ian pollington Posted April 10, 2007 Share Posted April 10, 2007 Hi, I know that this is the wrong Forum but I can't access anything that has the words CCleaner in it! I have been using it for years but suddenly the screen goes immediately to all wallpaper and then the desktop icons re-appear whenever: 1) I try and open CCleaner from the desktop, from the start menu or from program manager. 2) I type CCleaner into a search engine and this closes the browser too! 3) After running ccsetup the language screen appears but then it all goes again 4) entering ccsetup or CCleaner into search on windows explorer. 5) right click on the desktop icon for cc 6) try and delete the program in remove programs I can't quite figure when this started but I haven't loaded 1.38 yet - and can't. I am running XP, Office 2007 and Panda. I cannot remember anything being updated recently I have run virus checks from panda and using on-line and nothing is found. Any assistance would be much appreciated! Thanks Ian Link to comment Share on other sites More sharing options...
Moderators hazelnut Posted April 10, 2007 Moderators Share Posted April 10, 2007 Please post a hijackthis log in this part of the forum as soon as possible. http://forum.piriform.com/index.php?showforum=12 If for some reason it won't let you do anything with hijackthis (like it won't with CCleaner),please say so in the post in that section) Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com Link to comment Share on other sites More sharing options...
ian pollington Posted April 10, 2007 Author Share Posted April 10, 2007 Sorry, can't even get to the forum - as soon as I click on the title page the browser shuts down! same happens if I enter hijacktjhis in a search engine - I don't have it loaded Ian Link to comment Share on other sites More sharing options...
Moderators rridgely Posted April 10, 2007 Moderators Share Posted April 10, 2007 Hello, please follow the below instructions. Since your having problems accessing the other parts of the forum just post the log in this topic. Download ComboScan to your Desktop Close all applications and windows. Double-click on comboscan.exe to run it, and follow the prompts. The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt A folder Comboscan will also open which contains the Comboscan.txt and a Supplementary.txt. Copy and paste the contents of ComboScan.txt in your next reply. Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus) Link to comment Share on other sites More sharing options...
Humpty Posted April 10, 2007 Share Posted April 10, 2007 This is the second time I've seen a seemingly specific CCleaner/Hijackthis malware. Anyone know it's origins or is it just another XP myth. Same thing? Link to comment Share on other sites More sharing options...
Moderators hazelnut Posted April 10, 2007 Moderators Share Posted April 10, 2007 Not a myth unfortunately Humpty http://forum.piriform.com/index.php?showtopic=9584 and here http://forum.piriform.com/index.php?showtopic=9527 Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com Link to comment Share on other sites More sharing options...
ian pollington Posted April 10, 2007 Author Share Posted April 10, 2007 Hi, Downloaded the file OK and started running but at 12% a message flashed up on the screen - difficult to catch but I think it was something about never having run hijackthis. Comboscan closed and no logs in the folder. Shall I follow the instructions in the links in the replies to the mail below? Thanks Ian Link to comment Share on other sites More sharing options...
Humpty Posted April 10, 2007 Share Posted April 10, 2007 Hi ian, I think you should wait for rridgely to come back online as he is one of the resident experts. No harm in looking though. Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 10, 2007 Share Posted April 10, 2007 Hi Ian Please can you start with this Goto Start Menu > Run > and copy and paste cmd /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt Press OK and it will export some information from your registry and save it to a text file named Result.txt which will save to C:\ and also open in Notepad, please post the contents of that file back on here I suspect you have a variant of the gromozon rootkit and a linkoptimizer trojan, we can deal with the gromozon part abit later if its present but its the linkoptimizer trojan that is likely causing the problems, it hooks to explorer using a reg entry and changes permissions on the reg value and file so even Admin users cannot remove it, if you type CCleaner in Start > Run or Browsers then explorer will crash, same for other tools like HijackThis, even moving the mouse over the icon will crash explorer without you clicking it so this trojan matches what you are describing, If anything removes the trojan file then you will not be able to restart explorer.exe (no desktop icons or start menu) but I will explain that in more detail after seeing the results from the above command, Cheers Andy Link to comment Share on other sites More sharing options...
ian pollington Posted April 11, 2007 Author Share Posted April 11, 2007 Andy, Sorry for the delay - been working today! This is the contents of result.txt Thanks Ian ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe ApplicationGoo REG_BINARY 140200001002000000020000900434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000007000B000000000007000B0000003F000000020000000400010001000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000904E404F0030000010053007400720069006E006700460069006C00650049006E0066006F000000CC03000001003000340030003900300034004500340000004A001900010043006F006D006D0065006E007400730000004300720079007300740061006C002000530051004C002000440065007300690067006E0065007200200037002E0030000000000088003400010043006F006D00700061006E0079004E0061006D006500000000005300650061006700610074006500200053006F00660074007700610072006500200049006E0066006F0072006D006100740069006F006E0020004D0061006E006100670065006D0065006E0074002000470072006F00750070002C00200049006E0063002E000000AE00450001004C006500670061006C0043006F007000790072006900670068007400000043006F0070007900720069006700680074002000280063002900200031003900390031002D003100390039001000000000000000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Debugger REG_SZ "c:\windows\system32\fmomtuqu.old" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe ApplicationGoo REG_BINARY 5409000054020000000200008C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000200A8112E0400000200A8112E0400003F000000200000000400000001000000000000000000000000000000EC020000010053007400720069006E006700460069006C00650049006E0066006F000000C8020000010030003000300030003000340062003000000038001000010043006F006D006D0065006E007400730000004F007200690067006E0061006C002000560065007200730069006F006E00000042001100010043006F006D00700061006E0079004E0061006D006500000000005300410050002000410047002C002000570061006C006C0064006F0072006600000000005A0019000100460069006C0065004400650073006300720069007000740069006F006E00000000005300410050002000460072006F006E00740065006E006400200066006F0072002000570069006E0064006F0077007300000000003C000E000100460069006C006500560065007200730069006F006E000000000034003500320030002E0032002E0030002E003100300037003000000032000900010049006E007400650072006E0061006C004E0061006D0065000000460045005700460052004F004E005400000000007A002B0001004C006500670061006C0043006F007000790072006900670068000200000000000000010000004C0000003CFD0600040000000000000065050000020000000300000000000100530065007200760069006300650020005000610063006B00200033000000230054020000000200008C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE0000010003009E112604000003009E11260400003F000000200000000400000001000000000000000000000000000000EC020000010