PC Checkup - HJT log

macdawg · 06-12-2008, 08:20 PM

I scan with a few scanners each week and a-squared found a trojan this week in an mp4 audio file my girlfriend downloaded (I didn't write down the name of the trojan unfortunately) I've since ran scans with anti-vir, a-squared, and spybot in safe mode & came up clean but wanted to post a log in here to make sure things looked alright. I ran both HJT & Deckards.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:17 PM, on 6/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Microsoft Update
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 2749 bytes

macdawg · 06-12-2008, 08:21 PM

Deckard's System Scanner v20071014.68
Run by Kris on 2008-06-12 20:04:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Kris.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:27 PM, on 6/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Kris\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\Kris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Microsoft Update
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 2786 bytes

-- Files created between 2008-05-12 and 2008-06-12 -----------------------------

2008-06-12 20:04:05 0 dr-h----- C:\Documents and Settings\Kris\Recent
2008-06-08 14:48:18 0 d-------- C:\Program Files\PeerGuardian2
2008-06-07 19:24:49 0 d-------- C:\WINDOWS\Logs
2008-06-03 19:37:12 0 d-------- C:\Program Files\LimeWire
2008-05-31 18:31:48 0 d-------- C:\Program Files\Winamp
2008-05-31 18:31:48 0 d-------- C:\Documents and Settings\Kris\Application Data\Winamp
2008-05-29 18:13:19 0 d-------- C:\Program Files\CCleaner
2008-05-28 18:46:07 0 d-------- C:\Documents and Settings\Kris\Application Data\Any Video Converter
2008-05-28 18:46:05 0 d-------- C:\Program Files\Any Video Converter
2008-05-27 21:05:51 0 d-------- C:\Program Files\QuickMediaConverter
2008-05-25 15:21:45 580114 --a------ C:\WINDOWS\system32\x264vfw.dll
2008-05-14 21:17:56 0 d-------- C:\Program Files\Bonjour
2008-05-14 21:17:13 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-05-14 21:16:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple

-- Find3M Report ---------------------------------------------------------------

2008-06-12 19:13:01 0 d-------- C:\Program Files\a-squared Free
2008-06-11 21:37:52 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-08 21:12:40 9390251 --a------ C:\Program Files\vlc-0.8.6h-win32.exe
2008-06-08 18:34:52 0 d-------- C:\Documents and Settings\Kris\Application Data\uTorrent
2008-06-06 19:06:46 0 d-------- C:\Program Files\SpywareBlaster
2008-06-05 20:44:52 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-01 00:30:17 0 d-------- C:\Documents and Settings\Kris\Application Data\SiteAdvisor
2008-06-01 00:28:59 0 d-------- C:\Documents and Settings\Kris\Application Data\Mozilla
2008-05-29 19:38:27 0 d-------- C:\Documents and Settings\Kris\Application Data\dvdcss
2008-05-28 23:45:48 0 d-------- C:\Program Files\dvdSanta
2008-05-14 21:56:50 0 d-------- C:\Program Files\Common Files
2008-05-11 22:23:23 0 d-------- C:\Program Files\Avira
2008-05-08 23:53:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-30 21:05:22 2279607 --a------ C:\Program Files\TGTC_XP.pdf
2008-04-29 22:07:13 0 d-------- C:\Program Files\Foxit Software
2008-04-29 22:06:00 0 d-------- C:\Program Files\Trend Micro
2008-04-27 20:59:48 0 d-------- C:\Documents and Settings\Kris\Application Data\W Photo Studio Viewer
2008-04-27 03:01:00 33792 --a------ C:\Program Files\resume.doc
2008-04-23 21:11:24 0 d-------- C:\Program Files\Messenger
2008-04-23 21:11:07 0 d-------- C:\Program Files\Movie Maker
2008-04-20 13:40:22 0 d-------- C:\Program Files\DivX
2008-04-16 21:28:06 0 d-------- C:\Program Files\Lavasoft
2008-04-12 20:01:29 5720 --a------ C:\WINDOWS\mozver.dat
2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 16:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 16:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 16:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-21 15:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 15:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 15:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 15:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"NoRecentDocsNetHood"=01000000
"NoLowDiskSpaceChecks"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk.disabled
backup=C:\WINDOWS\pss\Logitech SetPoint.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
backup=C:\WINDOWS\pss\Smart Wizard Wireless Settings.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
CTXFIREG.exe /FAIL1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MS Config.exe /auto
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"nwiz"=nwiz.exe /install
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

-- End of Deckard's System Scanner: finished at 2008-06-12 20:06:09 ------------

macdawg · 06-12-2008, 08:25 PM

respost

Formerly the latter · 06-12-2008, 09:58 PM

Please print out or save this page to a notepad before continuing as you will not be able to access this information while you undergo the fixing process.

