Karl's PC Help Forums

HJT Logs and KAV Report... Advice please.
Daz - 6-1-2008 at 16:18

I've cleaned a few bits up with SuperAntiSpyware and HJT, but could you check there is nothing still lurking please Pancake...

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:18, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176722334031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5248 bytes
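As an added example, not code from the thread or from HijackThis itself, here is a small Python parser for the "Oxx - ..." line format of the log above. It pulls out the two things a helper typically checks first: O23 services whose binary HJT could not attribute to a publisher ("Unknown owner"), and the hosts the O16 ActiveX controls were downloaded from. The sample lines are copied from the posted log with the stripped backslashes restored.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample in the HijackThis v2 format of the log above
# (backslashes restored; the forum paste strips them).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# Each finding is "<section> - <body>"; the section is R0, R1, O2, O4, O23 and so on.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def unknown_owner_services(entries: List[Tuple[str, str]]) -> List[str]:
    """Paths of O23 services whose binary has no publisher in its version info.
    HJT prints 'Unknown owner' for those; it is the shortlist to look up by hand,
    not proof of infection."""
    found = []
    for section, body in entries:
        if section != "O23":
            continue
        # Body layout: "Service: <display name> - <owner> - <path>";
        # rsplit keeps a " - " inside the display name intact.
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            found.append(parts[2])
    return found

def dpf_download_hosts(entries: List[Tuple[str, str]]) -> List[str]:
    """Hosts that O16 (Downloaded Program Files) ActiveX controls came from.
    The online scanners used in this thread leave these behind legitimately;
    a host you do not recognise here is the one to check."""
    hosts = []
    for section, body in entries:
        if section == "O16":
            hosts.append(urlparse(body.rsplit(" - ", 1)[-1]).hostname)
    return hosts
```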


Daz - 6-1-2008 at 16:19

And the KAV Online Report...

Hmmm.... Doesn't seem to display properly, and I can't open it properly either now....

Odd...!


Pancake - 6-1-2008 at 23:33

You have a Trojan downloader infection in these, so I think it's best to remove them.


Please download OTMoveIt by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Julie\Shared\1 Track 1 (hardcore).wma
C:\Documents and Settings\Julie\Shared\3 Track 3.wma
C:\Documents and Settings\Julie\Shared\6 Track 6.wma
C:\Documents and Settings\Julie\Shared\7 Track 7.wma
C:\Documents and Settings\Julie\Shared\Eighties classic.wma
C:\Documents and Settings\Julie\Shared\Rare Recording (hardcore).wma
C:\Documents and Settings\Julie\Shared\Top of Charts - 2004 (hardcore).wma
C:\Documents and Settings\Julie\Shared\Top of Charts - 2005.wma
C:\Documents and Settings\Julie\Shared\Wicked Remix (hardcore).wma
D:\My Documents\Becky\Morpheus Shared\Downloads\Rare Recording (hardcore).wma
D:\My Documents\Becky\Morpheus Shared\Downloads\Top of Charts - 2005 (hardcore).wma




Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Daz - 7-1-2008 at 01:13

Thanks PK, as I thought... I'd already shifted those files with OTMoveIt after posting the logs... I'd just not deleted them yet, in case I'd missed something...

One thing that concerned me is that Trend Online gave the all clear (hence trying with KAV), and I scanned the files manually with her NOD, and it didn't flag them up either...? Bit worrying that, no?

I've checked the settings in NOD and everything is cranked up to secure it, which makes it even more surprising how she got infected in the first place....?

It's currently running a Symantec online scan, but I've not checked it lately because it's too wet and cold here! (The PC is in a shed/workshop in the garden!)

Thanks again.


Pancake - 7-1-2008 at 01:30

Quote:

One thing that concerned me is that Trend Online gave the all clear (hence trying with KAV), and I scanned the files manually with her NOD, and it didn't flag them up either...? Bit worrying that, no?


None of them are 100% effective.


As for where the infection came from, I take it they were downloaded from Morpheus. With those types of site you take your chance.


Daz - 7-1-2008 at 01:40

Quote:
Originally posted by Pancake
None of them are 100% effective.

As for where the infection came from, I take it they were downloaded from Morpheus. With those types of site you take your chance.


Yes, I'd told her previously about her son's activity with Limewire and Morpheus, and the risks that it involved. I sorted out a big mess for her after she got caught about 8 months ago, but it seems my advice went unheeded... :(

Thanks again anyway, very grateful.

I appreciate none of them are 100% effective at id'ing nasties, I was just rather surprised that NOD32 didn't pick these up, given how well it's respected in the section, and then the Trend Online scan failed as well.... It was unexpected more than anything....

Ta again.