Solved

Probs after getting rid of an infection

Posted on 2007-07-21
Last Modified: 2013-12-08
Hi all,

A couple of days back, my PC got infected after I plugged in my flash drive.
I'm not sure if it was a virus or some worm.
I restored my PC to an earlier date, using the built-in feature of WinXP, and also ran a virus scan (using AVG 7.5). I got rid of the virus/worm. However, two problems still persist:

1. All of my hard disk partitions don't open in the normal way; instead, when I double-click on any of these, the "Open With" dialogue box appears. When I try the right-click options, I see the "Open" and "Explore" options have been replaced by strange alphanumerics. However, the DVD drive and flash drive don't have this problem.

2. After some while of using the internet (I use Firefox), a website http://dilet.org opens automatically in IE, in full screen mode. I then have to open Task Manager to end-task it.

Can anyone tell what's happening here?
Thanks.
Question by:akifnaseer
 
LVL 30

Expert Comment

by:IanTh
ID: 19540284
I think you still have got an infection
 
LVL 32

Expert Comment

by:willcomp
ID: 19540316
You've still got at least one trojan. Give this a try:
http://www.superantispyware.com/
 
LVL 32

Expert Comment

by:r-k
ID: 19540730
Or post the HJT log:

Download and run HijackThis from http://www.hijackthis.de/
(use the "direct download" link in the upper-right corner)
Copy-and-paste the resulting log here.

Author Comment

by:akifnaseer
ID: 19541480
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:49 AM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Alcohol VCD\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\arpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\arpl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5ACA62B-9020-46EC-ADA3-35EEDAC95AFF}: NameServer = 211.94.65.97 202.125.148.204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol VCD\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 2079 bytes
 

Author Comment

by:akifnaseer
ID: 19541536
(After I opened my Yahoo Messenger and "tried" opening the Yahoo Games page in Firefox)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:48 AM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Alcohol VCD\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\arpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\arpl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5ACA62B-9020-46EC-ADA3-35EEDAC95AFF}: NameServer = 211.94.65.97 202.125.148.204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol VCD\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 2127 bytes
 
LVL 30

Expert Comment

by:Marc Z
ID: 19541628
Looks like you'll be wanting the smitfraudfix found here. Instructions on page.

http://www.geekstogo.com/forum/How-to-use-SmitFraudFix-t109268.html
 

Author Comment

by:akifnaseer
ID: 19541928
Done that too,
Still no improvements :(
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 19542457
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\arpl.exe
Fix the above entry, and rename "arpl.exe".

Then run this renamed HijackThis and show us the log --> http://danborg.org/spy/hjt/alternativ.exe
Some entries are missing in your HijackThis log; could be some nasties hiding from the scan.


Or: run combofix.exe
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
LVL 32

Expert Comment

by:willcomp
ID: 19542555
@ rpggamergirl --> please take a look at this question. Could use your expertise.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_22710342.html
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19542814
Thanks willcomp,
I've posted there. He has another thread with a Kaspersky log that's heavily infected; it would help to see a fresh Kaspersky log since that was 3 days ago (or a ComboFix log).
He needs to delete those jobs in Windows\tasks, probably with Avenger; ComboFix will most probably take care of them too.
 

Author Comment

by:akifnaseer
ID: 19544532
"Salman" - 2007-07-23  6:50:24 - ComboFix 07-07-14.6 - Service Pack 2  NTFS  


(((((((((((((((((((((((((   Files Created from 2007-06-23 to 2007-07-23  )))))))))))))))))))))))))))))))


2007-07-22 11:42      <DIR>      d--------      C:\WINDOWS\ERUNT
2007-07-22 11:21      53,248      --a------      C:\WINDOWS\system32\Process.exe
2007-07-22 11:21      51,200      --a------      C:\WINDOWS\system32\dumphive.exe
2007-07-22 11:21      288,417      --a------      C:\WINDOWS\system32\SrchSTS.exe
2007-07-22 11:15      1,472      --a------      C:\WINDOWS\system32\tmp.reg
2007-07-18 21:34      10,872      --a------      C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-11 20:40      233,472      --a------      C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-07-09 19:51      876,066      --a------      C:\WINDOWS\3DRENG.DLL
2007-07-09 19:51      71,680      --a------      C:\WINDOWS\3DR.DLL
2007-07-09 19:51      479,744      --a------      C:\WINDOWS\3DR332.DLL
2007-07-09 19:51      38,400      --a------      C:\WINDOWS\3DR32.DLL
2007-07-09 19:51      374,784      --a------      C:\WINDOWS\3DG32.DLL
2007-07-09 19:51      278,528      --a------      C:\WINDOWS\3DRRGB.DLL
2007-07-09 19:51      278,528      --a------      C:\WINDOWS\3DRBGR.DLL
2007-07-09 19:51      274,944      --a------      C:\WINDOWS\3DRARGB.DLL
2007-07-09 19:51      274,944      --a------      C:\WINDOWS\3DR565.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DRRGBA.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DRBGRA.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DRABGR.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DR664.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DR655.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DR555.DLL
2007-07-09 19:51      22,016      --a------      C:\WINDOWS\3DRSYS.DLL
2007-07-09 19:36      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cadsoft
2007-07-09 19:34      <DIR>      d--------      C:\Program Files\Common Files\Cadsoft
2007-07-09 19:27      995,136      --a------      C:\WINDOWS\system\MSAJT200.DLL
2007-07-09 19:27      935,632      --a------      C:\WINDOWS\system\VB40016.DLL
2007-07-09 19:27      86,848      --a------      C:\WINDOWS\system\VBDB16.DLL
2007-07-09 19:27      57,328      --a------      C:\WINDOWS\system\OLE2CONV.DLL
2007-07-09 19:27      543,584      --a------      C:\WINDOWS\system\DAO2516.DLL
2007-07-09 19:27      536,048      --a------      C:\WINDOWS\system\OC25.DLL
2007-07-09 19:27      51,712      --a------      C:\WINDOWS\system\OLE2PROX.DLL
2007-07-09 19:27      304,640      --a------      C:\WINDOWS\system\OLE2.DLL
2007-07-09 19:27      28,113      --a------      C:\WINDOWS\system\OLE2.REG
2007-07-09 19:27      26,768      --a------      C:\WINDOWS\system\CTL3D.DLL
2007-07-09 19:27      249,072      --a------      C:\WINDOWS\UNINST16.EXE
2007-07-09 19:27      2,920      --a------      C:\WINDOWS\system\VBAJET.DLL
2007-07-09 19:27      177,824      --a------      C:\WINDOWS\system\TYPELIB.DLL
2007-07-09 19:27      164,960      --a------      C:\WINDOWS\system\OLE2DISP.DLL
2007-07-09 19:27      157,696      --a------      C:\WINDOWS\system\STORAGE.DLL
2007-07-09 19:27      152,976      --a------      C:\WINDOWS\system\OLE2NLS.DLL
2007-07-09 19:27      15,936      --a------      C:\WINDOWS\system\MSJETINT.DLL
2007-07-09 19:27      12,976      --a------      C:\WINDOWS\system\SCP.DLL
2007-07-09 19:27      11,232      --a------      C:\WINDOWS\system\MSJETERR.DLL
2007-07-09 19:27      109,056      --a------      C:\WINDOWS\system\COMPOBJ.DLL
2007-07-08 22:23      <DIR>      d--------      C:\WINDOWS\Profiles
2007-07-08 22:22      <DIR>      d--------      C:\Program Files\viewsonic
2007-06-29 21:10      <DIR>      d--------      C:\Program Files\FarStone


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 06:32:52      --------      d--h--r      C:\DOCUME~1\Salman\APPLIC~1\yahoo!
2007-07-18 17:08:17      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\ultra
2007-07-09 14:36:38      --------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-06-22 09:05:58      2      ----a-w      C:\DOCUME~1\Salman\APPLIC~1\xxx.exe
2007-06-22 09:05:58      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\tiny
2007-06-16 19:11:58      51,200      ----a-w      C:\WINDOWS\nircmd.exe
2007-06-09 14:26:26      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\Real
2007-06-08 19:21:10      43,520      ----a-w      C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-08 19:20:41      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\Leadertech
2007-06-02 06:21:34      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\AdobeUM
2007-05-16 15:12:02      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15      144,896      ----a-w      C:\WINDOWS\system32\schannel.dll
2007-03-17 12:28:45      327,712      ----a-w      C:\DOCUME~1\Salman\APPLIC~1\errsafer.exe
2007-03-12 05:22:18      122,880      ----a-w      C:\DOCUME~1\Salman\APPLIC~1\prg.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-12 07:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-07-13 14:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 17:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 06:51:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23  6:51:36
C:\ComboFix-quarantined-files.txt ... 2007-07-23 06:51
C:\ComboFix2.txt ... 2007-07-22 14:11
C:\ComboFix3.txt ... 2007-07-22 12:40

      --- E O F ---
 

Author Comment

by:akifnaseer
ID: 19544533
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:51 AM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
E:\Alcohol VCD\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5ACA62B-9020-46EC-ADA3-35EEDAC95AFF}: NameServer = 211.94.65.97 202.125.148.204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol VCD\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 2144 bytes
 

Author Comment

by:akifnaseer
ID: 19544556
@rpggamergirl, I couldn't get your first advice: rename "arpl.exe" to "arpl.exe"?
 

Author Comment

by:akifnaseer
ID: 19544911
Fresh results of AVG scan:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:36:42 AM 7/23/2007

+ Scan result:



C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP55\A0034699.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP56\A0036870.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
:mozilla.37:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.38:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.59:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.60:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.40:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.41:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.42:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.43:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.44:C:\Documents and Settings\Salman\Application Data\Mozilla\Firefox\Profiles\agstfwi9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\Alcohol VCD\Alcohol 120\star_syn_client.dll -> Trojan.Agent.abd : Cleaned.
E:\Alcohol VCD\Alcohol 120\star_syn_client.dll.BAK -> Trojan.Agent.abd : Cleaned.


::Report end
 
LVL 30

Expert Comment

by:Marc Z
ID: 19545276
akifnaseer,

If you want this system clean, please follow rpggamergirl's instructions.

She wants you to use the alternative.exe to run the HijackThis log, not Trend Micro's. They are different and she can give you better results with the one she linked you to.

She also wanted you to rename "arpl.exe" to something other than "arpl.exe", like "oldarpl.txt", so that it won't be found on startup.

 
LVL 32

Expert Comment

by:r-k
ID: 19545306
Though it looks like you've managed to get rid of the offending program (arpl.exe) somewhere along the way.

Have your symptoms cleared up now?
 

Author Comment

by:akifnaseer
ID: 19545339
While trying to rename "arpl.exe", I deleted the following entry somehow.
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\arpl.exe
Now, that IE page (dilet.com) doesn't open.
However, the strange alphanumerics in the right-click of any of the hard disk partitions are still persisting, because of which I'm unable to access my partitions in the normal way.
I will download the alternative HJT and then post back.
 
LVL 30

Expert Comment

by:Marc Z
ID: 19545349
Don't worry, rpggamergirl will be able to help you out.
 
LVL 30

Expert Comment

by:Marc Z
ID: 19545360
For the right click issue, grab ShellExView here
http://www.nirsoft.net/utils/shexview.html 

with instructions on running it here. Go to Method 2 of Resolution for instructions.

http://windowsxp.mvps.org/slowrightclick.htm
 
LVL 32

Expert Comment

by:r-k
ID: 19545376
"Now, that IE page (dilet.com) doesn't open."

That's a good sign. Post the renamed HJT log just in case.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19545972
Sorry, wasn't here, but you are in their good hands. Thanks mtz1of4, :)
I meant to say rename "arpl.exe" to something else/some other name to disable it. Hijackthis disabled it from starting up but the file will still be active so renaming it or deleting it altogether is the idea.


You have remnants of the flash drive infection there; ComboFix didn't show any active files of the infection but the bad reg entries are still present. I think when you delete the reg entries the other problems will be solved.
You can either run this tool "Flash_Disinfector" or manually delete the bad reg entries.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Go Start > Run > type in
regedit

press Enter and navigate to this subkey:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2

The "mountpoints2" subkey has bad entries put there by the worm; you need to delete those values or just delete the whole subkey --> mountpoints2


Also delete these files:
C:\DOCUME~1\Salman\APPLIC~1\xxx.exe
C:\DOCUME~1\Salman\APPLIC~1\errsafer.exe

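A scripted form of the two manual steps in the comment above (checking the MountPoints2 shell-command entries and dealing with autorun.inf on every drive), written as an added example for this thread. It is not rpggamergirl's code and not part of Flash_Disinfector or ComboFix; the -Clean and -Immunize switch names are chosen for this script. It targets the exact sub-keys the ComboFix log shows (AutoRun\command, open\Command, explore\Command under each drive entry, all pointing at RavMon.exe) and the "bogus autorun.inf on every drive" trick the thread attributes to Flash_Disinfector, implemented here as a read-only, hidden, system folder, which matches the `drahs` attributes ComboFix later reports for C:\autorun.inf.

```powershell
<#
 Added example, not from the thread or from any tool named in it.
 Without switches it only reports. -Clean removes hijacked MountPoints2 verbs;
 -Immunize creates an autorun.inf *folder* on drives that have no autorun.inf.
 Run as the affected user: MountPoints2 is per-user (HKCU), so an admin
 account's view of it is not the infected user's view.
#>
param(
    [switch]$Clean,
    [switch]$Immunize
)

$Mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
# Explorer consults these sub-keys of each drive/volume entry on double-click,
# right-click > Open / Explore, and on AutoPlay. A worm that sets them gets
# run instead of the folder view, which is exactly the symptom in the question.
$VerbKeys = 'Shell\AutoRun\command', 'Shell\open\command', 'Shell\explore\command'

function Find-MountPointHijack {
    # Emits one object per verb whose (default) value names a command.
    if (-not (Test-Path $Mp2)) { return }
    foreach ($vol in Get-ChildItem -Path $Mp2) {
        foreach ($verb in $VerbKeys) {
            $key = Join-Path $vol.PSPath $verb
            if (-not (Test-Path $key)) { continue }
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            if ($cmd) {
                New-Object PSObject -Property @{
                    Volume = $vol.PSChildName; Verb = $verb; Command = $cmd
                }
            }
        }
    }
}

function Remove-MountPointHijack {
    foreach ($h in @(Find-MountPointHijack)) {
        Write-Host ("Removing {0} on volume {1}: {2}" -f $h.Verb, $h.Volume, $h.Command)
        # Deleting the whole Shell sub-key restores the default Open/Explore verbs;
        # MountPoints2 is a cache Windows rebuilds, so nothing legitimate is lost.
        $shell = Join-Path (Join-Path $Mp2 $h.Volume) 'Shell'
        Remove-Item -Path $shell -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Get-DriveAutorun {
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $d.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        if ($item.PSIsContainer) {
            Write-Host ("{0} autorun.inf is a folder (immunised)" -f $d.Root)
        } else {
            Write-Host ("{0} autorun.inf is a FILE; launch lines:" -f $d.Root)
            # open= / shellexecute= / shell\...\command= are the keys a worm uses
            # to get itself run when the drive is opened.
            Get-Content -LiteralPath $path -Force |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\)' } |
                ForEach-Object { Write-Host ("    " + $_) }
        }
    }
}

function Set-AutorunImmunization {
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $d.Root 'autorun.inf'
        if (Test-Path -LiteralPath $path) { continue }   # reported above; never overwrite
        try {
            $dir = New-Item -Path $path -ItemType Directory -ErrorAction Stop
            # A folder cannot be replaced by a worm's autorun.inf file of the same
            # name; the attributes match the 'drahs' flags in the ComboFix log.
            $dir.Attributes = 'Directory, ReadOnly, Hidden, System'
            Write-Host ("Immunised {0}" -f $d.Root)
        } catch {
            Write-Warning ("Could not immunise {0}: {1}" -f $d.Root, $_)
        }
    }
}

$hits = @(Find-MountPointHijack)
if ($hits.Count -eq 0) {
    Write-Host 'No MountPoints2 shell-command hijacks found.'
} else {
    $hits | Format-Table Volume, Verb, Command -AutoSize | Out-String | Write-Host
}
if ($Clean)    { Remove-MountPointHijack }
Get-DriveAutorun
if ($Immunize) { Set-AutorunImmunization }
```

Run it once with no switches to see what it would touch, then with `-Clean -Immunize`. Removing the registry verbs fixes the "Open With" / garbled right-click symptom but does not delete the RavMon.exe copies the commands point at; the log never shows where those live, so scan each drive root for the executable the command names before declaring the machine clean. The immunisation folder only blocks the file-name collision; it does nothing against AutoPlay if Windows is later told to trust a different autorun.inf, so leave AutoPlay disabled as well.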
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 19547629
Turn system restore off, and rescan your pc: http://www.xinn.org/annoyance_spy-ware.html#Sys-Restore
-rich
 

Author Comment

by:akifnaseer
ID: 19552934
Following are the "Dr.Web" scan results. It seemed as if it got stalled, so I closed it and ran it again for the F:, G: and H: drives. All of these had an "AutoRun.inf" in the root directory. All were deleted. I then rebooted the system, and now everything seems fine. I have already deleted the files:
C:\DOCUME~1\Salman\APPLIC~1\xxx.exe
C:\DOCUME~1\Salman\APPLIC~1\errsafer.exe

===========================================================================
AutoRun.inf;C:\;Win32.HLLW.Cent;Deleted.;
Process.exe;C:\Documents and Settings\Salman\Desktop\SDFix\SDFix\apps;Tool.Prockill;Incurable.Deleted.;
Process.exe;C:\Documents and Settings\Salman\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Documents and Settings\Salman\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;
A0018608.exe;C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP34;Probably BACKDOOR.Trojan;Incurable.Deleted.;
A0036700.exe;C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP56;Probably DLOADER.Trojan;Incurable.Deleted.;
A0036704.exe;C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP56;Tool.Prockill;Incurable.Deleted.;
A0038299.inf;C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP57;Win32.HLLW.Cent;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
AutoRun.inf;E:\;Win32.HLLW.Cent;Deleted.;

===========================================================================


Do I need anything else to make sure the infection is gone?
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19553127
>>All of these had an "AutoRun.inf" in the root directory. All were deleted<<
Those might not be the bad ones; ComboFix didn't report any autorun.inf.
Doesn't matter if things are now okay.
Any variant of the flash drive infection always creates an autorun.inf (bad autorun.inf) in every drive.

Did you run the Flash_Disinfector? It also creates a bogus autorun.inf in every drive to stop the spread of infection. The autorun.inf that it creates is harmless and its purpose is to stop the spread to other computers.
Some scanners can also mistake the autorun.inf and process.exe from other tools for bad files.

Are those bad reg entries gone?
 

Author Comment

by:akifnaseer
ID: 19554822
I don't know any "flash_disinfector". Will you tell me a little more about it?

Following are the results of MicroWorld AntiVirus (MWAV) which i just ran:

Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Documents and Settings\Salman\Start Menu\Programs\Startup\Launcher.exe". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP57\A0038251.exe tagged as "not-a-virus:Downloader.Win32.WinFixer.v". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP57\A0038304.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP57\A0038305.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP57\A0038396.exe//data.rar/SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP58\A0040593.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C4EB59D9-1EF6-4B5A-82A8-B26EBDE9B013}\RP58\A0040597.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
File E:\Remote PC Access Server\rpcsvr.exe tagged as "not-a-virus:RemoteAdmin.Win32.RemotePC.22". No Action Taken.
File H:\Virtual CDs\NFS MW.mdf//Alcohol 120% v1.9.5.3105/Crack/ist1.exe;1//UPX infected by "Trojan-Downloader.Win32.IstBar.is" Virus! Action Taken: No Action Taken.


As I haven't purchased it, it just showed the infections; it did not cure them. So what do I do now?
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1000 total points
ID: 19555421
>>I don't know any "flash_disinfector". Will you tell me a little more about it?<<

The Flash_Disinfector that I mentioned in my post --> {http:#19545972}

The files that MicroWorld AntiVirus found are mostly located in System Restore, which can be easily removed by turning off System Restore and rebooting. There are also false positives there. Those bad files in System Restore are not the ones causing the problems because they are not active; they will only be a threat IF and when you actually use those restore points. Any viruses in the System Restore points are harmless until you roll back and use those infected restore points.

Turning off System Restore:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
6. Reboot, (this will delete all your restore points) and then turn it back on again and immediately create a new restore point.

You didn't answer my question before, have you deleted those registry entries yet? Please, run Flash_Disinfector.exe so those reg entries will be deleted.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe



Not sure if you had used it yet or someone had suggested it, SUPERAntispyware is also a very good scanner to remove leftovers.
SUPERAntispyware:
http://www.superantispyware.com/


 

Author Comment

by:akifnaseer
ID: 19561603
system restore turned OFF

When I run the "Flash Disinfector", it asks to plug in a flash drive. I did. After a while it says "Done".
Isn't it supposed to tell the user something?

I'm running the MWAV thorough scan once again; following are the findings so far:

Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Documents and Settings\Salman\Start Menu\Programs\Startup\Launcher.exe". Action Taken: No Action Taken.


I'll post back the complete results once it completes the scan.
 

Author Comment

by:akifnaseer
ID: 19562471
@rpggamergirl, yes I have deleted those registry entries.
Now the only bad entries I have are listed in my above post.
Following are the results of ComboFix.

"Salman" - 2007-07-25  8:32:44 - ComboFix 07-07-23.6 - Service Pack 2  NTFS  
Command switches used ::  C:\Documents and Settings\Salman\Desktop\CFScript.txt


(((((((((((((((((((((((((   Files Created from 2007-06-25 to 2007-07-25  )))))))))))))))))))))))))))))))


2007-07-25 04:52      26,112      --a------      C:\WINDOWS\system32\nircmd.exe
2007-07-25 04:52      <DIR>      drahs----      C:\autorun.inf
2007-07-24 07:07      <DIR>      d-a------      C:\WINDOWS\zts2.exe
2007-07-24 07:07      <DIR>      d-a------      C:\WINDOWS\system32\vcmgcd32.dll
2007-07-24 07:07      <DIR>      d-a------      C:\WINDOWS\system32\iifgfgf.dll
2007-07-24 07:07      <DIR>      d-a------      C:\WINDOWS\rundll16.exe
2007-07-24 07:07      <DIR>      d-a------      C:\WINDOWS\rundl132.dll
2007-07-24 07:07      <DIR>      d-a------      C:\WINDOWS\logo1_.exe
2007-07-24 07:06      146,432      --a------      C:\WINDOWS\R.COM
2007-07-24 07:06      135,680      --a------      C:\WINDOWS\system32\T.COM
2007-07-23 11:13      <DIR>      d--------      C:\DOCUME~1\Salman\DoctorWeb
2007-07-22 11:42      <DIR>      d--------      C:\WINDOWS\ERUNT
2007-07-22 11:21      51,200      --a------      C:\WINDOWS\system32\dumphive.exe
2007-07-22 11:21      288,417      --a------      C:\WINDOWS\system32\SrchSTS.exe
2007-07-22 11:15      1,472      --a------      C:\WINDOWS\system32\tmp.reg
2007-07-18 21:34      10,872      --a------      C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-11 20:40      233,472      --a------      C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-07-09 19:51      876,066      --a------      C:\WINDOWS\3DRENG.DLL
2007-07-09 19:51      71,680      --a------      C:\WINDOWS\3DR.DLL
2007-07-09 19:51      479,744      --a------      C:\WINDOWS\3DR332.DLL
2007-07-09 19:51      38,400      --a------      C:\WINDOWS\3DR32.DLL
2007-07-09 19:51      374,784      --a------      C:\WINDOWS\3DG32.DLL
2007-07-09 19:51      278,528      --a------      C:\WINDOWS\3DRRGB.DLL
2007-07-09 19:51      278,528      --a------      C:\WINDOWS\3DRBGR.DLL
2007-07-09 19:51      274,944      --a------      C:\WINDOWS\3DRARGB.DLL
2007-07-09 19:51      274,944      --a------      C:\WINDOWS\3DR565.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DRRGBA.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DRBGRA.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DRABGR.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DR664.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DR655.DLL
2007-07-09 19:51      274,432      --a------      C:\WINDOWS\3DR555.DLL
2007-07-09 19:51      22,016      --a------      C:\WINDOWS\3DRSYS.DLL
2007-07-09 19:36      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cadsoft
2007-07-09 19:34      <DIR>      d--------      C:\Program Files\Common Files\Cadsoft
2007-07-09 19:27      995,136      --a------      C:\WINDOWS\system\MSAJT200.DLL
2007-07-09 19:27      935,632      --a------      C:\WINDOWS\system\VB40016.DLL
2007-07-09 19:27      86,848      --a------      C:\WINDOWS\system\VBDB16.DLL
2007-07-09 19:27      57,328      --a------      C:\WINDOWS\system\OLE2CONV.DLL
2007-07-09 19:27      543,584      --a------      C:\WINDOWS\system\DAO2516.DLL
2007-07-09 19:27      536,048      --a------      C:\WINDOWS\system\OC25.DLL
2007-07-09 19:27      51,712      --a------      C:\WINDOWS\system\OLE2PROX.DLL
2007-07-09 19:27      304,640      --a------      C:\WINDOWS\system\OLE2.DLL
2007-07-09 19:27      28,113      --a------      C:\WINDOWS\system\OLE2.REG
2007-07-09 19:27      26,768      --a------      C:\WINDOWS\system\CTL3D.DLL
2007-07-09 19:27      249,072      --a------      C:\WINDOWS\UNINST16.EXE
2007-07-09 19:27      2,920      --a------      C:\WINDOWS\system\VBAJET.DLL
2007-07-09 19:27      177,824      --a------      C:\WINDOWS\system\TYPELIB.DLL
2007-07-09 19:27      164,960      --a------      C:\WINDOWS\system\OLE2DISP.DLL
2007-07-09 19:27      157,696      --a------      C:\WINDOWS\system\STORAGE.DLL
2007-07-09 19:27      152,976      --a------      C:\WINDOWS\system\OLE2NLS.DLL
2007-07-09 19:27      15,936      --a------      C:\WINDOWS\system\MSJETINT.DLL
2007-07-09 19:27      12,976      --a------      C:\WINDOWS\system\SCP.DLL
2007-07-09 19:27      11,232      --a------      C:\WINDOWS\system\MSJETERR.DLL
2007-07-09 19:27      109,056      --a------      C:\WINDOWS\system\COMPOBJ.DLL
2007-07-08 22:23      <DIR>      d--------      C:\WINDOWS\Profiles
2007-07-08 22:22      <DIR>      d--------      C:\Program Files\viewsonic
2007-06-29 21:10      <DIR>      d--------      C:\Program Files\FarStone


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 08:21:29      --------      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 17:08:17      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\ultra
2007-07-09 14:36:38      --------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-06-22 09:05:58      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\tiny
2007-06-16 19:11:58      51,200      ----a-w      C:\WINDOWS\nircmd.exe
2007-06-09 14:26:26      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\Real
2007-06-08 19:20:41      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\Leadertech
2007-06-02 06:21:34      --------      d-----w      C:\DOCUME~1\Salman\APPLIC~1\AdobeUM
2007-05-16 15:12:02      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15      144,896      ----a-w      C:\WINDOWS\system32\schannel.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-12 07:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-07-13 14:10]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 08:33:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25  8:34:08
C:\ComboFix-quarantined-files.txt ... 2007-07-25 08:33
C:\ComboFix2.txt ... 2007-07-25 08:28
C:\ComboFix3.txt ... 2007-07-25 08:26

      --- E O F ---
0
 

Author Comment

by:akifnaseer
ID: 19572085
The following appear suspicious to me:
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.

What should I do about them now?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 19572448
>>The following appear suspicious to me: "trojan-downloader.bat.ftp.ab Trojan-Downloader"<<
Do you have any filenames and locations for the above?


2007-07-24 07:07  <-- you have a new infection on this date, which wasn't present in your first ComboFix log. You can delete these files manually or Killbox them.
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe

Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.


C:\autorun.inf <-- can you please open this file with notepad and post the content, we want to make sure that this isn't the bad autorun.inf


You don't seem to have a resident antivirus; do you have a firewall? It is important to have a resident antivirus with real-time protection and a firewall as well.

Avast is free and it's good:
http://www.avast.com/eng/download-avast-home.html

Zone Alarm free Firewall is good:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?dc=12bms&ctry=US&lang=en


After you've installed those, please run SDFix and see if it finds any nasties.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
0
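The reply above picks out the 2007-07-24 07:07 batch by eye: six executables created in the same minute directly under C:\WINDOWS and system32, two of them with names one or two characters away from rundll32. The script below is an added example for this thread (not part of ComboFix or of the original post) that automates those two signals over a "Files Created" listing. SAMPLE_LOG is a subset of the log posted above; the cluster threshold of four, the list of legitimate binary names used for the look-alike comparison, and the edit-distance limit are assumptions.

```python
"""Triage a ComboFix "Files Created" listing: same-minute drops into the Windows
directories, and file names that imitate well-known system binaries.

Added example, not ComboFix code. Thresholds and KNOWN_STEMS are assumptions.
"""
import re
from collections import defaultdict

# Subset of the "Files Created" section from the log posted in this thread.
SAMPLE_LOG = """\
2007-07-25 04:52      26,112      --a------      C:\\WINDOWS\\system32\\nircmd.exe
2007-07-24 07:07      <DIR>      d-a------      C:\\WINDOWS\\zts2.exe
2007-07-24 07:07      <DIR>      d-a------      C:\\WINDOWS\\system32\\vcmgcd32.dll
2007-07-24 07:07      <DIR>      d-a------      C:\\WINDOWS\\system32\\iifgfgf.dll
2007-07-24 07:07      <DIR>      d-a------      C:\\WINDOWS\\rundll16.exe
2007-07-24 07:07      <DIR>      d-a------      C:\\WINDOWS\\rundl132.dll
2007-07-24 07:07      <DIR>      d-a------      C:\\WINDOWS\\logo1_.exe
2007-07-24 07:06      146,432      --a------      C:\\WINDOWS\\R.COM
2007-07-24 07:06      135,680      --a------      C:\\WINDOWS\\system32\\T.COM
2007-07-22 11:21      51,200      --a------      C:\\WINDOWS\\system32\\dumphive.exe
2007-07-09 19:51      876,066      --a------      C:\\WINDOWS\\3DRENG.DLL
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
EXEC_EXT = {"exe", "dll", "com", "sys", "scr"}
# Assumed list of binary stems that droppers commonly imitate (e.g. rundl132 with a digit one).
KNOWN_STEMS = ["rundll32", "regedit", "svchost", "explorer", "lsass", "services", "winlogon", "userinit"]


def parse_entries(log_text):
    """Turn 'timestamp size attrs path' lines into dicts; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            entries.append({"ts": ts, "size": size, "attrs": attrs, "path": path})
    return entries


def split_name(path):
    """Lower-cased (stem, extension) of the file name in a Windows path."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return (stem, ext) if stem else (name, "")


def in_system_dir(path):
    """True for files placed directly in C:\\WINDOWS or C:\\WINDOWS\\system32 (no deeper)."""
    p = path.lower()
    for root in ("c:\\windows\\", "c:\\windows\\system32\\"):
        if p.startswith(root) and "\\" not in p[len(root):]:
            return True
    return False


def edit_distance(a, b):
    """Levenshtein distance, used to spot names within a couple of edits of a real binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path, max_distance=2, min_len=6):
    """Return the known stem this file name imitates, or None (short stems are skipped)."""
    stem, _ = split_name(path)
    if len(stem) < min_len:
        return None
    for known in KNOWN_STEMS:
        if stem != known and edit_distance(stem, known) <= max_distance:
            return known
    return None


def triage(log_text, min_cluster=4):
    """Group entries by minute; report large executable drops into the system dirs and look-alikes."""
    entries = parse_entries(log_text)
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["ts"]].append(e)
    clusters, lookalikes = [], []
    for ts in sorted(by_minute, reverse=True):
        dropped = [e["path"] for e in by_minute[ts]
                   if in_system_dir(e["path"]) and split_name(e["path"])[1] in EXEC_EXT]
        if len(dropped) >= min_cluster:
            clusters.append((ts, dropped))
    for e in entries:
        hit = lookalike(e["path"])
        if hit:
            lookalikes.append((e["path"], hit))
    return {"clusters": clusters, "lookalikes": lookalikes}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ts, paths in report["clusters"]:
        print(f"{ts}: {len(paths)} executables dropped into the Windows directories in one minute")
        for p in paths:
            print("   ", p)
    for path, known in report["lookalikes"]:
        print(f"look-alike name: {path} resembles {known}")
```

The timestamp signal on its own is noisy: a legitimate installer also writes a batch of DLLs in one minute (the 3DR*.DLL files at 2007-07-09 19:51 in the full log would cluster the same way), so it has to be read together with what the user installed at that time. The look-alike check is the stronger indicator here: rundl132.dll (digit one for the letter l) and rundll16.exe both land within two edits of rundll32, which is exactly the kind of name a person skims past in a long listing.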
 

Author Comment

by:akifnaseer
ID: 19580380
>> >>The following appear suspicious to me: "trojan-downloader.bat.ftp.ab Trojan-Downloader"<<
Do you have any filenames and locations for the above? <<

No. I tried to locate these, but "Windows Search" yields nothing of the sort. But when I run MWAV, it picks them up without reporting the location.

The files you mentioned have been deleted.

I downloaded the free AVG Antivirus yesterday and have now installed it. The Zone Alarm download is in progress and I'll install it as well in a short while. Do I need to have both AVG Anti-Spyware and AVG Antivirus installed at the same time?

I ran the MWAV scan a short while ago and here are the results:

Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Documents and Settings\Salman\Start Menu\Programs\Startup\Launcher.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Salman\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xxx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ShockwaveFlash". Action Taken: No Action Taken.

The new entries seem to be links to some stuff I deleted recently. Do I need to get the registry cleaned?

I'll come back with the SDFix results next time.



 
0
 

Author Comment

by:akifnaseer
ID: 19580432

SDFix: Version 1.93

Run by Salman on Fri 07/27/2007 at 10:36 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Salman\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\regedit.com  - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Messenger"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Salman\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:


                                 Finished
0
 

Author Comment

by:akifnaseer
ID: 19580466
>> C:\autorun.inf <-- can you please open this file with notepad and post the content, we want to make sure that this isn't the bad autorun.inf <<

There isn't any such file.
However, there is a folder with this name, and in that folder there is a notepad file, "Who created this folder.TXT". In this file, this is what is written: "This folder was created by Flash_Disinfector"
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19581069
>>However, there is a folder with this name; and in that folder, there is a notepad file: "Who created this folder.TXT". In this file, this is what is written : "This folder was created by Flash_Disinfector"<<

Sorry, it's a folder. That autorun folder is harmless, that's the bogus autorun.inf that Flash_Disinfector created to stop the spread of the worm.

W32/Rjump.worm lists all mapped and removable storage drives on an infected system and drops autorun.inf onto the root of the available drive:

autorun.inf --> is then used to autorun the worm when the drive is accessed
The contents of the autorun.inf that the Win32.R/Jump worm creates are below:
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto

Infection occurs when a removable storage device or a mapped drive hosting a copy of W32/Rjump.worm is accessed and the user agrees to the auto run prompt for execution of the worm.

So don't worry about that autorun.inf that Flash_Disinfector created; it's good for it to stay there.

The "trojan-downloader.bat.ftp.ab" that MWAV is reporting might just be false positive,the rest are just registry entries. You can clean your registry or just manually delete those reg entries yourself.

AVG Antispyware is mainly for malware/spyware and you can't really rely on that as a replacement for a resident antivirus.
0
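The reply above quotes the autorun.inf the worm drops and explains why Flash_Disinfector leaves a folder of the same name at each drive root. The script below is an added example for this thread (not Flash_Disinfector's code and not from the original post) that does both checks: it parses an autorun.inf, reports which directives would launch a program and which executable they point at, and classifies what sits at <root>\autorun.inf (placeholder folder, real file, or nothing). SUSPICIOUS is the content quoted in the reply; BENIGN, the throwaway directories and the wording of the reasons are constructed for illustration.

```python
"""Inspect an autorun.inf for execution directives and check the
folder-placeholder defence Flash_Disinfector relies on.

Added example; not Flash_Disinfector code. BENIGN is a constructed sample.
"""
import os
import re
import tempfile

# The autorun.inf content quoted in the thread for W32/Rjump.worm.
SUSPICIOUS = """[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\Auto\\command=RavMonE.exe e
shell=Auto
"""

# Constructed: an autorun.inf that only sets a drive icon and label, launches nothing.
BENIGN = """; product disc
[autorun]
icon=setup.exe,0
label=Product CD
"""


def parse_autorun(text):
    """Minimal INI parser: section and key names are case-insensitive, ';' starts a comment."""
    sections, current = {}, "(none)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def first_token(value):
    """The program name in 'RavMonE.exe e' is the first whitespace-separated token."""
    parts = value.split()
    return parts[0].lower() if parts else ""


def assess_autorun(text):
    """Return a verdict, the directives that would run code, and the executables they name."""
    keys = parse_autorun(text).get("autorun", {})
    reasons, executables, verbs = [], set(), {}
    if "open" in keys:
        reasons.append("open= runs a program when the AutoPlay prompt is accepted")
        executables.add(first_token(keys["open"]))
    if "shellexecute" in keys:
        reasons.append("shellexecute= runs a program via ShellExecute on insertion")
        executables.add(first_token(keys["shellexecute"]))
    for key, value in keys.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)  # shell\<verb>\command
        if m:
            verbs[m.group(1)] = value
            reasons.append(f"custom context-menu verb '{m.group(1)}' runs {first_token(value)}")
            executables.add(first_token(value))
    default_verb = keys.get("shell", "").lower()
    if default_verb and default_verb in verbs:
        reasons.append(f"shell={default_verb} makes that verb the default double-click action for the drive")
    verdict = "suspicious" if executables else "benign"
    return {"verdict": verdict, "reasons": reasons, "executables": executables}


def check_root(drive_root):
    """Classify <root>\\autorun.inf: a placeholder folder, a real file, or absent."""
    target = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(target):
        return "folder_placeholder"
    if os.path.isfile(target):
        return "file"
    return "absent"


def demo_root_check():
    """Build three throwaway 'drive roots' and classify each; returns the three verdicts."""
    verdicts = []
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "autorun.inf"))      # what Flash_Disinfector leaves behind
        verdicts.append(check_root(root))
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SUSPICIOUS)                           # what the worm would drop
        verdicts.append(check_root(root))
    with tempfile.TemporaryDirectory() as root:
        verdicts.append(check_root(root))                  # clean drive
    return tuple(verdicts)


if __name__ == "__main__":
    for label, sample in (("worm", SUSPICIOUS), ("benign", BENIGN)):
        result = assess_autorun(sample)
        print(f"{label}: {result['verdict']}, launches {sorted(result['executables'])}")
        for reason in result["reasons"]:
            print("   ", reason)
    print("root checks:", demo_root_check())
```

Two things worth keeping in mind when using this. A directory named autorun.inf only stops the worm from creating a file of that name; malware running with the user's rights can still remove the folder, so the placeholder is a speed bump, not a substitute for a resident antivirus. And open= by itself is normal on a pressed CD, so the "suspicious" verdict should be read for removable drives and mapped shares, the media W32/Rjump.worm spreads on.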
 

Author Comment

by:akifnaseer
ID: 19634305
Hi again,
These files keep on appearing from time to time after I delete them.

C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe

Besides, the Dr. Web "CureIt" scan often tells me that there is a "probably a backdoor trojan" file named "ScanningProcess.exe" in the "Documents and Settings\Salman\Temp" folder. I delete this file using the same Dr. Web, but after a day or two it appears again.

Do I need to do something about it?
0
 

Author Comment

by:akifnaseer
ID: 19634308
P.S.: Let me mention that I now have the firewall (Zone Alarm) and antivirus (AVG free edition) always running on my PC.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19634343
>>>Hi again,
These files keep on appearing from time to time, after i delete them.>>>

It is most probably finding the ones already deleted by Killbox; Killbox keeps a backup of all files it deleted. If so, just delete Killbox's backup folder. It is usual for scanners to detect viruses that are in quarantine, System Restore, or in some tool's backup folder like Killbox's.
In my post here --> {http:#19572448}
I asked you to use Killbox to delete those same files.

Good to know that you now have Zone alarm and AVG.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19634364
"ScanningProcess.exe" is the file that used by Zone Alarm or other antivirus when they checks/scan the system.
Could just be Dr.WebCureIt false positive report.
0