053007400720069006E006700460069006C00650049006E0066006F000000C8020000010030003000300030003000340062003000000038001000010043006F006D006D0065006E007400730000004F007200690067006E0061006C002000560065007200730069006F006E00000042001100010043006F006D00700061006E0079004E0061006D006500000000005300410050002000410047002C002000570061006C006C0064006F0072006600000000005A0019000100460069006C0065004400650073006300720069007000740069006F006E00000000005300410050002000460072006F006E00740065006E006400200066006F0072002000570069006E0064006F0077007300000000003C000E000100460069006C006500560065007200730069006F006E000000000034003500310030002E0033002E0030002E003100300036003200000032000900010049006E007400650072006E0061006C004E0061006D0065000000460045005700460052004F004E005400000000007A002B0001004C006500670061006C0043006F007000790072006900670068000200000000000000010000004C0000003CFD0600040000000000000065050000020000000300000000000100530065007200760069006300650020005000610063006B0020003300000023005402000000020000200334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE0000010000000400F003000000000400F00300003F0000000000000004000100010000000000000000000000000000007E020000010053007400720069006E006700460069006C00650049006E0066006F0000005A02000001003000340030003900300034004500340000002E000700010043006F006D00700061006E0079004E0061006D00650000000000530041005000200041004700000000005A0019000100460069006C0065004400650073006300720069007000740069006F006E00000000005300410050002000460072006F006E00740065006E006400200066006F0072002000570069006E0064006F00770073000000000036000B000100460069006C006500560065007200730069006F006E000000000034002E0030002E0030002E003100300030003800000000002C000600010049006E007400650072006E0061006C004E0061006D0065000000460052004F004E00540000005E001D0001004C006500670061006C0043006F007000790072006900670068007400000043006F0070007900720069006700680074002000A900200031003900390033002D0031003900390037002000530041005000200041004700000000002800000001004C006500670061006C0054007200610064000200000000000000010000004C0000003CFD0600040000000000000065050000020000000300000000000100530065007200760069006300650020005000610063006B0020003300000023005402000000020000180334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE0000010000000400DD03000000000400DD0300003F00000000000000040001000100000000000000000000000000000078020000010053007400720069006E006700460069006C00650049006E0066006F0000005402000001003000340030003900300034004500340000002E000700010043006F006D00700061006E0079004E0061006D00650000000000530041005000200041004700000000005A0019000100460069006C0065004400650073006300720069007000740069006F006E00000000005300410050002000460072006F006E00740065006E006400200066006F0072002000570069006E0064006F00770073000000000034000A000100460069006C006500560065007200730069006F006E000000000034002E0030002E0030002E0039003800390000002C000600010049006E007400650072006E0061006C004E0061006D0065000000460052004F004E00540000005E001D0001004C006500670061006C0043006F007000790072006900670068007400000043006F0070007900720069006700680074002000A900200031003900390033002D0031003900390037002000530041005000200041004700000000002800000001004C006500670061006C00540072006100640065006D000200000000000000010000004C0000003CFD0600040000000000000065050000020000000300000000000100530065007200760069006300650020005000610063006B002000330000002300 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe ApplicationGoo REG_BINARY 5802000054020000000200006C0734000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100050005000700A807050005000700A8073F000000000000000400040001000000000000000000000000000000CC060000010053007400720069006E006700460069006C00650049006E0066006F00000054030000010030003400300039003000340042003000000018000000010043006F006D006D0065006E007400730000004C001600010043006F006D00700061006E0079004E0061006D006500000000004D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000680020000100460069006C0065004400650073006300720069007000740069006F006E00000000004D006900630072006F0073006F00660074002000450078006300680061006E00670065002000530065007200760065007200200053006500740075007000000036000B000100460069006C006500560065007200730069006F006E000000000035002E0035002E0031003900360030002E003700000000002C000600010049006E007400650072006E0061006C004E0061006D00650000005300650074007500700000009C003C0001004C006500670061006C0043006F007000790072006900670068007400000043006F00700079007200690067006800740020000200000000000000010000004C0000003CFD0600050000000000000065050000020000000300000002000000530065007200760069006300650020005000610063006B002000340000002300 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe ApplicationGoo REG_BINARY 580200005402000000020000440234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100010001000C000000010001000C00000000000000000000000400000001000000000000000000000000000000440000000000560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000904B004A4010000010053007400720069006E006700460069006C00650049006E0066006F00000080010000010030003400300039003000340042003000000040002000010043006F006D00700061006E0079004E0061006D00650000000000440065004C006F0072006D00650020004D0061007000700069006E0067000000440022000100500072006F0064007500630074004E0061006D006500000000005200650067002000280044004C0069006200620079005C006D0073006600290000000000340014000100460069006C006500560065007200730069006F006E000000000031002E00300031002E0030003000310032000000380014000100500072006F006400750063007400560065007200730069006F006E00000031002E00300031002E003000300031003200000034001200010049006E007400650072006E0061006C004E0061006D00650000004D004E00470052004500470033003200000000000200000000000000010000004C0000003CFD0600040000000000000065050000020000000300000000000100530065007200760069006300650020005000610063006B002000330000002300 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE GlobalFlag REG_SZ 0x00200000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE GlobalFlag REG_SZ 0x00200000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe ApplicationGoo REG_BINARY 140200001002000000020000B40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100350007000000000035000700000000003F00000000000000040000000100000000000000000000000000000012020000010053007400720069006E006700460069006C00650049006E0066006F000000EE010000010030003400300039003000340062003000000042001100010043006F006D00700061006E0079004E0061006D00650000000000500065006F0070006C00650053006F00660074002C00200049006E0063002E0000000000280000000100460069006C0065004400650073006300720069007000740069006F006E00000000002A0005000100460069006C006500560065007200730069006F006E000000000037002E0035003300000000009C003C0001004C006500670061006C0043006F007000790072006900670068007400000043006F0070007900720069006700680074002000A900200031003900380038002D0031003900390038002000500065006F0070006C00650053006F00660074002C00200049006E0063002E002000200041006C006C00200052006900670068007400730020005200650073006500720076006500640000003C000A0001004F0072006900670069006E0061006C00460069006C0065006E0061006D00650000007000730064006D0074002E001000000000000000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe ApplicationGoo REG_BINARY 000700005402000000020000840734000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100050005000700A807050005000700A8073F000000000000000400040001000000000000000000000000000000E4060000010053007400720069006E006700460069006C00650049006E0066006F00000060030000010030003400300039003000340042003000000018000000010043006F006D006D0065006E007400730000004C001600010043006F006D00700061006E0079004E0061006D006500000000004D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000680020000100460069006C0065004400650073006300720069007000740069006F006E00000000004D006900630072006F0073006F00660074002000450078006300680061006E00670065002000530065007200760065007200200053006500740075007000000036000B000100460069006C006500560065007200730069006F006E000000000035002E0035002E0031003900360030002E003700000000002C000600010049006E007400650072006E0061006C004E0061006D00650000005300650074007500700000009E003D0001004C006500670061006C0043006F007000790072006900670068007400000043006F00700079007200690067006800740020000200000000000000010000004C0000003CFD0600050000000000000065050000020000000000000000000000530065007200760069006300650020005000610063006B0020003300000024005402000000020000A40834000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100050005000700A807050005000700A8073F00000000000000040004000100000000000000000000000000000004080000010053007400720069006E006700460069006C00650049006E0066006F000000F0030000010030003400300039003000340042003000000018000000010043006F006D006D0065006E007400730000004C001600010043006F006D00700061006E0079004E0061006D006500000000004D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000680020000100460069006C0065004400650073006300720069007000740069006F006E00000000004D006900630072006F0073006F00660074002000450078006300680061006E00670065002000530065007200760065007200200053006500740075007000000036000B000100460069006C006500560065007200730069006F006E000000000035002E0035002E0031003900360030002E003700000000002C000600010049006E007400650072006E0061006C004E0061006D0065000000530065007400750070000000A600410001004C006500670061006C0043006F007000790072006900670068007400000043006F00700079007200690067006800740020000200000000000000010000004C0000003CFD0600050000000000000065050000020000000000000000000000530065007200760069006300650020005000610063006B0020003300000024005402000000020000180434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100050005000700A807050005000700A8073F00000000000000040004000100000000000000000000000000000078030000010053007400720069006E006700460069006C00650049006E0066006F00000054030000010030003400300039003000340042003000000018000000010043006F006D006D0065006E007400730000004C001600010043006F006D00700061006E0079004E0061006D006500000000004D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000680020000100460069006C0065004400650073006300720069007000740069006F006E00000000004D006900630072006F0073006F00660074002000450078006300680061006E00670065002000530065007200760065007200200053006500740075007000000036000B000100460069006C006500560065007200730069006F006E000000000035002E0035002E0031003900360030002E003700000000002C000600010049006E007400650072006E0061006C004E0061006D00650000005300650074007500700000009A003B0001004C006500670061006C0043006F007000790072006900670068007400000043006F00700079007200690067006800740020000200000000000000010000004C0000003CFD0600050000000000000065050000020000000000000000000000530065007200760069006300650020005000610063006B002000330000002400 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll ApplicationGoo REG_BINARY 140200001002000000020000040334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001C0008000000000000000800000000003F00000000000000040000000100000000000000000000000000000064020000010053007400720069006E006700460069006C00650049006E0066006F00000040020000010030003400300039003000340062003000000044001200010043006F006D00700061006E0079004E0061006D0065000000000043006F00720065006C00200043006F00720070006F0072006100740069006F006E0000004E0013000100460069006C0065004400650073006300720069007000740069006F006E000000000043006F00720065006C002000530065007400750070002000570069007A00610072006400000000002C0006000100460069006C006500560065007200730069006F006E000000000038002E00300032003800000046001300010049006E007400650072006E0061006C004E0061006D006500000043006F00720065006C002000530065007400750070002000570069007A00610072006400000000006C00240001004C006500670061006C0043006F007000790072006900670068007400000043006F0070007900720069006700680074002000A900200031003900390037002C00200043006F00720065006C00200043006F00720070006F0072000800000000000000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe ApplicationGoo REG_BINARY 140200001002000000020000380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE0000010002000A0001000A0002000A0001000A000000000000000000040001000100000000000000000000000000000098020000010053007400720069006E006700460069006C00650049006E0066006F0000007402000001003000340030003900300034004500340000004A001500010043006F006D00700061006E0079004E0061006D00650000000000530079006D0061006E00740065006300200043006F00720070006F0072006100740069006F006E000000000060001C000100460069006C0065004400650073006300720069007000740069006F006E0000000000530079006D0061006E007400650063002000530079006D006500760065006E007400200049006E007300740061006C006C0065007200000034000A000100460069006C006500560065007200730069006F006E0000000000310030002E0032002E00310030002E003100000030000800010049006E007400650072006E0061006C004E0061006D006500000053004500560049004E005300540000007E002D0001004C006500670061006C0043006F007000790072006900670068007400000043006F00700079007200690067006800740020002800430029002000530079006D0061006E00740065006300200043006F0072000100000000000000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE DisableHeapLookAside REG_SZ 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll CheckAppHelp REG_DWORD 0x1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE ApplicationGoo REG_BINARY 1402000010020000000200007C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000001000900260000000100090026003F000000000000000400000001000000000000000000000000000000DC020000010053007400720069006E006700460069006C00650049006E0066006F000000B8020000010030003400300039003000340062003000000066002700010043006F006D006D0065006E0074007300000042007500730069006E00650073007300200049006E00740065006C006C006900670065006E006300650020006F006E0020004500760065007200790020004400650073006B0074006F0070000000000048001400010043006F006D00700061006E0079004E0061006D0065000000000043006F0067006E006F007300200049006E0063006F00720070006F0072006100740065006400000060001C000100460069006C0065004400650073006300720069007000740069006F006E000000000043006F0067006E006F0073002000470065006E006500720069006300200049006E007300740061006C006C006100740069006F006E00000038000C000100460069006C006500560065007200730069006F006E000000000031002C00200030002C002000330038002C0020003900000030000800010049006E007400650072006E0061006C004E0061006D00650000000100000000000000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger REG_SZ ntsd -d GlobalFlag REG_SZ 0x000010F0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE ApplicationGoo REG_BINARY 140200001002000000020000A40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000001000100000000000100010000003F00000000000000010001000100000000000000000000000000000004020000010053007400720069006E006700460069006C00650049006E0066006F000000E0010000010030003400300039003000340045003400000020000000010043006F006D00700061006E0079004E0061006D00650000000000580018000100460069006C0065004400650073006300720069007000740069006F006E000000000049004E005300540041004C004C0020004D004600430020004100700070006C00690063006100740069006F006E000000300008000100460069006C006500560065007200730069006F006E000000000031002E0030002E00300030003100000030000800010049006E007400650072006E0061006C004E0061006D006500000049004E005300540041004C004C0000002400000001004C006500670061006C0043006F00700079007200690067006800740000002800000001004C006500670061006C00540072006100640065006D00610072006B0073000000000040000C0001004F0072006900670069006E0061006C00460069006C0065006E0061006D006500000049004E005300540041004C004C002E004500580045000000300008000800000000000000 Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 11, 2007 Share Posted April 11, 2007 Hi Ian HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exeDebugger REG_SZ "c:\windows\system32\fmomtuqu.old" There's the trojan, this is abit of a pain to manually remove as it does everything possible to protect itself, you cannot delete the file or reg entry as its