sarip_dol 0 Newbie Poster

Crunchie,

Below is the KScan report,

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 05, 2008 01:11:05
Records in database: 1192781
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned: 67654
Threat name: 4
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 00:28:41

File name Threat name Threats count
C:\Documents and Settings\Guest\Desktop\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\My Documents\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
D:\MY PROGRAMME\MY GAMES\Shooters Mania\Bonus Picks\Mystery Case Files - Prime Suspects.exe Infected: Trojan-Downloader.Win32.Agent.adla 1
D:\MY PROGRAMME\MY GAMES\Shooters Mania\Evil Invasion.exe Infected: Trojan-Downloader.Win32.Agent.adla 1
The selected area was scanned.
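
The report above mixes two kinds of hit: rows whose threat name carries the `not-a-virus:` prefix (Kaspersky's label for legitimate-but-abusable software such as an IRC client or a reboot/close-app utility) and rows with a real malware verdict such as `Trojan-Downloader.Win32.Agent.adla`. The Python below is an added example, not part of sarip_dol's post and not a Kaspersky tool: it parses rows in the report's `path Infected: threat count` shape and splits them into malware, riskware, and riskware that deserves a manual look. The sample rows are copied from the report above; the rule that singles out a riskware tool under `C:\WINDOWS\` is this example's own heuristic, not a Kaspersky verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Rows copied from the Kaspersky Online Scanner 7 report above (plus its trailer line),
# in the "File name Infected: Threat name Threats count" shape the scanner prints.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Guest\Desktop\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
D:\MY PROGRAMME\MY GAMES\Shooters Mania\Evil Invasion.exe Infected: Trojan-Downloader.Win32.Agent.adla 1
The selected area was scanned.
"""

# One detection row: everything before " Infected: " is the path, then the threat name
# (Kaspersky names contain no spaces), then the per-file hit count.
ROW = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def riskware(self) -> bool:
        # Kaspersky marks legitimate-but-abusable software (RiskTool, Client-IRC, ...)
        # with the "not-a-virus:" prefix; anything without it is a real malware verdict.
        return self.threat.startswith("not-a-virus:")

    @property
    def family(self) -> str:
        # "Trojan-Downloader.Win32.Agent.adla"   -> "Trojan-Downloader"
        # "not-a-virus:RiskTool.Win32.Reboot.f"  -> "RiskTool"
        return self.threat.split(":", 1)[-1].split(".", 1)[0]


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per matching row; headers and the trailer line are ignored."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Split hits into real malware, riskware, and riskware worth a manual look."""
    malware = [d for d in detections if not d.riskware]
    riskware = [d for d in detections if d.riskware]
    # Heuristic of this example, not a Kaspersky verdict: a "not-a-virus" utility sitting
    # under the Windows directory is not where a user-installed tool normally lives.
    review = [d for d in riskware if d.path.lower().startswith("c:\\windows\\")]
    return {"malware": malware, "riskware": riskware, "review": review}


def summarize(text: str) -> Dict[str, int]:
    """Bucket counts for a quick read of a whole report."""
    return {name: len(items) for name, items in triage(parse_report(text)).items()}


if __name__ == "__main__":
    for name, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{name} ({len(items)}):")
        for d in items:
            print(f"  [{d.family}] {d.path}")
```

Run against the sample, the two game executables' `Trojan-Downloader` row lands in the malware bucket, the three `not-a-virus` rows in riskware, and only `C:\WINDOWS\system32\vimc.exe` is pushed to the review list; the mIRC and SmitfraudFix hits are tools the user (or a cleanup guide) put there and are not evidence of compromise on their own.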

sarip_dol 0 Newbie Poster

Crunchie,

Currently I'm using Firefox because my IE is having a problem. By the way:

1) How do I open Firefox in an IE tab?
2) I cannot access any of the icons in the control menu. Is this the result of the recent virus attack?

When I click Control Panel, this message appears:
"Error loading C:\PROGRA-1\MICROs-2\Office12\GrooveUtil.DLL
Access is denied"

Any comments? :S

sarip_dol 0 Newbie Poster

Below is the ComboFix log.


ComboFix 08-09-01.03 - user 2008-09-03 8:17:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1029 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\KLRDFG39\bin.clearspring.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\KLRDFG39\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\DEXSWDF4\bin.clearspring.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\DEXSWDF4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-08-30 15:26 . 2008-08-30 15:26 <DIR> d-------- C:\Program Files\ERUNT
2008-08-14 23:58 . 2008-08-15 00:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 23:58 . 2008-08-14 23:58 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-08-14 23:58 . 2008-08-14 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 23:58 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 23:58 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 23:00 . 2008-08-13 23:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 23:10 . 2008-08-11 23:10 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-05 12:32 . 2008-08-27 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-05 12:32 . 2008-08-05 12:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\

sarip_dol 0 Newbie Poster

Crunchie,

Can you help me on this, since there has been no reply from CP.

Appreciate your help.

Thanks

Sarip_Dol

sarip_dol 0 Newbie Poster

I would appreciate it if someone could help me rectify the problem. Currently I'm using Mozilla Firefox to access the internet. Attached is my latest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:23, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0.96\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} …

sarip_dol 0 Newbie Poster

Cyber Punk,

What is the next step after this? For your info, I still cannot open IE and System.

cheers,

sarip_dol

sarip_dol 0 Newbie Poster

Cyber Punk,

Sorry for the delay due to being outstation. Below is the report from the Kaspersky Online Scanner.

Cheers,

sarip_dol

Wednesday, August 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 27, 2008 08:34:51
Records in database: 1150656
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned: 82397
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:19:10

File name Threat name Threats count
C:\Documents and Settings\Guest\Desktop\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\Local Settings\Temp\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\91DGU0DM\mirc631[1].exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\My Documents\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
The selected area was scanned.

sarip_dol 0 Newbie Poster

Hi CP,

Thanks for the guide. I'm not able to download the Deckard software; please refer below.

Deckard's System Scanner interacts with a specific rootkit (tdssserv) in a way that may make your system unusable (altering the svchost netsvcs registry entry). This download link has been removed until a fix is released by Deckard. For your own protection, please do not attempt to download this tool from other sites.

08/17/2008

Your Geeks to Go admin team

sarip_dol 0 Newbie Poster

Cyber Punk & Crunchie,

Below is the full scan from Malwarebytes.

Please advise what the next step is.

Cheers, :?:

Sarip_Dol

Malwarebytes' Anti-Malware 1.24
Database version: 1052
Windows 5.1.2600 Service Pack 2

0:43:25 15/08/2008
mbam-log-8-15-2008 (00-43-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 118334
Time elapsed: 42 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{38bf827a-d7c5-46e1-a9a2-47b1b5bb5438} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\MY PROGRAMME\Multimedia KING\ALO Audio Center v1.5\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MY PROGRAMME\Multimedia KING\One Click CD Converter v1.2\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MY PROGRAMME\Multimedia KING\One Click CD DVD Writer v1.0\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MY …

sarip_dol 0 Newbie Poster

Cyber Punk,

Thank you for your help.

I have already done the download and scan and found some of the trojans.

But I still cannot open IE and the Control Panel.

Please help me.

sarip_dol 0 Newbie Poster

Hi there,

I'm still new to this site and I need someone from here to solve my laptop problem.

I cannot open IE and System/Control Panel after I saved the file from Windows Antivirus.

I don't know whether this software is a real one or just bait for them to 'slash' my laptop.

Now I'm using Mozilla Firefox to surf the net. I have already downloaded SUPERAntiSpyware Free Edition to remove the viruses/trojans. I hope someone from this site can help me restore my laptop to its previous state.

Yesterday I downloaded the Trend Micro HijackThis software and here is my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:32, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - …