trying to clean my sons computer


Solved trying to clean my sons computer

Post by avak101 on Wed Dec 31, 2008 5:22 am

My son recently told me his computer has been running really slow, and I think it is because there are a lot of viruses on it. I do plan on buying more RAM for it, but before I do so I want to clean the computer up, so here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:58 AM, on 12/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [khswist] C:\WINDOWS\System32\khswist.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 4732 bytes

thanks,
avak

Post by Belahzur on Wed Dec 31, 2008 2:17 pm

Hello. This machine is running SP1; this is old and dangerous, and I'm surprised this machine isn't crippled and unusable. Once we are done here, please upgrade to SP3.
DO NOT upgrade now: this machine is infected, and upgrading it now could corrupt the machine, and then it WILL be unusable.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Policies\Explorer\Run: [khswist] C:\WINDOWS\System32\khswist.exe


  • Press "Fix Checked"
  • Close Hijack This.


I see you are running BearShare. Using P2P is dangerous; you will nearly always get infected downloading from P2P.
I'd recommend you remove BearShare.
Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Bearshare


Delete this file if you can find it:
C:\WINDOWS\System32\khswist.exe

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
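As an added illustration (not code from the thread, from HijackThis or from the helper), the Python script below encodes the triage behind the two lines picked out above: an O2 BHO whose DLL is "(no file)", and an O4 autostart under Policies\Explorer\Run pointing at an unknown executable in System32, plus the P2P warning. The System32 allowlist and the P2P list are constructed assumptions; the sample lines are copied from the log posted in this thread.

```python
import re
from typing import NamedTuple

# Constructed sample: the O2 and O4 lines from the HijackThis log posted
# in this thread, plus one O20 line that should not be flagged.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [khswist] C:\WINDOWS\System32\khswist.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


class Finding(NamedTuple):
    line: str
    reason: str


# O2 - BHO: <name> - {<CLSID>} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading (optionally quoted) drive-letter path up to its executable extension.
TARGET_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)

# Constructed allowlist (assumption): autostarts that legitimately run straight
# out of System32. Anything else launched from there deserves a second look.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe"}
# P2P clients; BearShare is the one the helper asked to remove in this thread.
P2P_CLIENTS = {"bearshare.exe"}


def triage_o2(m, line):
    """A BHO whose DLL is gone is an orphaned registration; clean it out."""
    if m["path"].strip().lower() == "(no file)":
        return [Finding(line, "O2: BHO registered but its DLL is missing ('(no file)')")]
    return []


def triage_o4(m, line):
    """Flag odd autostart locations, unknown System32 binaries and P2P clients."""
    findings = []
    if m["key"].lower().startswith("policies\\explorer\\run"):
        findings.append(Finding(line, "O4: autostart under Policies\\Explorer\\Run, "
                                      "a key legitimate installers rarely use"))
    t = TARGET_RE.match(m["cmd"])
    if t:
        folder, _, exe = t["path"].rpartition("\\")
        exe = exe.lower()
        if folder.lower().endswith("\\system32") and exe not in KNOWN_SYSTEM32_AUTOSTART:
            findings.append(Finding(line, f"O4: unrecognised executable {exe} started from System32"))
        if exe in P2P_CLIENTS:
            findings.append(Finding(line, f"O4: P2P client {exe} autostarts (common infection vector)"))
    return findings


def triage_hjt(log_text):
    """Return one Finding per heuristic hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            findings.extend(triage_o2(m, line))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(triage_o4(m, line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"FLAG  {f.reason}\n      {f.line}")
```

On the sample above the script flags exactly the two lines the helper ticked (khswist.exe twice, for its key and its location) and the BearShare autostart, and leaves the Java, SUPERAntiSpyware and Winlogon entries alone.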

Post by avak101 on Sat Jan 03, 2009 7:25 pm

MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 1

1/3/2009 2:23:12 PM
mbam-log-2009-01-03 (14-23-12).txt

Scan type: Quick Scan
Objects scanned: 252212
Time elapsed: 1 hour(s), 38 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0494d0d0-f8e0-41ad-92a3-14154ece70ac} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0494d0d4-f8e0-41ad-92a3-14154ece70ac} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0494d0d6-f8e0-41ad-92a3-14154ece70ac} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0494d0da-f8e0-41ad-92a3-14154ece70ac} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0494d0dc-f8e0-41ad-92a3-14154ece70ac} (Adware.MyWay) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar\1.bin (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar\History (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar\Settings (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\RMV\Local Settings\Temporary Internet Files\Content.IE5\E417JIR5\ss4[1] (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temporary Internet Files\Content.IE5\E417JIR5\ss4[2] (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temporary Internet Files\Content.IE5\QPRG8806\2209[1] (Trojan.Proxy.Xorpix) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar\History\search (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\System32KBRunOnce2.tm_ (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32KBRunOnce2.t__ (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\KBRunOnce2.t__ (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\696A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD10.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD11.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD12.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD13.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD14.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD15.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD16.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD17.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD18.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD19.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1A.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1B.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1C.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1D.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1E.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\CD1F.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\WinAntiSpyware2007Setup.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\RMV\Local Settings\Temp\yazzlesnet.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I was not able to find BearShare in Add/Remove, and I could not find the other file under System32 either.

Post by Belahzur on Sat Jan 03, 2009 7:34 pm

Oh, okay.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste the report back here.

Post by avak101 on Sat Jan 03, 2009 7:43 pm

here is the new log:


DDS (Version 1.1.0) - NTFSx86
Run by RMV at 14:40:51.46 on Sat 01/03/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.28 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RMV\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mSearch Bar =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
mCustomizeSearch = [You must be registered and logged in to see this link.]
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [Sonic RecordNow!]
uRun: [Aim6]
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rmv\applic~1\mozilla\firefox\profiles\r2pm6a3b.default user\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-03 14:27 61,440 a------- c:\windows\system32\drivers\xkapinvc.sys
2009-01-02 20:52 --d----- c:\docume~1\rmv\applic~1\Malwarebytes
2009-01-02 20:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 20:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 20:52 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 20:52 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 16:22 --d----- c:\program files\FxPro MetaTrader
2008-12-31 18:53 --d----- c:\program files\FXCM Trader 4
2008-12-30 23:47 --d----- c:\program files\Trend Micro

==================== Find3M ====================

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-09-28 18:04 246 a------- c:\program files\common files\bapu112
2007-07-28 04:06 135 a------- c:\program files\common files\fsoxy.html
2004-11-18 01:13 56 ---shr-- c:\windows\system32\E2C6128FE8.sys
2004-11-18 01:13 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-09-28 17:53 6,498 ---sh--- c:\windows\system32\tvvwa.bak1
2007-09-28 18:15 2,132,943 ---sh--- c:\windows\system32\tvvwa.bak2

============= FINISH: 14:41:53.69 ===============

Post by Belahzur on Sat Jan 03, 2009 7:45 pm

Hello.
Please upload this file in bold:
c:\windows\system32\drivers\xkapinvc.sys
To here for a scan:
[You must be registered and logged in to see this link.]
Copy and paste the results back here.


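As an added example (not part of the thread or of DDS), this Python script shows why the driver named above stands out in the DDS listing: it parses the "Created Last 30" / "Find3M" entries posted earlier and flags a kernel driver created minutes before the scan, and also hidden+system files in System32 with non-standard extensions (the tvvwa.bak files the helper later lists for removal). The tool-driver allowlist and the extension list are constructed assumptions; the scan time is taken from the DDS header.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the DDS "Created Last 30" and "Find3M"
# entries from the log posted in this thread.
DDS_SAMPLE = r"""
2009-01-03 14:27 61,440 a------- c:\windows\system32\drivers\xkapinvc.sys
2009-01-02 20:52 --d----- c:\docume~1\rmv\applic~1\Malwarebytes
2009-01-02 20:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 20:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2004-11-18 01:13 56 ---shr-- c:\windows\system32\E2C6128FE8.sys
2004-11-18 01:13 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-09-28 17:53 6,498 ---sh--- c:\windows\system32\tvvwa.bak1
2007-09-28 18:15 2,132,943 ---sh--- c:\windows\system32\tvvwa.bak2
"""

# From the DDS header: "Run by RMV at 14:40:51.46 on Sat 01/03/2009".
SCAN_TIME = datetime(2009, 1, 3, 14, 40)

# <date> <time> [<size>] <8-char attribute mask> <path>; directories have no size.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")

# Constructed allowlist (assumption): drivers dropped by the cleanup tool the
# thread had just installed, so their recent creation date is expected.
KNOWN_TOOL_DRIVERS = {"mbam.sys", "mbamswissarmy.sys"}
# Constructed list (assumption) of extensions one expects on System32 files.
NORMAL_SYSTEM32_EXT = {".sys", ".dll", ".exe", ".ocx", ".drv"}


def parse_dds(text):
    """Turn DDS file-listing lines into dicts; skips headers and blanks."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": int(m["size"].replace(",", "")) if m["size"] else None,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def triage_dds(text, scan_time=SCAN_TIME, window=timedelta(hours=24)):
    """Return (path, reason) pairs for entries worth a second look."""
    findings = []
    for e in parse_dds(text):
        folder, _, name = e["path"].lower().rpartition("\\")
        is_dir = "d" in e["attrs"]
        hidden_system = "h" in e["attrs"] and "s" in e["attrs"]
        ext = name[name.rfind("."):] if "." in name else ""
        if is_dir:
            continue
        # A .sys under \drivers that appeared shortly before the scan and was
        # not installed by a known tool is the xkapinvc.sys pattern.
        if (folder.endswith("\\drivers") and ext == ".sys"
                and scan_time - e["when"] <= window and name not in KNOWN_TOOL_DRIVERS):
            findings.append((e["path"], "kernel driver created shortly before the scan, not from a known tool"))
        # Hidden+system files with odd extensions in System32 are the tvvwa.bak pattern.
        if folder.endswith("\\system32") and hidden_system and ext not in NORMAL_SYSTEM32_EXT:
            findings.append((e["path"], f"hidden+system file with unusual extension {ext} in System32"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_dds(DDS_SAMPLE):
        print(f"FLAG  {reason}\n      {path}")
```

The hidden+system .sys files from 2004 are deliberately not flagged: the extension check keeps the heuristic from reporting them, which matches the helper not asking for their removal.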
Post by avak101 on Sat Jan 03, 2009 7:50 pm

File: xkapinvc.sys
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 589312a3b46721c5a751e4d5222a89be
Packers detected:
-
Scanner results
Scan taken on 03 Jan 2009 19:48:31 (GMT)
A-Squared
Found Hoax.Win32.Agent.fu!A2
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found Malware.W32.Agent.fu
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Agent.HHSF
Panda Antivirus
Found Trj/Downloader.MDW
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Post by avak101 on Sat Jan 03, 2009 7:50 pm

^Is this what you wanted?

Post by Belahzur on Sat Jan 03, 2009 7:51 pm

Yep.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    c:\windows\system32\drivers\xkapinvc.sys
    c:\program files\common files\fsoxy.html
    c:\windows\system32\tvvwa.bak1
    c:\windows\system32\tvvwa.bak2

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Post by avak101 on Sat Jan 03, 2009 8:00 pm

My computer has not been responding for the last five minutes after I clicked "MoveIt!". What should I do?

Post by Belahzur on Sat Jan 03, 2009 8:05 pm

Reboot and see what happens.

Post by avak101 on Sat Jan 03, 2009 8:16 pm

OK, I rebooted. Should I run the same program again?

Post by Belahzur on Sat Jan 03, 2009 8:17 pm

No, let's use this instead.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
c:\windows\system32\drivers\xkapinvc.sys
c:\program files\common files\fsoxy.html
c:\windows\system32\tvvwa.bak1
c:\windows\system32\tvvwa.bak2

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Post by avak101 on Sat Jan 03, 2009 8:56 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\drivers\xkapinvc.sys" not found!
Deletion of file "c:\windows\system32\drivers\xkapinvc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\program files\common files\fsoxy.html" not found!
Deletion of file "c:\program files\common files\fsoxy.html" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\tvvwa.bak1" not found!
Deletion of file "c:\windows\system32\tvvwa.bak1" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\tvvwa.bak2" not found!
Deletion of file "c:\windows\system32\tvvwa.bak2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Post by Belahzur on Sat Jan 03, 2009 8:58 pm

Okay, looks good now, what problems remain?

Post by avak101 on Sat Jan 03, 2009 9:02 pm

The computer is still running a bit slow, but do you think all the viruses are gone?

Post by Belahzur on Sat Jan 03, 2009 9:07 pm

Yes, the virus is gone.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Post by Doctor Inferno on Sat Feb 21, 2009 10:00 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
