
  • "I2aito" started this thread


1

Monday, May 10th 2010, 6:48am

purging an infected system

Hi, I've had Avira for a while and it's always done its job, but recently worms, trojans, and spyware have slipped through the cracks. I've done a system scan and I have a couple of unwanted programs, but to get to the point: can I get any help or information on how to purge my computer? Any help would be appreciated. If I'm in the wrong topic, I apologize.

Farger

Moderator

Version:
Avira Free Antivirus
Avira Ultimate Protection Suite
Avira Internet Security

Operating System:
Windows XP/ Windows 7

2

Monday, May 10th 2010, 8:45am

Hi I2aito,

Please post here a scan report or any detection logs.
Scotty is currently on patrol


  • "I2aito" started this thread


3

Monday, May 10th 2010, 11:00pm

Currently I can't read the Avira report because it says the file is infected. I did run a report with another piece of software that I had preinstalled; here is that report. I do not know if it helps, but here it is.


Logfile of HijackThis v1.99.1
Scan saved at 3:59:08 PM, on 5/10/2010
Platform: Windows XP SP3, v.5938 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21228)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Hunt Virus Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [GRemoteServer Pro] C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WBSrv - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

Farger

Moderator


4

Monday, May 10th 2010, 11:04pm

Hi I2aito,

Currently I can't read the Avira report because it says the file is infected,


The file of Avira is infected?

The HJT you ran is old; download and run the newest one.

  • "I2aito" started this thread


5

Thursday, May 13th 2010, 8:57pm

I ran a report with Avira. I try to view the report in depth, but it closes and a window pops up that says the file is infected.

Here is the updated HJT:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:00:11 PM, on 5/13/2010
Platform: Windows XP SP3, v.5938 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21228)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [GRemoteServer Pro] C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKUS\S-1-5-19\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7067 bytes

Farger

Moderator


6

Thursday, May 13th 2010, 10:22pm

Hi I2aito,

Your PC is infected by Worm.Win32.Netsky.

1. Open HJT, do a system scan only, tick all these items, and press Fix. Note! During this, all applications must be closed.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.is-software-download.com


2. Follow these instructions and post back the MBAM scan report. Note! When the scan is finished, a message box will appear saying that it has completed scanning successfully. Click OK. Now click "Show Results". Make sure all entries have a checkmark at their far left and click the "Remove Selected" button to remove all detected threats.

3. Download LSPFix from here, run LSPFix, and take a screenshot. But don't make any changes and don't click Finish; just open the LSPFix window, take a screenshot and then close it. Then post the picture here. [Instructions on how to post a screenshot on the forum]

In your next reply, I want to see MBAM scan report and LSPFix screenshot.
This post has been edited 1 times, last edit by "Farger" (May 13th 2010, 10:23pm)


  • "I2aito" started this thread


7

Sunday, May 16th 2010, 4:14am




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3, v.5938
Internet Explorer 7.0.5730.13

5/15/2010 9:04:05 PM
mbam-log-2010-05-15 (21-04-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 175938
Time elapsed: 26 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appinit_dlls (Trojan.Witkinat) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Trojan.Witkinat) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> No action taken.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\Securityessentials2010 (Rogue.SecurityEssentials2010) -> No action taken.

Files Infected:
C:\Documents and Settings\Administrator\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\Documents and Settings\Default User\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\Documents and Settings\FFFFFFFUUUUUUUU-\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\Documents and Settings\jose\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\Documents and Settings\jose\Local Settings\Temp\svchost.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\jose\Local Settings\Temp\B0.tmp (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\jose\Local Settings\Temp\B2.tmp (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\jose\Local Settings\Temporary Internet Files\Content.IE5\7IJUKCQ2\exe[1].exe (Rootkit.Dropper) -> No action taken.
C:\Documents and Settings\mely\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\WINDOWS\system32\11942.exe (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\2995.exe (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\4827.exe (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\WINDOWS\system32\helpers32.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ES15.exe (Rogue.SecurityEsssentials) -> No action taken.
C:\Documents and Settings\jose\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> No action taken.
C:\Documents and Settings\jose\Start Menu\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> No action taken.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\setup.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> No action taken.

Farger

Moderator


8

Sunday, May 16th 2010, 9:34am

Hi I2aito,

LSP is good. Now update MBAM and run a full scan again, but when the scan is finished, a message box will appear saying that it has completed scanning successfully. Click OK. Now click "Show Results". Make sure all entries have a checkmark at their far left and click the "Remove Selected" button to remove all detected threats. Post back the result.
Also, update Avira, scan your PC with Avira and post back that scan report too.
A new HJT log will also be useful.
In your next reply, please post 1) the MBAM scan report; 2) the Avira scan report; 3) a new HJT log.

  • "I2aito" started this thread


9

Monday, May 17th 2010, 2:04am

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:53:34 PM, on 5/16/2010
Platform: Windows XP SP3, v.5938 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21228)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Styler\Styler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [GRemoteServer Pro] C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6676 bytes
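The moderator's fix list in post 6 singles out three kinds of HijackThis entries: the F2 UserInit value pointing at winlogon32.exe instead of userinit.exe, the O4 Run entries for smss32.exe (a core process name with digits appended), and the O15 Trusted Zone domains. The log above (post 9) is the re-scan after those entries were fixed. The script below is an added example, not code from the thread, from HijackThis or from Avira: it parses the HJT line format, applies those three triage rules as heuristics, and diffs a before/after log to confirm which entries disappeared. The sample lines are copied from the thread's own logs; the CORE_NAMES list and the rule names are my own assumptions.

```python
"""Triage helpers for HijackThis-style logs (added example, not the thread's or any tool's own code)."""
import re

# Windows core process basenames that malware likes to imitate by appending
# digits (smss32.exe, winlogon32.exe). Constructed heuristic list.
CORE_NAMES = {"smss", "winlogon", "csrss", "lsass", "services", "svchost", "explorer"}

# Every HJT entry line looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse(log_text):
    """Return (section, body) tuples for every entry line; header/process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _basename(path):
    return path.replace('"', "").rstrip("/\\").split("\\")[-1].split("/")[-1]


def looks_like_core_imitation(path):
    """True for names such as smss32.exe: a core process stem followed by digits."""
    name = _basename(path).lower()
    stem = name[:-4] if name.endswith(".exe") else name
    m = re.fullmatch(r"([a-z]+)(\d+)", stem)
    return bool(m) and m.group(1) in CORE_NAMES


def flag(entries):
    """Return (reason, section, body) for entries the three triage rules select."""
    findings = []
    for section, body in entries:
        if section == "F2" and "UserInit=" in body:
            target = body.split("UserInit=", 1)[1]
            if _basename(target).lower() != "userinit.exe":
                findings.append(("UserInit hijack", section, body))
        elif section == "O4":
            m = re.search(r"\]\s*(.*)$", body)          # text after "[name]"
            target = m.group(1).strip() if m else ""
            exe = target.split('"')[1] if target.startswith('"') else target.split(" ")[0]
            if looks_like_core_imitation(exe):
                findings.append(("core-process name imitation", section, body))
        elif section == "O15":
            # Any Trusted Zone entry is worth review; malware adds them to weaken IE zone policy.
            findings.append(("Trusted Zone entry", section, body))
    return findings


def removed_entries(before_text, after_text):
    """Entries present in the earlier log and absent from the later one."""
    after = set(parse(after_text))
    return [e for e in parse(before_text) if e not in after]


# Sample input: lines copied from the thread's post-5 log (before the fix).
BEFORE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
"""

# Sample input: lines copied from the post-9 log (after the fix), cut down to two entries.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for reason, section, body in flag(parse(BEFORE_LOG)):
        print(f"[{reason}] {section} - {body}")
    print("removed by the fix:", len(removed_entries(BEFORE_LOG, AFTER_LOG)))
```

The UserInit rule is the most valuable of the three: that value runs at every interactive logon, so a non-default path there survives most "delete the Run key" clean-ups, which is why the moderator listed it first. The diff is the check a helper would do by eye on the post-9 log; here it confirms that all ten flagged entries are gone while the legitimate avgnt entry survived.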

  • "I2aito" started this thread


10

Monday, May 17th 2010, 2:05am

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3, v.5938
Internet Explorer 7.0.5730.13

5/16/2010 6:59:48 PM
mbam-log-2010-05-16 (18-59-48).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 175930
Time elapsed: 23 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

  • "I2aito" started this thread


11

Monday, May 17th 2010, 2:05am

Avira AntiVir Personal
Report file date: Sunday, May 16, 2010 17:41

Scanning for 2118977 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3, v.5938) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STUDENT-D02B507

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 06:28:55
VBASE006.VDF : 7.10.6.83 2048 Bytes 4/15/2010 06:28:55
VBASE007.VDF : 7.10.6.84 2048 Bytes 4/15/2010 06:28:55
VBASE008.VDF : 7.10.6.85 2048 Bytes 4/15/2010 06:28:56
VBASE009.VDF : 7.10.6.86 2048 Bytes 4/15/2010 06:28:56
VBASE010.VDF : 7.10.6.87 2048 Bytes 4/15/2010 06:28:56
VBASE011.VDF : 7.10.6.88 2048 Bytes 4/15/2010 06:28:57
VBASE012.VDF : 7.10.6.89 2048 Bytes 4/15/2010 06:28:57
VBASE013.VDF : 7.10.6.90 2048 Bytes 4/15/2010 06:28:57
VBASE014.VDF : 7.10.6.123 126464 Bytes 4/19/2010 06:28:58
VBASE015.VDF : 7.10.6.152 123392 Bytes 4/21/2010 06:28:59
VBASE016.VDF : 7.10.6.178 122880 Bytes 4/22/2010 06:29:01
VBASE017.VDF : 7.10.6.206 120320 Bytes 4/26/2010 06:29:02
VBASE018.VDF : 7.10.6.232 99328 Bytes 4/28/2010 06:29:03
VBASE019.VDF : 7.10.7.2 155648 Bytes 4/30/2010 06:29:04
VBASE020.VDF : 7.10.7.26 119808 Bytes 5/4/2010 06:29:05
VBASE021.VDF : 7.10.7.51 118272 Bytes 5/6/2010 06:29:06
VBASE022.VDF : 7.10.7.75 404992 Bytes 5/10/2010 21:03:07
VBASE023.VDF : 7.10.7.100 125440 Bytes 5/13/2010 22:28:37
VBASE024.VDF : 7.10.7.101 2048 Bytes 5/13/2010 22:28:37
VBASE025.VDF : 7.10.7.102 2048 Bytes 5/13/2010 22:28:37
VBASE026.VDF : 7.10.7.103 2048 Bytes 5/13/2010 22:28:37
VBASE027.VDF : 7.10.7.104 2048 Bytes 5/13/2010 22:28:38
VBASE028.VDF : 7.10.7.105 2048 Bytes 5/13/2010 22:28:38
VBASE029.VDF : 7.10.7.106 2048 Bytes 5/13/2010 22:28:38
VBASE030.VDF : 7.10.7.107 2048 Bytes 5/13/2010 22:28:39
VBASE031.VDF : 7.10.7.111 68096 Bytes 5/14/2010 22:28:39
Engineversion : 8.2.1.242
AEVDF.DLL : 8.1.2.0 106868 Bytes 5/10/2010 06:29:32
AESCRIPT.DLL : 8.1.3.29 1343866 Bytes 5/13/2010 21:03:16
AESCN.DLL : 8.1.6.1 127347 Bytes 5/13/2010 21:03:14
AESBX.DLL : 8.1.3.1 254324 Bytes 5/10/2010 06:29:33
AERDL.DLL : 8.1.4.6 541043 Bytes 5/10/2010 06:29:29
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 20:34:51
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 5/13/2010 21:03:13
AEHEUR.DLL : 8.1.1.27 2670967 Bytes 5/10/2010 06:29:26
AEHELP.DLL : 8.1.11.3 242039 Bytes 4/2/2010 00:05:25
AEGEN.DLL : 8.1.3.9 377203 Bytes 5/13/2010 21:03:12
AEEMU.DLL : 8.1.2.0 393588 Bytes 5/10/2010 06:29:13
AECORE.DLL : 8.1.15.3 192886 Bytes 5/13/2010 21:03:11
AEBB.DLL : 8.1.1.0 53618 Bytes 5/10/2010 06:29:11
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, May 16, 2010 17:41

Starting search for hidden objects.
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Preferences\backgroundscancompletedate
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-776561741-2147156445-1003\Software\Microsoft\Internet Explorer\Desktop\General\backupwallpaper
[NOTE] The registry entry is invisible.
%SystemRoot%\system32\warnings.html
C:\WINDOWS\system32\warnings.html
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-776561741-2147156445-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\shellstate
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-776561741-2147156445-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\161\Shell\itempos1360x768(1)
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '34' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '48' Module(s) have been scanned
Scan process 'HiJackThis.exe' - '49' Module(s) have been scanned
Scan process 'msdtc.exe' - '46' Module(s) have been scanned
Scan process 'dllhost.exe' - '64' Module(s) have been scanned
Scan process 'dllhost.exe' - '51' Module(s) have been scanned
Scan process 'vssvc.exe' - '54' Module(s) have been scanned
Scan process 'avscan.exe' - '73' Module(s) have been scanned
Scan process 'avcenter.exe' - '66' Module(s) have been scanned
Scan process 'mbam.exe' - '52' Module(s) have been scanned
Scan process 'firefox.exe' - '119' Module(s) have been scanned
Scan process 'wuauclt.exe' - '52' Module(s) have been scanned
Scan process 'Styler.exe' - '37' Module(s) have been scanned
Scan process 'sidebar.exe' - '84' Module(s) have been scanned
Scan process 'GRemoteServer.exe' - '48' Module(s) have been scanned
Scan process 'ctfmon.exe' - '34' Module(s) have been scanned
Scan process 'sidebar.exe' - '72' Module(s) have been scanned
Scan process 'lclock.exe' - '31' Module(s) have been scanned
Scan process 'RocketDock.exe' - '32' Module(s) have been scanned
Scan process 'avgnt.exe' - '57' Module(s) have been scanned
Scan process 'winampa.exe' - '26' Module(s) have been scanned
Scan process 'jusched.exe' - '23' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '33' Module(s) have been scanned
Scan process 'hkcmd.exe' - '37' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '28' Module(s) have been scanned
Scan process 'UnlockerAssistant.exe' - '25' Module(s) have been scanned
Scan process 'Explorer.EXE' - '131' Module(s) have been scanned
Scan process 'alg.exe' - '39' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '70' Module(s) have been scanned
Scan process 'avshadow.exe' - '31' Module(s) have been scanned
Scan process 'jqs.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'avguard.exe' - '58' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned
Scan process 'spoolsv.exe' - '55' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '186' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '56' Module(s) have been scanned
Scan process 'lsass.exe' - '64' Module(s) have been scanned
Scan process 'services.exe' - '34' Module(s) have been scanned
Scan process 'winlogon.exe' - '86' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1661' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\jose\Local Settings\Temp\~TMAE.tmp
[DETECTION] Is the TR/Agent.AN.1990 Trojan
C:\Documents and Settings\jose\Local Settings\Temp\plugtmp-42\plugin-Notes6.pdf
[0] Archive type: PDF Stream
[DETECTION] Contains recognition pattern of the EXP/Pdfka exploit
--> Object
[DETECTION] Contains recognition pattern of the EXP/Pdfka exploit
C:\WINDOWS\system32\15724.exe
[DETECTION] Is the TR/Spy.Insain.YV Trojan

Beginning disinfection:
C:\WINDOWS\system32\15724.exe
[DETECTION] Is the TR/Spy.Insain.YV Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ead3991.qua'.
C:\Documents and Settings\jose\Local Settings\Temp\plugtmp-42\plugin-Notes6.pdf
[DETECTION] Contains recognition pattern of the EXP/Pdfka exploit
[NOTE] The file was moved to the quarantine directory under the name '5678160d.qua'.
C:\Documents and Settings\jose\Local Settings\Temp\~TMAE.tmp
[DETECTION] Is the TR/Agent.AN.1990 Trojan
[NOTE] The file was moved to the quarantine directory under the name '047f4cfd.qua'.


End of the scan: Sunday, May 16, 2010 18:33
Used time: 37:49 Minute(s)

The scan has been done completely.

6686 Scanned directories
107110 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
3 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
107107 Files not concerned
562 Archives were scanned
0 Warnings
3 Notes
245478 Objects were scanned with rootkit scan
6 Hidden objects were found

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Ultimate Protection Suite
Avira Internet Security

Operating System:
Windows XP/ Windows 7


12

Monday, May 17th 2010, 9:01am

Hi I2aito,

How is your PC now?
After the second MBAM scan, why didn't it find anything? According to the first MBAM scan report no action was taken, and according to the second scan report everything is clean. Did you do anything by yourself?
P.S. I don't like some hidden objects :S
Scotty is currently on patrol


  • "I2aito" started this thread

Date of registration:
May 10th 2010


13

Monday, May 17th 2010, 10:16pm

It is much better now. I honestly did not do anything by myself, I just followed your instructions and that's what I got.

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Ultimate Protection Suite
Avira Internet Security

Operating System:
Windows XP/ Windows 7


14

Monday, May 17th 2010, 10:32pm

Hi I2aito,

Hmmm, I assume that you clicked on "Remove selected" in MBAM, am I right?
Can you update Avira automatically?

I have doubts about these objects, let's wait, maybe someone will confirm my thoughts:

HKEY_USERS\S-1-5-21-1177238915-776561741-2147156445-1003\Software\Microsoft\Internet Explorer\Desktop\General\backupwallpaper ------------------------------>
%SystemRoot%\system32\warnings.html
C:\WINDOWS\system32\warnings.html

I think that this is a fake screensaver which was created by Securityessentials2010

HKEY_USERS\S-1-5-21-1177238915-776561741-2147156445-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\161\Shell\itempos1360x768(1)

I don't recognize this :S

So, please do the following:

1. Please download and install CCleaner. Install it. Open CCleaner - Registry - Scan for issues - click on Fix selected issues (also you can create a backup, CCleaner will ask you about it).

Then open CCleaner again - Cleaner - Analyze - Run Cleaner (Note! This operation will delete your browser's history).

2. Follow these instructions and post back the SAS scan report.
Scotty is currently on patrol

This post has been edited 1 times, last edit by "Farger" (May 17th 2010, 10:35pm)
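The pairing Farger makes above (a hidden "backupwallpaper" value whose data is warnings.html) is easier to check mechanically once the Avira report is parsed. The following Python is an added example, not Avira's code nor anything posted in this thread: it parses the hidden-object and disinfection blocks of the AntiVir report format and lists hidden registry values whose data points at a file. The section headings, SAMPLE_REPORT excerpt and the flagging rule are assumptions modelled on the log posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the Avira AntiVir report format posted in this thread.
SAMPLE_REPORT = r"""Starting search for hidden objects.
HKEY_USERS\S-1-5-21-1177238915-776561741-2147156445-1003\Software\Microsoft\Internet Explorer\Desktop\General\backupwallpaper
[NOTE] The registry entry is invisible.
%SystemRoot%\system32\warnings.html
C:\WINDOWS\system32\warnings.html
[NOTE] The registry entry is invisible.
Beginning disinfection:
C:\WINDOWS\system32\15724.exe
[DETECTION] Is the TR/Spy.Insain.YV Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ead3991.qua'.
"""

SECTIONS = {"Starting search for hidden objects": "hidden", "Beginning disinfection": "disinfection"}
TAG_RE = re.compile(r"^\[(\w+)\] (.*)$")          # "[NOTE] ..." / "[DETECTION] ..." lines
PATH_RE = re.compile(r"^(%\w+%|[A-Za-z]:)\\")      # %SystemRoot%\... or C:\... paths

@dataclass
class Entry:
    section: str
    subject: str                               # registry key or file path the tags refer to
    tags: list = field(default_factory=list)   # tag lines attached to the subject
    data: list = field(default_factory=list)   # value data lines of a hidden registry entry

def parse_report(text):
    entries, section, pending = [], None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.rstrip(".:") in SECTIONS:
            section = SECTIONS[line.rstrip(".:")]
        elif not TAG_RE.match(line):
            pending.append(line)               # object lines precede their [TAG] lines
        else:
            # In the hidden-object block a bare path is the data of the previous hidden key.
            if pending and section == "hidden" and entries and not pending[0].startswith("HKEY"):
                entries[-1].data += pending
            elif pending:
                entries.append(Entry(section, pending[0], [], pending[1:]))
            pending = []
            if entries:
                entries[-1].tags.append(line)
    return entries

def suspicious_hidden_entries(entries):
    """Hidden registry values whose data points at a file: worth a human look."""
    return [e for e in entries if e.section == "hidden"
            and any(PATH_RE.match(d) for d in e.data)]
```

Run against a full report, the flagged list is the short set of hidden entries to look up by hand; the quarantine names in the disinfection block stay attached to their original paths in each entry's tags.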


Date of registration:
Jan 5th 2009

Operating System:
XP


15

Tuesday, May 18th 2010, 5:13pm

Please use our RescueCd utility:

- download it to a clean system (other than your infected computer)
- launch rescuecd.exe file and place a blank CD in your writer unit
- choose your burning device from the drop down list and press burn button. Please wait until the disc is created. At the end you should see a success message
- place the rescue disc in the infected computer and boot from it.
- scan your PC
Thanks for choosing Avira
Alexandru Manea
Avira Operations GmbH & Co. KG