Step1 | OTMoveIt2 Script

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
```
[kill explorer]
C:\WINDOWS\system32\x264vfw.dll
[start explorer]
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step2 | MBAM Scan

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step3 | Jotti Malware Upload

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\Program Files\resume.doc
Click on the submit button
Please post the results in your next reply.

Logs Required In Next Post
--------------------------------

OTMoveIt2 Log
MBAM Scan Log
Jotti Scan Log

macdawg · 06-13-2008, 12:20 AM

techpro5238, really appreciate your help, you rule! So far I think so good (only hitch was first time I ran OTMoveIt, it froze & crashed, closed & re-ran it & it worked), here are the logs.

1. Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\x264vfw.dll
C:\WINDOWS\system32\x264vfw.dll NOT unregistered.
C:\WINDOWS\system32\x264vfw.dll moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06122008_235839

2. Malwarebytes' Anti-Malware 1.17
Database version: 851

12:09:34 AM 6/13/2008
mbam-log-6-13-2008 (00-09-34).txt

Scan type: Quick Scan
Objects scanned: 37609
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3. Scan taken on 13 Jun 2008 05:11:20 (GMT) A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Formerly the latter · 06-13-2008, 09:26 AM

Step1 | Kasperky WebScanner

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Step2 | ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step3 | OTCleanIt

Please download OTCleanIt and save it to Desktop.

Double-click OTCleanIt.exe
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes

Logs Required In Next Post
--------------------------------

Kasperky WebScan Log
New Hijackthis Log
Update on System Behavior

macdawg · 06-15-2008, 11:31 PM

Sunday, June 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 02:43:29
Records in database: 870683
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics
Files scanned 34696
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:36:12

No malware has been detected. The scan area is clean.
The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:43 PM, on 6/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Microsoft Update
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 2783 bytes

System behavior is good as far as no pop ups, normal shut down & start up times.

Thank you for your help techpro

Formerly the latter · 06-16-2008, 05:39 AM

Your all clean Macdawg

Just reset your restore points by following the below so I can ensure that your all clean. Good work on your time and effort to destroy the malware and listen to my instructions

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

06-12-2008, 08:20 PM	#1 (permalink)
macdawg Ultra Techie Join Date: Mar 2005 Posts: 785	PC Checkup - HJT log I scan with a few scanners each week and a-squared found a trojan this week in an mp4 audio file my girlfriend downloaded (I didn't write down the name of the trojan unfortunately) I've since ran scans with anti-vir, a-squared, and spybot in safe mode & came up clean but wanted to post a log in here to make sure things looked alright. I ran both HJT & Deckards. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:02:17 PM, on 6/12/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Microsoft Update R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file) O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- End of file - 2749 bytes

06-12-2008, 08:21 PM	#2 (permalink)
macdawg Ultra Techie Join Date: Mar 2005 Posts: 785	Re: PC Checkup - HJT log Deckard's System Scanner v20071014.68 Run by Kris on 2008-06-12 20:04:23 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Kris.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:04:27 PM, on 6/12/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Documents and Settings\Kris\Desktop\dss.exe C:\PROGRA~1\Trend Micro\HijackThis\Kris.