removed all permissions to access them, if you reset the permissions on the reg key and delete it then the trojan will put it back instantly, if you remove the trojan file then explorer.exe will not be able to start because of the above reg entry and it targets alot of different tools. I put a small script together last time I tested this to remove it and fix the permissions which I will post below, I will also post some instructions for removing the reg key manually just incase its needed, please ask any questions you may have before proceeding Download LinkOptfix from Here and save it to your desktop Copy and paste these instructions to notepad and save it to your C:\drive incase you need to access it without using the start menu later To run the fix , double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix, open the newly created LinkOptfix folder and double click fix.bat, it will only take afew seconds to run, first it finds the filename, creates a backups folder, moves the file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar) , resets the permissions on its reg entry, removes the reg entry then resets the permissions on its file and then restarts explorer.exe, you should then be able to run HijackThis and post a log and also run CCleaner, if you can then ignore the rest of this post and reply so we can then check for the gromozon part of the infection. If you have problems and explorer.exe doesnt restart then you will have to remove its reg entry which will be possible as the file would of been moved so it cannot load again, if explorer doesnt restart you will not be able to access the start menu so press Control , Alt & Delete to open Task Manager, then click Applications and New Task, you can then click Browse to find the text file you saved with these instructions and click ok to open it, then type Regedit into Task Manager > Applications > New Task and click OK to open the registry editor, Click the [+] next to HKEY_LOCAL_MACHINE Click the [+] next to SOFTWARE Click the [+] next to Microsoft Click the [+] next to Windows NT Click the [+] next to Current Version Click the [+] next to Image File Execution Options Scroll down the list and find explorer.exe then right click it and choose Permissions, On the permissions for Everyone area place a check next to Full Control then click Apply and OK, right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task and type explorer.exe and click ok and then it will restart You should not need the manual instructions as the fixtool should remove it fine but its best to be safe and provide an alternative just incase its needed, Let me know if you have any problems or questions Cheers Andy Link to comment Share on other sites More sharing options...
ian pollington Posted April 11, 2007 Author Share Posted April 11, 2007 Andy, What a man! Fix worked and below is the hijackthis log that was generated almost immediately - one question, how did that sucker get in there? Thanks for your help on this and hope that no gromozone is also lurking! Ian Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 22:57:22, on 11/04/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Tanagra\Memeo\MemeoService.exe C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE c:\program files\panda software\panda internet security 2007\WebProxy.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iRiver\HSeries\iHPDetect.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KVM.exe C:\Program Files\J River\Media Center 11\Media Center.exe C:\Program Files\Tanagra\Memeo\MemeoBackup.exe C:\PROGRA~1\Yahoo!\Common\unyt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Documents and Settings\ian\Desktop\HiJackThis_v2.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\seagate-helper.exe", O2 - BHO: (no name) - {00000000-6C30-11D8-9363-000AE6309654} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {21B5274C-4950-A739-CFDE-34197B9D4B81} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file) O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - Startup: KVM.exe O4 - Startup: Media Server.lnk = C:\WINDOWS\SYSTEM32\MC11.exe O4 - Startup: Memeo Launcher.lnk = ? O4 - Global Startup: KVM.exe O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121933000156 O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Memeo (BMUService) - Tanagra, Inc. - C:\Program Files\Tanagra\Memeo\MemeoService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe O23 - Service: Panda TPSrv (TPSrv) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe -- End of file - 12896 bytes Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 11, 2007 Share Posted April 11, 2007 Nice work Ian There's another trojan showing in the log but I guess its all part of the same infection, this one is hooking to userinit.exe to make sure its always running but with it not being in the running processes it may of already been removed from your system, regarding where its coming from I really do not know, it maybe dropped by an exploit script written into a malicious webpage but If you have all the updates from Windows installed and you dont have any older versions of Java still on the system then I doubt that would be the cause. Nice to see it went without a fight though, you can delete the LinkOptFix folder now as it contains a copy of the trojan file. Download the Gromozon remover from here http://www.prevx.com/gromozon.asp If you cannot download it for any reason let me know and I'll upload it into the thread, run the tool and follow the prompts, when its finished it will create a logfile in C:\ named Gromozon_removal.log, please post the contents of that file back on here. Click No if it prompts you to install Prevx as its only a trial version which isnt needed here. It maybe easier to copy and paste this to notepad and saving it as all browser windows need closing when fixing the entries Run Hijack This and choose Do A System Scan then place a check next to these entries R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\seagate-helper.exe", O2 - BHO: (no name) - {00000000-6C30-11D8-9363-000AE6309654} - (no file) O2 - BHO: (no name) - {21B5274C-4950-A739-CFDE-34197B9D4B81} - (no file) O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file) O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - Close all open browser and other windows except for Hijack This and press the Fix Checked button Can you set Windows to show hidden files and folders Click Start. Goto MyComputer then C:\drive Select the Tools menu from the top bar and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select "Show hidden files and folders". UnCheck the "Hide protected operating system files (recommended)" option. Click Yes to confirm then OK Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button the click Apply and OK. Check if this file still exists c:\windows\seagate-helper.exe If it does please have it scanned at VirusTotal as its clearly a trojan with it hooking to userinit.exe Visit VirusTotal and have this file scanned: c:\windows\seagate-helper.exe Open the scan site and press Browse, locate the file and double click it to load the path into the Virus scan window then press Send, copy and paste the Virus scan results back and let us know if the file doesnt exist after setting Windows to show hidden and system files Finally download AVG Anti-Spyware Load AVG and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful") Click on the Scanner tab at the top and then click on Complete System Scan AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back Please then post back the Gromozon remover log, VirusTotal results if the file exists, AVG log and a new HijackThis log Thanks Andy Link to comment Share on other sites More sharing options...
ian pollington Posted April 12, 2007 Author Share Posted April 12, 2007 Andy, All seems to have worked fine, thank you so much! The only issue that I can see is seagate-helper is still there but as .old - it can't be deleted though, access denied. Sorry that you have so much to look at now! Thanks again Ian Gromozon Log Removal tool loaded into memory ------------------------------------ Executing rootkit removal engine.... ------------------------------------ Disabling rootkit file: \\?\C:\WINDOWS\system32\aux.pzq \\?\C:\WINDOWS\system32\aux.pzq Resetting file permissions... Clearing attributes... Removing file... Rootkit removed! Cleaning up... Removing temp files... Scanning: C:\WINDOWS Scanning: C:\Program Files\Common Files Gromozon-Related Malicious Code Detected! FileName: C:\WINDOWS\abypu1.dll Removed! Trojan.Gromozon Removed! Forgot to save the log but here is the event log from AVG <history> - <!-- 01c77cfd19bd3970 --> - <rec time="2007/04/12 08:08:42" user="SYSTEM" source="Update"> <value>@HL_UpdateOK</value> <attr name="version">avi:993-991;iavi:767-760;</attr> </rec> - <rec time="2007/04/12 08:09:41" user="ian" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_02</attr> </rec> - <rec time="2007/04/12 08:37:19" user="ian" source="Virus"> <value>@HL_ReportFind</value> <attr name="where">C:\Program Files\Max Registry Cleaner\Backup\14 10 2006 09-20-46[46.tmp].dat</attr> <attr name="type">@EID_Id_trj</attr> <attr name="what">Generic2.ETZ</attr> </rec> - <rec time="2007/04/12 09:05:28" user="ian" source="Virus"> <value>@HL_ReportFind</value> <attr name="where">C:\WINDOWS\SYSTEM32\eicj.dll</attr> <attr name="type">@EID_Id_trj</attr> <attr name="what">Generic2.ETZ</attr> </rec> - <rec time="2007/04/12 10:38:17" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP21\A0001515.dll</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Lop.AH</attr> </rec> - <rec time="2007/04/12 10:38:17" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP21\A0001515.dll</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Lop.AH</attr> </rec> - <rec time="2007/04/12 10:38:39" user="ian" source="Virus"> <value>@HL_ActionTaken</value> <attr name="filename">C:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP21\A0001515.dll</attr> <attr name="action">@HL_ActCleaned</attr> </rec> - <rec time="2007/04/12 10:38:53" user="ian" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_02</attr> </rec> - <rec time="2007/04/12 11:10:35" user="ian" source="Virus"> <value>@HL_ReportFind</value> <attr name="where">C:\Program Files\Max Registry Cleaner\Backup\14 10 2006 09-20-46[46.tmp].dat</attr> <attr name="type">@EID_Id_trj</attr> <attr name="what">Generic2.ETZ</attr> </rec> - <rec time="2007/04/12 11:39:40" user="ian" source="Virus"> <value>@HL_ReportFind</value> <attr name="where">C:\WINDOWS\SYSTEM32\eicj.dll</attr> <attr name="type">@EID_Id_trj</attr> <attr name="what">Generic2.ETZ</attr> </rec> - <rec time="2007/04/12 11:39:41" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\WINDOWS\SYSTEM32\eicj.dll</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic2.ETZ</attr> </rec> - <rec time="2007/04/12 11:40:26" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\WINDOWS\SYSTEM32\eicj.dll</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic2.ETZ</attr> </rec> - <rec time="2007/04/12 11:40:27" user="ian" source="Virus"> <value>@HL_ActionTaken</value> <attr name="filename">C:\WINDOWS\SYSTEM32\eicj.dll</attr> <attr name="action">@HL_ActCleaned</attr> </rec> - <rec time="2007/04/12 12:21:30" user="ian" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_02</attr> <attr name="infectedfiles">2</attr> </rec> - <rec time="2007/04/12 12:21:31" user="ian" source="Virus"> <value>@HL_ActionTaken</value> <attr name="filename">C:\Program Files\Max Registry Cleaner\Backup\14 10 2006 09-20-46[46.tmp].dat</attr> <attr name="action">@HL_ActCleaned</attr> </rec> - <rec time="2007/04/12 12:21:31" user="ian" source="Virus"> <value>@HL_ActionTaken</value> <attr name="filename">C:\WINDOWS\SYSTEM32\eicj.dll</attr> <attr name="action">@HL_ActCleaned</attr> </rec> </history> HijackThis log Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 16:57:31, on 12/04/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Tanagra\Memeo\MemeoService.exe C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\iRiver\HSeries\iHPDetect.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KVM.exe C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE c:\program files\panda software\panda internet security 2007\WebProxy.exe C:\Program Files\Tanagra\Memeo\MemeoBackup.exe C:\Program Files\J River\Media Center 11\Media Center.exe C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\ian\Desktop\HiJackThis_v2.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - Startup: KVM.exe O4 - Startup: Media Server.lnk = C:\WINDOWS\SYSTEM32\MC11.exe O4 - Startup: Memeo Launcher.lnk = ? O4 - Global Startup: KVM.exe O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121933000156 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Memeo (BMUService) - Tanagra, Inc. - C:\Program Files\Tanagra\Memeo\MemeoService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe O23 - Service: Panda TPSrv (TPSrv) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe -- End of file - 12034 bytes Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 12, 2007 Share Posted April 12, 2007 Cheers Ian, No problem regarding the help, this is quite a new infection so getting any information on it or samples of additional files is really helpful so we can get them sent to Antivirus companies and also find easier ways of dealing with it each time it shows up, 1. Please download The Avenger by Swandog46 to your Desktop Click on Avenger.zip to open the file Extract avenger.exe to your desktop 2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C): Files to Delete:c:\windows\seagate-helper.exec:\windows\seagate-helper.old 3. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon which will open a new window titled "View/edit script" Paste the text copied to clipboard into this window by pressing (Ctrl+V). Click Done Now click on the Green Light to begin execution of the script Answer "Yes" twice when prompted. 