system
October 7, 2008, 2:13pm
1
Hello. For some time I have had a virus on my PC that I haven't been able to remove :S
VirusTotal link
http://www.virustotal.com/analisis/67f96cc15fdac09462b880639a80e5c4
I have used AVG and avast! on the file without being able to get rid of it… It says that the file has been successfully moved to the virus chest but it "regens" every day, 2 hours before I log on the PC, all the time… ???
Anyone got an idea? See the PE data from VirusTotal:
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40410b
timedatestamp…: 0x21475346 (Fri Sep 11 01:35:02 1987 )
machinetype…: 0x14c (I386)
It is that old but still none of the antivirus programs have been able to remove it :-X
DavidR
October 7, 2008, 2:25pm
2
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
SUPERantispyware On-Demand only in free version.
MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe , right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
You mention AVG and avast in the same context, so are you using two resident AVs (not advisable) ?
system
October 7, 2008, 2:38pm
3
Nope, used both independently. Used AVG in the start, then changed to avast.
Used MalwareBytes but it didn't detect anything that removed the virus.
DavidR
October 7, 2008, 2:49pm
4
Using them independently could still imply they are both installed at the same time; even if disabled, an AV has low level drivers that would still be loaded unless uninstalled. It is these that can conflict.
Did you run MBAM from safe mode ?
What did the report show ?
Run SAS from safe mode also if you haven't already done so.
system
October 7, 2008, 2:58pm
5
I know that 2 antiviruses on the same PC is sometimes a bad thing… I used them independently, as in uninstalling one before installing another.
I can't open in safe mode :S As when booting in Safe Mode I lose the domain choice, meaning I can't log on >.<
It was previously a work PC
system
October 7, 2008, 3:26pm
6
Have you tried the Avast boot time scan and Dr.Web CureIt?
system
October 7, 2008, 3:29pm
7
Yep, it removed only the r.exe file :S It popped up again right after reboot ???
I do partly remember the place I got the virus… I think it was from Cheatplanet, right after I arrived at the site :S
system
October 7, 2008, 3:50pm
8
Try the Dr.Web; also, did you run SAS and MBAM as suggested by DavidR? Do you know how to post a HijackThis log?
http://www.freedrweb.com/
http://filehippo.com/download_hijackthis/
system
October 7, 2008, 3:52pm
9
Yep, posted a log before:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55, on 2008-10-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8402 bytes
system
October 7, 2008, 5:49pm
10
Do these entries mean anything to you or anyone?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
What is no.via.as?
system
October 8, 2008, 1:39pm
11
This is a work PC. It's the domain of that job and I'm still logging on with the domain, so (got no clue how to remove it safely and securely).
system
October 8, 2008, 5:08pm
12
Have you run the AVG removal tool (new in July)?
Essential that you do this.
32 and 64 bit versions on the AVG website.
Do not even think about removing something from your work computer without IT department OK.
Quarantine any hits, do not remove/delete.
Leave any avast hits in chest.
What are?
Google if unknown:
O4 - Global Startup: gamma.hta
Active-X:
Google both CLSID and file name(s)/folder names if unknown:
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
HJT does not catch everything in these latest infections.
Please upload any hits to VirusTotal for a positive ID.
Let's see MBAM and SAS logs (edit out cookies).
Run the Trend Micro rootkit tool.
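A small triage script for HijackThis-style log lines, added here as an example; it is not code from this thread or from HijackThis, and the line formats it parses are inferred from the logs posted above. It pulls out the entry types this post asks the poster to check by hand: O17 domain overrides, O4 startup items that launch script files (gamma.hta), O16 DPF ActiveX controls with the CLSID and cab file name to search for, and O23 services with vendor and path. The sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the thread or of HijackThis). Groups the entries a responder verifies by hand:
O17 domain overrides, O4 startup items pointing at script files, O16 DPF
ActiveX controls and O23 services."""
import re
from urllib.parse import urlsplit

# Constructed sample: a handful of lines taken from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: gamma.hta
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
"""

# Entry line formats as they appear in HJT 2.0.2 logs (inferred from the posted logs).
ENTRY_RE = re.compile(r"^([RFO]\d+) - ")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<value_name>\w+) = (?P<domain>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Startup targets that are scripts rather than executables get a second look,
# which is what the thread does with gamma.hta.
SCRIPT_TARGET_RE = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf|bat|cmd)(?=[\s\"']|$)", re.IGNORECASE)


def entries(text):
    """Yield (section, line) for each HijackThis entry line (R0, O4, O16, ...)."""
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), line


def triage(text):
    """Group the entries a responder checks by hand into one report dict."""
    report = {"domain_overrides": {}, "script_startups": [], "activex": [], "services": []}
    for section, line in entries(text):
        if section == "O17":
            m = O17_RE.match(line)
            if m:  # collect every registry key that carries the same domain value
                report["domain_overrides"].setdefault(m["domain"], []).append(m["key"])
        elif section == "O4":
            m = O4_RE.match(line)
            if m and SCRIPT_TARGET_RE.search(m["target"]):
                report["script_startups"].append({"where": m["where"], "target": m["target"]})
        elif section == "O16":
            m = O16_RE.match(line)
            if m:
                url = m["url"]
                report["activex"].append({
                    "clsid": m["clsid"].upper(),
                    "name": m["name"],
                    "host": urlsplit(url).hostname,
                    "file": url.rsplit("/", 1)[-1],
                })
        elif section == "O23":
            m = O23_RE.match(line)
            if m:
                report["services"].append(
                    {"name": m["name"], "vendor": m["vendor"], "path": m["path"]})
    return report


def lookup_terms(report):
    """(CLSID, cab file name) pairs per ActiveX control, the search terms the thread asks for."""
    return [(a["clsid"], a["file"]) for a in report["activex"]]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for domain, keys in rep["domain_overrides"].items():
        print(f"domain override {domain!r} set in {len(keys)} registry key(s)")
    for s in rep["script_startups"]:
        print(f"script startup item: {s['target']} ({s['where']})")
    for clsid, cab in lookup_terms(rep):
        print(f"look up ActiveX control: {clsid} / {cab}")
    for s in rep["services"]:
        print(f"service: {s['name']} [{s['vendor']}] -> {s['path']}")
```

Feed it a whole saved HJT log instead of SAMPLE_LOG to get the same grouping for every O4/O16/O17/O23 line in the file.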
system
October 8, 2008, 5:31pm
13
I've been googling that entry (O4 - Global Startup: gamma.hta) and can find almost no info on it. It hardly shows anywhere. Very strange. Anyone else got an opinion?
system
October 8, 2008, 5:57pm
14
Hi Roofel:
On Oct 7, you said: "Previously a work PC" and today: "This a work PC"; which is "it"? Because it is IMPORTANT, because those "O17" Hijackthis Items are "connected" to the very undesirable Lop company and are considered "Domain Hacks" (usually very undesirable) and could be the Source of your problem(s)!? IF unwanted, simply put a check into the box to the left of all those O17 Items and click the "Fix" button.
At a minimum, I recommend you have HJT "Fix" the following:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Also I noticed "GameSPYArcade", which I personally looked into a couple of yrs ago and was very alarmed at what I found and completely uninstalled the program. "Curse/CurseClient" seems to be relatively new and some major security companies are still investigating it, so be careful.
Your Adobe Reader is outdated and a serious security risk; would recommend you read the info at http://forum.avast.com/index.php?topic=38839.0 . Based on this, I recommend you uninstall Adobe Reader and use the safer "Foxit Reader".
system
October 8, 2008, 6:41pm
15
The work place was in a company called "Via Travel" and it's located in Norway (hence the .no). The domain was used to be able to connect to the PC at work (worked from home sometimes).
Bonjour Service is apparently something that iTunes needs to run.
Gamespy Arcade came with a game I bought. It's used to connect with other players within that game. I've used it before and it was no security risk, completely legit program.
CurseClient is an "updater" for my World of Warcraft addons, 100% safe, as if it wasn't it would already have hijacked my World of Warcraft account, so (Program site: www.curse.com )
Another source: http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=15604
I updated the Adobe Reader under a month ago so… Weird it didn't update, even said it was successful.
I'll try to update it again then.
I had Norton Antivirus before but removed it, so I'll remove all of the "traces" after Symantec.
To do it so:
Remove NAV or Norton 360 through Add/Remove programs from Control Panel. Boot.
Use Norton Removal Tool for Windows 2000/XP/Vista or Norton Removal Tool for Windows 98/Me . Boot.
Install avast! (or repair the installation) and boot.
The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
system
October 8, 2008, 6:57pm
17
O4 - Global Startup: gamma.hta
Googled it before and it was apparently connected to my "Desktop gamma setting" through another program, and it was listed as safe, so.
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab
Couldn't find anything on it; when I google both CLSID and file name it shows up only in other Hijackthis logs on other forums and sites. Judging by the name it is from a game, Thinktanks, that is hosted at Shockwave.com (wild guess, but it might have been a free game I found that I wanted to try but couldn't get to start. Not downloaded or anything, just run from the browser).
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
Same as above, just that the game is Feeding Frenzy.
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
http://www.castlecops.com/o23list-2937.html
Leftover from a program the administrators used, I think, judging from the description (think it's safe to remove but kinda wanted to check with you people first).
I tried it; I removed most of the files manually before the program showed up, meaning the removal tool had nothing to "base itself on" and it just said all was removed.
As the Hijackthis log showed, this might be left from Norton:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
system
October 8, 2008, 7:40pm
18
Hi:
Regarding iTunes/Bonjour-mDNSResponder: according to the Info at www.liutilities.com/products/wintaskspro/processlibrary/mdnsresponder , this is a NON-ESSENTIAL process/NOT a critical component as related to iTunes.
Would recommend you read the Info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ to read WHAT this does and Removal Instructions IF interested!?
system
October 9, 2008, 2:28pm
19
Non-infected O16s can be removed or left, your choice.
If an app needs these Active-X controls they will be reloaded.
On the O23:
It is always better to remove with Add/Remove or other conventional means, as there may be other parts/fragments/traces that will not be removed with HJT.
Do a search on vmover and aelita.
You might search the registry also.
Still looking for MBAM and SAS logs (edit out cookies).
system
October 9, 2008, 5:40pm
20
Malwarebytes' Anti-Malware 1.28
Database versjon: 1203
Windows 5.1.2600 Service Pack 2
2008-10-09 19:22:29
mbam-log-2008-10-09 (19-22-29).txt
Skanntype: Rask Skann
Objekter skannet: 58030
Tid tilbakelagt: 28 minute(s), 9 second(s)
Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0
Minneprosesser infisert:
(Ingen mistenkelige filer funnet)
Minnemoduler infisert:
(Ingen mistenkelige filer funnet)
Registernøkler infisert:
(Ingen mistenkelige filer funnet)
Registerverdier infisert:
(Ingen mistenkelige filer funnet)
Registerfiler infisert:
(Ingen mistenkelige filer funnet)
Mapper infisert:
(Ingen mistenkelige filer funnet)
Filer infisert:
(Ingen mistenkelige filer funnet)
No suspicious files found is what it says.
HijackThis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21, on 2008-10-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6494 bytes
I'm doing some research on Aelita DMW Migration Agent and gonna remove the Bonjour application soon.
Here is the SAS log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/07/2008 at 05:05 PM
Application Version : 4.21.1004
Core Rules Database Version : 3591
Trace Rules Database Version: 1578
Scan type : Quick Scan
Total Scan Time : 00:17:02
Memory items scanned : 411
Memory threats detected : 0
Registry items scanned : 462
Registry threats detected : 0
File items scanned : 7873
File threats detected : 0