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Microsoft Update R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = .local O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file) O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- End of file - 2786 bytes -- Files created between 2008-05-12 and 2008-06-12 ----------------------------- 2008-06-12 20:04:05 0 dr-h----- C:\Documents and Settings\Kris\Recent 2008-06-08 14:48:18 0 d-------- C:\Program Files\PeerGuardian2 2008-06-07 19:24:49 0 d-------- C:\WINDOWS\Logs 2008-06-03 19:37:12 0 d-------- C:\Program Files\LimeWire 2008-05-31 18:31:48 0 d-------- C:\Program Files\Winamp 2008-05-31 18:31:48 0 d-------- C:\Documents and Settings\Kris\Application Data\Winamp 2008-05-29 18:13:19 0 d-------- C:\Program Files\CCleaner 2008-05-28 18:46:07 0 d-------- C:\Documents and Settings\Kris\Application Data\Any Video Converter 2008-05-28 18:46:05 0 d-------- C:\Program Files\Any Video Converter 2008-05-27 21:05:51 0 d-------- C:\Program Files\QuickMediaConverter 2008-05-25 15:21:45 580114 --a------ C:\WINDOWS\system32\x264vfw.dll 2008-05-14 21:17:56 0 d-------- C:\Program Files\Bonjour 2008-05-14 21:17:13 0 d------c- C:\WINDOWS\system32\DRVSTORE 2008-05-14 21:16:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple -- Find3M Report --------------------------------------------------------------- 2008-06-12 19:13:01 0 d-------- C:\Program Files\a-squared Free 2008-06-11 21:37:52 0 d-------- C:\Program Files\Mozilla Thunderbird 2008-06-08 21:12:40 9390251 --a------ C:\Program Files\vlc-0.8.6h-win32.exe 2008-06-08 18:34:52 0 d-------- C:\Documents and Settings\Kris\Application Data\uTorrent 2008-06-06 19:06:46 0 d-------- C:\Program Files\SpywareBlaster 2008-06-05 20:44:52 0 d-------- C:\Program Files\Microsoft Silverlight 2008-06-01 00:30:17 0 d-------- C:\Documents and Settings\Kris\Application Data\SiteAdvisor 2008-06-01 00:28:59 0 d-------- C:\Documents and Settings\Kris\Application Data\Mozilla 2008-05-29 19:38:27 0 d-------- C:\Documents and Settings\Kris\Application Data\dvdcss 2008-05-28 23:45:48 0 d-------- C:\Program Files\dvdSanta 2008-05-14 21:56:50 0 d-------- C:\Program Files\Common Files 2008-05-11 22:23:23 0 d-------- C:\Program Files\Avira 2008-05-08 23:53:35 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-04-30 21:05:22 2279607 --a------ C:\Program Files\TGTC_XP.pdf 2008-04-29 22:07:13 0 d-------- C:\Program Files\Foxit Software 2008-04-29 22:06:00 0 d-------- C:\Program Files\Trend Micro 2008-04-27 20:59:48 0 d-------- C:\Documents and Settings\Kris\Application Data\W Photo Studio Viewer 2008-04-27 03:01:00 33792 --a------ C:\Program Files\resume.doc 2008-04-23 21:11:24 0 d-------- C:\Program Files\Messenger 2008-04-23 21:11:07 0 d-------- C:\Program Files\Movie Maker 2008-04-20 13:40:22 0 d-------- C:\Program Files\DivX 2008-04-16 21:28:06 0 d-------- C:\Program Files\Lavasoft 2008-04-12 20:01:29 5720 --a------ C:\WINDOWS\mozver.dat 2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2008-03-31 16:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2008-03-31 16:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll 2008-03-31 16:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2008-03-21 15:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2008-03-21 15:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100> 2008-03-21 15:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100> 2008-03-21 15:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll -- Registry Dump --------------------------------------------------------------- Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer] "NoRecentDocsNetHood"=01000000 "NoLowDiskSpaceChecks"=1 (0x1) "NoSharedDocuments"=1 (0x1) "NoInstrumentation"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] C:\WINDOWS\System32\dimsntfy.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk.disabled] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk.disabled backup=C:\WINDOWS\pss\Logitech SetPoint.lnk.disabledCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk backup=C:\WINDOWS\pss\Smart Wizard Wireless Settings.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg] CTXFIREG.exe /FAIL1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "C:\Program Files\Winamp\winampa.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "ose"=3 (0x3) "gusvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-] "MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MS Config.exe /auto "NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit "NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup "Logitech Hardware Abstraction Layer"=KHALMNPR.EXE "NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "nwiz"=nwiz.exe /install "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] eapsvcs eaphost dot3svc dot3svc HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs napagent hkmsvc -- End of Deckard's System Scanner: finished at 2008-06-12 20:06:09 ------------

06-12-2008, 08:25 PM	#3 (permalink)
macdawg Ultra Techie Join Date: Mar 2005 Posts: 785	Re: PC Checkup - HJT log respost Last edited by macdawg; 06-12-2008 at 08:32 PM.

06-12-2008, 09:58 PM	#4 (permalink)
Formerly the latter Super Techie Join Date: Aug 2007 Posts: 457	Re: PC Checkup - HJT log Please print out or save this page to a notepad before continuing as you will not be able to access this information while you undergo the fixing process. Step1 \| OTMoveIt2 Script Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Code: [kill explorer] C:\WINDOWS\system32\x264vfw.dll [start explorer] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Step2 \| MBAM Scan Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Step3 \| Jotti Malware Upload Jotti File Submission: Please go to Jotti's malware scan Copy and paste the following file path into the "File to upload & scan"box on the top of the page: C:\Program Files\resume.doc Click on the submit button Please post the results in your next reply. Logs Required In Next Post -------------------------------- OTMoveIt2 Log MBAM Scan Log Jotti Scan Log

06-13-2008, 12:20 AM	#5 (permalink)
macdawg Ultra Techie Join Date: Mar 2005 Posts: 785	Re: PC Checkup - HJT log techpro5238, really appreciate your help, you rule! So far I think so good (only hitch was first time I ran OTMoveIt, it froze & crashed, closed & re-ran it & it worked), here are the logs. 1. Explorer killed successfully DllUnregisterServer procedure not found in C:\WINDOWS\system32\x264vfw.dll C:\WINDOWS\system32\x264vfw.dll NOT unregistered. C:\WINDOWS\system32\x264vfw.dll moved successfully. Explorer started successfully OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06122008_235839 2. Malwarebytes' Anti-Malware 1.17 Database version: 851 12:09:34 AM 6/13/2008 mbam-log-6-13-2008 (00-09-34).txt Scan type: Quick Scan Objects scanned: 37609 Time elapsed: 2 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) 3. Scan taken on 13 Jun 2008 05:11:20 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing

06-13-2008, 09:26 AM	#6 (permalink)
Formerly the latter Super Techie Join Date: Aug 2007 Posts: 457	Re: PC Checkup - HJT log Step1 \| Kasperky WebScanner Please do an online scan with Kaspersky WebScanner Click on Accept You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Step2 \| ATF Cleaner Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. Step3 \| OTCleanIt Please download OTCleanIt and save it to Desktop. Double-click OTCleanIt.exe Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes Logs Required In Next Post -------------------------------- Kasperky WebScan Log New Hijackthis Log Update on System Behavior

06-15-2008, 11:31 PM	#7 (permalink)
macdawg Ultra Techie Join Date: Mar 2005 Posts: 785	Re: PC Checkup - HJT log Sunday, June 15, 2008 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Monday, June 16, 2008 02:43:29 Records in database: 870683 Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes Scan area My Computer C:\ D:\ E:\ F:\ G:\ H:\ I:\ Scan statistics Files scanned 34696 Threat name 0 Infected objects 0 Suspicious objects 0 Duration of the scan 00:36:12 No malware has been detected. The scan area is clean. The selected area was scanned. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:28:43 PM, on 6/15/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Microsoft Update R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file) O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- End of file - 2783 bytes System behavior is good as far as no pop ups, normal shut down & start up times. Thank you for your help techpro

06-16-2008, 05:39 AM	#8 (permalink)
Formerly the latter Super Techie Join Date: Aug 2007 Posts: 457	Re: PC Checkup - HJT log Your all clean Macdawg Just reset your restore points by following the below so I can ensure that your all clean. Good work on your time and effort to destroy the malware and listen to my instructions To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (Windows XP) 1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. 2. Reboot. 3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check Turn off System Restore. Click Apply, and then click OK.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Hi Guys, Can someone help me with smitfraud. here is mu HJT log	Rosco_beats	HijackThis Logs (finished)	13	05-15-2008 07:05 AM
HJT Log. Internet Issues	Lukey114	HijackThis Logs (finished)	4	04-16-2008 08:02 AM
HJT Log	carnageX	HijackThis Logs (finished)	5	03-15-2008 11:17 AM
Can you help? HJT log attached...	dancingslave	HijackThis Logs (finished)	10	03-15-2008 10:14 AM
HJT Log.	Lukey114	HijackThis Logs (finished)	20	12-20-2007 05:49 AM