4. The Avenger will automatically do the following: It will Restart your computer. On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. 5. Please copy/paste the content of c:\avenger.txt into your reply Next download RegSearch by Bobbi Flekman from Here Download and extract the contents of the zip file. Double-click the icon for RegSearch.exe to launch the program. Enter seagate-helper (in the first open box) to search for and click "OK". After its finished notepad will open and show any found instances of seagate-helper in the registry, the results are also saved in the same location as RegSearch.exe. Please post that back on here There's a couple of optional fixes showing in HijackThis but its fine if you want to leave them, R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ The above entry is from Yahoo but you can see from the address that the system is being redirected through red.clientapps before going to the Yahoo site, red.clientapps is Red Sheriff and a form of spyware, Although its probably nothing nasty it can be fixed to return it to Microsoft's default SearchURL, Here's some info on Red Sheriff. O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u dumprep.exe is Microsoft's fault logging software. Once errors happen on the system this program will write the details to a text file and request the information be sent to Microsoft, it should remove itself from the run key but Ive noticed its present in both logs so the entry can be fixed if it remains after another reboot. You should really avoid having more than one Antivirus program installed as they use alot of system resources and having two providing protection can cause alot of problems on the system such as false virus alerts, crashes, slowdowns and even make the system more likely to get a trojan infection if they are conflicting with each other. If Panda and AVG are both providing real time monitoring then you should consider uninstalling or disabling the real time protection on one and only using it as a 'on-demand' scanner which you start and stop manually so there is only one Antivirus program starting with Windows and providing protection to prevent any problems, Can you check your Add/Remove screen (Start Menu > Control Panel > Add or Remove programs) for any older versions of Java (J2SE Runtime Environment) , its common for them to leave older versions behind when it updates which can take up alot of space and some of them are vulnerable to certain infections, ignore 1.6.0_01 but remove any other versions that maybe present, Please then post back the Avenger log and the Regsearch log and we can see if this remaining trojan was removed, Cheers Andy Link to comment Share on other sites More sharing options...
ian pollington Posted April 12, 2007 Author Share Posted April 12, 2007 Andy, The two logs are below. The failure to find helper .exe is fine, I knew it had gone but maybe worded my reply badly - however I am sure I remember trying to find out about this file a long while ago as I had noticed it and didn't know what it was doing there. If I remember how far back I'll let you know! I checked the two files in Hijackthis, had already removed old java stuff and will probably keep Panda as I've paid for it! Thanks Ian Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\yjtcrnvb ******************* Script file located at: \??\C:\iiquwycx.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File c:\windows\seagate-helper.exe not found! Deletion of file c:\windows\seagate-helper.exe failed! Could not process line: c:\windows\seagate-helper.exe Status: 0xc0000034 File c:\windows\seagate-helper.old deleted successfully. Completed script processing. ******************* Finished! Terminate. Windows Registry Editor Version 5.00 ; Registry Search 2.0 by Bobbi Flekman ? 2005 ; Version: 2.0.2.0 ; Results at 12/04/2007 23:13:52 for strings: ; 'seagate-helper' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS ; End Of The Log... Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 12, 2007 Share Posted April 12, 2007 Hi Ian, Thanks for the logs, Its nice to see seagate-helper hasnt got any additional registry entries except for the userinit hook that we fixed earlier, I didn't think the .exe would be found after reading your earlier post but thought we may as well include it while we were deleting the .old file, can you please upload the avenger backups for me so I can have a closer look at the seagate file Please visit SpyKillers forum here http://www.thespykiller.co.uk/index.php?board=1.0 Read the instructions for uploading files which is the first topic on the forum then start a new Topic named 'File For AndyManchesta' , please then post a link to this thread and upload the C:\avenger\backup.zip folder, The logs are looking good but with you having had a rootkit infection its best to run a couple of final scans to make sure there is no remaining issues then we can clear up the system restore points once we know the machine is clean. Download Blacklight beta HERE and save it to your desktop. Run the program, accept statement > click next then scan When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file. Finally run Kaspersky WebScanner Please go HERE and click Kaspersky Online Scanner Read and Accept the Agreement You will be promted to install an ActiveX component from Kaspersky, Click Yes. If you see a Windows dialog asking if you want to install this software, click the Install button. The program will launch and then begin downloading the latest definition files, When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it. Click on the Scan Settings button, and in the next window select the Extended database, and click Ok. Under "Please select a target to scan:", click My Computer to start the scan. When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window. Please the post back the Kaspersky log and the Blacklight log, let me know if there's any problems Regards Andy Link to comment Share on other sites More sharing options...
