
Solved unique win xp repair problem

Discussion in 'Malware and Virus Removal Archive' started by rthompson, 2010/01/21.

  1. 2010/01/22
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    I'm approved, posted the kap. log file, and waiting further instructions. I will recommend both bbs, as well as your site, to all my friends and relatives. I really learned a lot. Great job guys, keep up the good work.
     
  2. 2010/01/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Thank you for registering at my site, but we started here, so we have to continue here.
    I'm pasting your post at my site right here...

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, January 22, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, January 22, 2010 05:56:53
    Records in database: 3356809
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 89356
    Threats found: 5
    Infected objects found: 7
    Suspicious objects found: 0
    Scan duration: 03:24:19


    File name / Threat / Threats count
    C:\Documents and Settings\Lorelei\My Documents\Downloads\ca_setup(2).exe Infected: not-a-virus:pSWTool.Win32.Cain.284 1
    C:\Documents and Settings\Lorelei\My Documents\Downloads\ca_setup.exe Infected: not-a-virus:pSWTool.Win32.Cain.284 1
    C:\Documents and Settings\Richard\My Documents\Downloads\jZipV1c.exe Infected: not-a-virus:AdWare.Win32.Shopper.ax 1
    C:\Documents and Settings\Richard\My Documents\Downloads\setupEtir.exe Infected: not-a-virus:AdWare.Win32.UBar.x 1
    C:\Documents and Settings\Richard\My Documents\Downloads\X-Script S4 Full.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
    D:\my software\rar\CryptLoad_1.1.5.rar Infected: not-a-virus:RemoteAdmin.Win32.NetCat.a 1
    D:\my software\rar\Top.10.Vital.Hacking.Software.and.Tools.rar Infected: not-a-virus:pSWTool.Win32.Cain.284 1

    Selected area has been scanned.
     


  4. 2010/01/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Lorelei\My Documents\Downloads\ca_setup(2).exe 
    C:\Documents and Settings\Lorelei\My Documents\Downloads\ca_setup.exe 
    C:\Documents and Settings\Richard\My Documents\Downloads\jZipV1c.exe 
    C:\Documents and Settings\Richard\My Documents\Downloads\setupEtir.exe 
    C:\Documents and Settings\Richard\My Documents\Downloads\X-Script S4 Full.exe 
    D:\my software\rar\CryptLoad_1.1.5.rar 
    D:\my software\rar\Top.10.Vital.Hacking.Software.and.Tools.rar
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
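The post above turns the Kaspersky report from post #2 into an OTM :Files list. As an added example that is not part of the thread or of OTM or Kaspersky itself, this helper does the same step offline: it parses "Infected:" lines out of a (constructed, trimmed) copy of that report format, flags which detections are "not-a-virus:" riskware rather than true malware, and emits an OTM script in the layout broni used. The report text and function names are assumptions for illustration.

```python
import re

# Constructed sample in the Kaspersky Online Scanner 7.0 report layout
# seen in the thread: "<path> Infected: <threat name> <count>".
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Documents and Settings\\Lorelei\\My Documents\\Downloads\\ca_setup.exe Infected: not-a-virus:pSWTool.Win32.Cain.284 1
D:\\my software\\rar\\CryptLoad_1.1.5.rar Infected: not-a-virus:RemoteAdmin.Win32.NetCat.a 1
C:\\Documents and Settings\\Richard\\My Documents\\Downloads\\X-Script S4 Full.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

Selected area has been scanned.
"""

# Lazy match on the path so paths containing spaces still parse; the
# literal " Infected: " separator never appears inside a Windows path.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return a list of (path, threat_name) pairs for every detection line."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("threat")))
    return found


def is_riskware(threat_name):
    """Kaspersky prefixes riskware/PUA (hacking tools, adware, remote-admin
    utilities) with 'not-a-virus:'; anything else is a real malware verdict.
    This matters for the later advice about changing passwords: only a
    Trojan-class detection implies credentials may have been stolen."""
    return threat_name.startswith("not-a-virus:")


def triage(detections):
    """Split detections into (riskware_paths, malware_paths)."""
    riskware = [p for p, t in detections if is_riskware(t)]
    malware = [p for p, t in detections if not is_riskware(t)]
    return riskware, malware


def build_otm_script(detections, reset_hosts=True, empty_temp=True, reboot=True):
    """Emit an OTM 'Paste Instructions' script: empty :Processes/:Services/:Reg
    sections, one :Files entry per detected path, then the :Commands used in
    the thread ([purity] always; the rest switchable)."""
    lines = [":Processes", "", ":Services", "", ":Reg", "", ":Files"]
    lines += [path for path, _ in detections]
    lines += ["", ":Commands", "[purity]"]
    if reset_hosts:
        lines.append("[resethosts]")
    if empty_temp:
        lines.append("[emptytemp]")
    if reboot:
        lines.append("[Reboot]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    risk, mal = triage(hits)
    print(f"{len(risk)} riskware, {len(mal)} malware detections")
    print(build_otm_script(hits))
```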
  5. 2010/01/22
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Again I apologize for the mistake. For the benefit of the forum's readers, I was very tired last night and thought that broni had requested that I post my results on his site. We must have both posted the result on bbs at the same time.
     
  6. 2010/01/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'll remove double post :)
     
  7. 2010/01/22
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    otm log file

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\Lorelei\My Documents\Downloads\ca_setup(2).exe moved successfully.
    C:\Documents and Settings\Lorelei\My Documents\Downloads\ca_setup.exe moved successfully.
    C:\Documents and Settings\Richard\My Documents\Downloads\jZipV1c.exe moved successfully.
    C:\Documents and Settings\Richard\My Documents\Downloads\setupEtir.exe moved successfully.
    C:\Documents and Settings\Richard\My Documents\Downloads\X-Script S4 Full.exe moved successfully.
    D:\my software\rar\CryptLoad_1.1.5.rar moved successfully.
    D:\my software\rar\Top.10.Vital.Hacking.Software.and.Tools.rar moved successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Lorelei
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Richard
    ->Temp folder emptied: 92380446 bytes
    ->Temporary Internet Files folder emptied: 109266 bytes
    ->Java cache emptied: 386561 bytes
    ->FireFox cache emptied: 72546287 bytes
    ->Google Chrome cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 158.00 mb


    OTM by OldTimer - Version 3.1.6.0 log created on 01222010_134000

    Files moved on Reboot...
    File move failed. C:\WINDOWS\temp\Perflib_Perfdata_614.dat scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  8. 2010/01/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    =================================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    ================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: (no name) - {07276820-6961-4d38-a2b9-60e42fc88424} - (no file)


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    - O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    - O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    - O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    - O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    - O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    - O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  9. 2010/01/22
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    HJT log

    Note: I chose to download the JDK kit instead of JRE. When asked whether or not to allow the program to access the web by SPF, the SPF dialogue crashed. The JDK installer then rolled back to where it left off and continued. I also still cannot access my SPF due to the password change mentioned at the beginning of my post.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:24:39 PM, on 1/22/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Voicent\Gateway\bin\vgate.exe
    C:\Program Files\Voicent\Gateway\bin\vgate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {07276820-6961-4d38-a2b9-60e42fc88424} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: Fread Speak - C:\Program Files\Fread\plugin\ie_menu.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1260012255343
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Voicent Gateway (VoicentGateway) - Voicent Communications, Inc - C:\Program Files\Voicent\Gateway\bin\vgate.exe

    --
    End of file - 5695 bytes
     
  10. 2010/01/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Why? You don't need JDK, you need JRE.
    Please, correct it.

    As for Sygate, you may need to reinstall it, or go with some other product.

    Other than that....

    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  11. 2010/01/22
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Thanks so much

    JDK contains a copy of JRE. I am in the process of teaching myself web development as well as program development. Plus the MSWD suite has its limitations and drawbacks.

    I will change it to JRE if you strongly advise. If so, would you be so kind as to give me your reasons?

    I have uninstalled Sygate and the computer is running like lightning for a Celeron single core; I even tried multitasking using Photoshop. I will change all passwords immediately, just for safety's sake; however, I have seen no detections of trojans since before I formatted the hdd to put in my current pc.

    If there are no objections, I will leave you with my utmost gratitude, and close this thread. I have printed out your instructions as well as the log files for my own analysis and education.

    Nice working with you and I hope to not have to post in this section of bbs or any other forum again. I hope to work with you soon in a different section.

    Thanks again
     
  12. 2010/01/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    In that case, you're fine.

    I'm glad your computer is back to normal :)
    Happy surfing :)
     