ian pollington Posted April 13, 2007 Author Share Posted April 13, 2007 Andy, The two logs you wanted - nothing found on Blacklight ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, April 13, 2007 1:48:53 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 13/04/2007 Kaspersky Anti-Virus database records: 296918 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ Scan Statistics: Total number of scanned objects: 172152 Number of viruses found: 1 Number of infected objects: 1 / 0 Number of suspicious objects: 0 Duration of the scan process: 04:56:07 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeysf0e89a62ca4fa3835b90ef6b7bd4df_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys37ab47582002a4723fcc079829f368f_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys913ce832ec8c340e2b74f1b869c0988_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeysad38d35eb1d4890c0ce53fa646f924f_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeysc1349b20170b80cf733044dfa7f44f8_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeysc46c3209772caebd3e031f7ecb45851_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeyscbfe496ed17cbf128249992755dc5d6_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\133c740c29cc859120f169b921c329bc_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c3f22b2bff3a633fc8cadd6e75068d7_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c713628113dbe1fd6bd1adf33bd57d8_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2044487bd658375ee3a9faf5a0816fe2_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\214100beb808401030ef77c9643189f2_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2379dd8f08b82dcd33303d7945fab5c4_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\23ab0e5c17c166c468709513f2213a4b_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\288f6703139ff4bd2dd85e4b84e2b5ff_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\28f5dd96cff6d1e16db7b2dbcd536d7f_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\29f7c0b9ab8afb1356bfe6ef7180c735_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ce1eb49aa20b5f7abe94052329979cf_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2d8b533a251a8b01a79a4f2d020915a3_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e0a05ba4a3321b6802991f1c31a5fd5_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\319836474369d39538f1eb5cd785de9f_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35d795e566ab36f5349389d99e9735e6_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\37d1ef419f3f09ad8a86218622b61f99_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a91b5c96206b87ee20b839b5ef56c95_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3c6d4b2d417a5b0d2b6e4eace62785af_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e8e2ee62e99128b4e133c3b81f53cd1_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\444301658548ff658fa424d3eb6c4411_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45db6bf08502f5c3a4db74f3bdc318ab_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\47041786809a1db42a456783c5ef691b_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4791ce2ac1becf6219a0b8961ce87608_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4bea10fe3c22800848ee031e96c1729f_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\513d6cb6850f2940329648925e0279f2_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51f7f611f327b0f6630ac7139b0bcd00_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\533e5333ed1dd84b56820015d0266433_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\578f6e766b10f03f260b85fdabe63c06_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5a522f4858b502b30b718424c3b356ed_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5bb236aeca48833912e1688b8925ec5a_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c9a9f572b34e520dc152410f250334f_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d44eafbaf1fd1f8c85ad5dc5e60d140_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6169bb98acc76b48b7530b3d1c6d4471_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62b70c652fbf07b25b36bebba1ebdc69_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\63e5aeded14bfd02cc7497aa97484275_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\64e1b80d925e7b68c63abc965d7fbb37_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\64f96a337ef3a51f39150963e32f69e3_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\695e1aec2af96b7354628cbcdcfcf0ef_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b4ec7e394e32ae1bf6f249d430b37af_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b87cc373324ee2041f74ed4c98c3eee_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6cb1a873c4fcedd7d40c88798fc56eed_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6cdd85916a827226094df2c2fe3412b9_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6e8a412c2bef7727bcf3110f7c0867f1_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\731cd60982a690ccc5f58a740a2045ae_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\736096817012065d64b49ca8048a6428_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7676340b247bbc06728cfdc6e3c7c622_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\76cfe43824ab6c1d409c82db1f178c57_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\78362caa24984809001eadbf10e87cdd_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\797328b7e4c54a7ef2ae4c8148e69b9b_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\828346bc81b110e22732b5dd6eaee122_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\85c7905ca5bf77b2fe79a77d8f18dc92_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87c301eace576a9e2d9513b230751475_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8864d58f77066b809229268b23fbd264_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\89971915b5a9c21357a4ad4a1d7a14e5_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8adeb2add0481bd7a445b0737ead2784_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8ea3b3d05fcf0dc3466f3fde4fa76de1_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9159895eb2ba052089ba7844b0b1a026_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\91e3a955e9902848a14892e8d5d0cbc3_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9227c8bd037455b81000a373bd50fa4c_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\98f7ee1fd5e2ded1f29e5d732c23ce64_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\998c91b5a5c565274e4644ad8bb678df_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9db4f380a5f7c0e727100dee8a62f773_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9dba2a7ae119ebe3679faccc657e3142_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a961e995b6363995e268a9ed534439e6_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aaaa9fe4845b0cf042c03a3e331d656e_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac459481a250bdc7c146e057cf4656f5_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b2209291dc7a8e6929ebcbdb7584d090_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bb2ee7f294323d5a513cb229baa2b3bd_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bb4785d50193c1d3cf1fcee837726c53_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\be3e440ea681980047ad0c0b0e540bf2_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\beb7a46a194452516bf22884b336d3b5_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf55faa37ef4ef838e1601d42efbd804_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c1447f9b14b29f004fabdeb55d234581_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c2445e52eba188199c1cfe9cb1e09950_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c4014b553029882102a7a630673692b0_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c491821114d1f2782355a2a79a6763e4_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c4ed1c168694e821400088342e32ae8b_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca347acbbcce7e8968bf2993bcc94463_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb5b5d8fb60f3e52d2ac92335e794fd7_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cf26eea531fdc90fe0c75fe8c6c5df9c_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d27c7f9d18ac371fed57f2c1962f2c58_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d553e1f99d518c1ddf903a9d7de514bd_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d67765e7173d0d098a07bc29199e0b88_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d8714a2dc829471b2224c058be38c784_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d907f27a7b2591cab7b907e2f87ba31b_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\da276b89634bf5cdb14bb92650c77f17_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\de20122d2320f2cbf691c3d9eecb8d49_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\df01e725ad7f64e17f93d395e5a1f87b_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e0dd0b89bb584d6358c5258f6748c21c_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e23710c94953a2dc973c459891224f15_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e384f9d162d5fd197c90c47131bbcd06_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e62c7b95e38f1b6c6a3ab3de3356eee9_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e69745cea656e36948955badcec02cf5_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e6f06edf1dad19a844fcbb6b7e461140_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e8b2cda46da5336b89335fa218607905_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ec07bb49ef2750f7dde6f72ac4f58c36_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ecdd74f7a51554ad013762046fadc885_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f2539e0a2a76e8be61bb113f19cba52e_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f2d5156e8c83c017e04ca5e36e3ceaa8_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f838b423c47846a0f3e74fafb5c2b0b3_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f90120b44d8e108af70828589c7333e9_bda725c4-319a-4d7f-acf3-1dfdcec94d92 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-064806.log Object is locked skipped C:\Documents and Settings\ian\Application Data\J River\Media Center 11\Library\view state (data).jmd Object is locked skipped C:\Documents and Settings\ian\Application Data\J River\Media Center 11\Thumbnails\{62734696-FEFE-420E-9AF8-6E368CE15D73}\Normal (v3)\Thumbnails.jmd Object is locked skipped C:\Documents and Settings\ian\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\cert8.db Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\formhistory.dat Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\history.dat Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\key3.db Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\parent.lock Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\search.sqlite Object is locked skipped C:\Documents and Settings\ian\Application Data\Mozilla\Firefox\Profiles\default.fna\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\ian\Cookies\index.dat Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\ApplicationHistory\MemeoBackup.exe.bde7ef1c.ini.inuse Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{698E7E69-7ECA-4A3A-848E-07845D7B065C} Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.fna\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.fna\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.fna\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\ian\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.fna\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\ian\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\ian\NTUSER.DAT Object is locked skipped C:\Documents and Settings\ian\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\My Documents\Outlook.pst Object is locked skipped C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\MshConf\scoffset.bin.incr Object is locked skipped C:\Program Files\Panda Software\Panda Internet Security 2007\PSK_NAMES2_3 Object is locked skipped C:\Program Files\Panda Software\Panda Internet Security 2007\PSK_NAMES_3 Object is locked skipped C:\Program Files\Tanagra\Memeo\MemeoBackup.exe.log-2007-4-13.log Object is locked skipped C:\Program Files\Tanagra\Memeo\MemeoService.exe.log-2007-4-13.log Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP22\A0001569.dll Object is locked skipped C:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP22\A0001613.old Infected: Trojan.Win32.Small.kl skipped C:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP25\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{5564CB09-9660-499E-9C2A-586916A50DD7}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\config\default Object is locked skipped C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped C:\WINDOWS\SYSTEM32\config\sam Object is locked skipped C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\config\security Object is locked skipped C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\config\software Object is locked skipped C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\config\system Object is locked skipped C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped G:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP25\change.log Object is locked skipped H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped H:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP25\change.log Object is locked skipped I:\System Volume Information\_restore{812104D2-B324-45C4-AB58-E2123BB7043B}\RP25\change.log Object is locked skipped Scan process completed. 04/13/07 07:40:14 [info]: BlackLight Engine 1.0.61 initialized 04/13/07 07:40:14 [info]: OS: 5.1 build 2600 (Service Pack 2) 04/13/07 07:40:14 [Note]: 7019 4 04/13/07 07:40:14 [Note]: 7005 0 04/13/07 07:40:19 [Note]: 7006 0 04/13/07 07:40:19 [Note]: 7011 3932 04/13/07 07:40:19 [Note]: 7026 0 04/13/07 07:40:20 [Note]: 7026 0 04/13/07 07:40:28 [Note]: FSRAW library version 1.7.1021 04/13/07 08:19:28 [Note]: 7007 0 Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 14, 2007 Share Posted April 14, 2007 Hi Ian, Sorry for the delay in replying, I wasn't able to get on the pc for most of yesterday so Ive just been catching up with my emails, Unfortunately Avenger wasnt able to create a backup of the file, Im not sure why but the backup.zip is empty except for a text file showing that it removed the file, Its nice to see it was removed though The logs look fine, Kaspersky is finding an infected System Restore point but thats to be expected after getting the trojans and we can clear them out now the system is clean, I'll also post afew basic steps to help avoid further infections Click Start Menu > All Programs > Accessories > System Tools > SystemRestore Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close. Next goto Start Menu > Run > type cleanmgr Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup Consider Installing Spywareblaster if it's not already installed, SpywareBlaster doesn`t scan and clean spyware, but can help prevent it from being installed by blocking the popular spyware ActiveX controls which prevents the installation of any of them via webpages, It also adds hundreds of malicious sites to the restricted zone so they cannot cause damage to your system if you visit them by mistake anytime such as by typing a URL slightly wrong and ending up at a malicious site rather than the intended site. A tutorial on using SpywareBlaster can be found here. Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present. Don't click on links inside Popups, Messenger programs or spam email messages. Download free software only from sites you know and trust. Please make sure to run your Antivirus software regularly, and to keep it up-to-date and also make sure your windows has the latest updates: http://windowsupdate.microsoft.com/ Please also read Tony Klein's excellent article: How I got Infected in the First Place Let me know if there's any remaining problems Cheers Andy Link to comment Share on other sites More sharing options...
ian pollington Posted April 14, 2007 Author Share Posted April 14, 2007 Andy, No need to apologise man, you're doing me a big favour! I have spywareblaster, panda, etc installed and have always kept things up to date so I guess this infection has snuck in when one of the sprogs has been in Kazaa or the like. Everything seems fine now, thanks for all your help. Ian Link to comment Share on other sites More sharing options...
AndyManchesta Posted April 14, 2007 Share Posted April 14, 2007 Thanks Ian Its hard to say where this trojan is coming from, the gromozon infections in the past have only attacked users with Italian IP's but this variant is different as we have seen it infecting users with U.K IP addresses, there's another member on here who posted today with the same trojan so its difficult to say at the moment what type of site is adding it, Im glad we were able to get it removed from your system but let us know if you have problems again anytime Happy Surfing Andy Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now