GeekPolice

infected with a trojan.brisv.A!inf


Solved infected with a trojan.brisv.A!inf

Post by ba2269 on Sat Feb 07, 2009 7:11 pm

Not quite sure how it happened, but I have tried pretty much everything I was told to try. The Norton scans would not pick up the virus sometimes, but it still shows under unresolved risks. I followed the steps from your web site. Here is my log. Thanks.



Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sat Feb 07, 2009 7:25 pm

Hello.
Can't read that, please turn off Word Wrap in Notepad.
This can be found in the Format menu.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Fixed Wordwrap

Post by ba2269 on Sat Feb 07, 2009 8:07 pm

Sorry about that; I thought I had disabled it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:24 PM, on 2/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\QUICKENW\QAGENT.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\RALPH\Desktop\hijackgpthis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\RALPH\Application Data\Mozilla\Profiles\default\r9eiari2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\RALPH\Application Data\Mozilla\Profiles\default\r9eiari2.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\PROGRA~1\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\RALPH\LOCALS~1\Temp\app4F1.tmp
O4 - HKLM\..\Run: [PerfectOptimizer] C:\Program Files\Perfect Optimizer\PerfectOptimizer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe [You must be registered and logged in to see this link.]
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1695C611-186A-4355-B777-0D85B325F07F} - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [You must be registered and logged in to see this link.]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - [You must be registered and logged in to see this link.]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - [You must be registered and logged in to see this link.]
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 12845 bytes


Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sat Feb 07, 2009 8:14 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\RALPH\LOCALS~1\Temp\app4F1.tmp
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe [You must be registered and logged in to see this link.]
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O18 - Filter hijack: text/html - (no CLSID) - (no file)


  • Press "Fix Checked"
  • Close HijackThis.
Let's take a look around.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double-click DDS.scr to run it.
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.




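The six lines Belahzur picked out above can be recognised mechanically. What follows is an added example written for this page, not code from the thread, from HijackThis or from GeekPolice: a Python script that parses O4, O18 and O23 lines and reports the same tells (an autorun launched from a Temp directory or ending in .tmp, an autorun with an empty value name or empty data, a bare .exe in a Startup folder, a MIME filter with no CLSID and no file, a service whose binary is missing). The sample lines are constructed to mirror the shapes in the posted log; the URL on the RunOnce line is a placeholder, since the real value sits behind the forum's login wall.

```python
"""Triage heuristics for HijackThis O4/O18/O23 lines (added example, not HJT's own code).

The rules encode why the six lines picked out in the reply above stand out: an
autorun that launches from a Temp directory (and with a .tmp extension), a
RunOnce value with an empty name, Run values whose data is empty, a bare .exe
in a Startup folder, a MIME filter with no CLSID and no file, and a service
whose binary is gone. They flag entries for review; nothing here deletes anything.
"""
import re

# Constructed sample in the shape of the log posted above; the RunOnce URL is a
# placeholder, not the value from the real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\RALPH\LOCALS~1\Temp\app4F1.tmp
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://example.invalid/after-removal
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Line shapes as HijackThis 2.0.x prints them.
_O4_KEY = re.compile(r"^O4 - (?P<key>HK[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_O4_FOLDER = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<item>.*)$")
_O18_FILTER = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - (?P<clsid>.+?) - (?P<file>.+)$")
_O23_SERVICE = re.compile(r"^O23 - Service: .* - (?P<path>.+)$")
_USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")  # HJT's per-user annotation on HKUS entries

# Lower-cased fragments that mean "this runs out of a temp directory" (8.3 form included).
TEMP_MARKERS = ("\\temp\\", "locals~1\\temp", "\\local settings\\temp")


def reasons_for(line):
    """Return the list of reasons a single HJT line deserves a look (empty if none)."""
    reasons = []
    m = _O4_KEY.match(line)
    if m:
        name = m.group("name")
        cmd = _USER_SUFFIX.sub("", m.group("cmd")).strip()
        cmd_l = cmd.lower()
        if any(marker in cmd_l for marker in TEMP_MARKERS):
            reasons.append("autorun launches from a Temp directory")
        if cmd_l.endswith(".tmp"):
            reasons.append("autorun target has a .tmp extension")
        if name == "":
            reasons.append("autorun value has an empty name")
        if cmd == "":
            reasons.append("autorun value carries no command (empty data)")
        return reasons
    m = _O4_FOLDER.match(line)
    if m:
        if m.group("item").lower().endswith(".exe"):
            reasons.append("bare executable in a Startup folder")
        return reasons
    m = _O18_FILTER.match(line)
    if m:
        if "no clsid" in m.group("clsid").lower() or "no file" in m.group("file").lower():
            reasons.append("MIME filter registered with no CLSID or no backing file")
        return reasons
    m = _O23_SERVICE.match(line)
    if m and m.group("path").endswith("(file missing)"):
        reasons.append("service registered for a file that no longer exists")
    return reasons


def triage(log_text):
    """Return [(line, reasons), ...] for every line that triggered at least one rule."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = reasons_for(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

The output is a review list, not a kill list. A .tmp under the user's Temp folder in HKLM\..\Run is about as clear a sign as an HJT log gives, but the empty-data HKUS entries are just the residue of an uninstall, and the empty-named RunOnce that launches Firefox at a Symantec URL looks like a removal tool's post-run page rather than malware. "Fix Checked" deletes the registry values outright; HijackThis writes a backup first (Config > Backups), so keep that in mind before fixing anything a rule like this flags.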

Solved dds text part 1

Post by ba2269 on Sat Feb 07, 2009 9:55 pm

DDS (Ver_09-01-07.01) - NTFSx86
Run by RALPH at 15:31:51.14 on Sat 02/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.153 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\QUICKENW\QAGENT.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RALPH\Desktop\dds.com
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Microsoft Internet Explorer provided by Compaq
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Page =
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {014DA6C9-189F-421A-88CD-07CFE51CFF10} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
uRun: [Sysres]
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UMonit] c:\windows\system32\umonit.exe
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QAGENT] c:\progra~1\quickenw\QAGENT.EXE
mRun: [PROMon.exe] PROMon.exe
mRun: [PerfectOptimizer] c:\program files\perfect optimizer\PerfectOptimizer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [CARPService] carpserv.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
mPolicies-explorer: =
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com\free
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli scecli

ba2269 | Novice | Posts : 28 | Joined : 2009-02-06 | OS : windows xp

Solved dds text file part 2

Post by ba2269 on Sat Feb 07, 2009 9:56 pm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ralph\applic~1\mozilla\firefox\profiles\cbfubeo7.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\ralph\application data\mozilla\firefox\profiles\cbfubeo7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090129.005\IDSxpx86.sys [2009-1-29 276344]
R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2009-1-29 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2009-1-29 51072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-16 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090206.057\naveng.sys [2009-2-7 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090206.057\navex15.sys [2009-2-7 876112]
R4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2002-8-9 34712]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys --> c:\windows\system32\drivers\fixustor.sys [?]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]

=============== Created Last 30 ================

2009-02-07 13:12 16,939,928 a------- c:\program files\jre-6u12-windows-x64-p.exe
2009-02-05 22:57 0 -------- c:\program files\jre-6u11-windows-i586-p.exe
2009-02-05 22:56 --d----- c:\documents and settings\ralph\.SunDownloadManager
2009-02-03 18:21 a-d----- c:\program files\Norton Support
2009-01-31 20:00 --d----- c:\program files\WSEX Casino
2009-01-29 23:46 51,072 a------- c:\windows\system32\drivers\ikhlayer.sys
2009-01-29 23:46 30,592 a------- c:\windows\system32\drivers\ikhfile.sys
2009-01-29 00:09 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-27 21:20 --d----- c:\docume~1\ralph\applic~1\DisplayTune
2009-01-27 20:45 11,776 a------- c:\windows\system32\drivers\pdiddcci.sys
2009-01-27 20:43 15,920 a------- c:\windows\system32\drivers\PdiPorts.sys
2009-01-27 20:41 --d----- c:\program files\Portrait Displays
2009-01-27 20:41 --d----- c:\program files\common files\Portrait Displays
2009-01-13 12:29 --d----- c:\program files\Perfect Optimizer
2009-01-13 12:26 4,306,836 a------- c:\program files\PerfectOptimizer.exe

==================== Find3M ====================

2009-02-07 14:56 4,768 a------- c:\windows\compaq.reg
2009-02-05 22:57 1,226 a------- c:\program files\jre-6u11-windows-i586-p.exe.sdm
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-26 15:58 68,756,776 a------- c:\program files\iTunesSetup.exe
2008-11-25 16:02 112,221 a------- c:\program files\ZiPhoneWin-3.0.exe
2008-11-25 15:37 23,510,720 a------- c:\program files\dotnetfx.exe
2008-11-24 22:12 19,652,961 a------- c:\program files\InstallSnapfishPluginV3.exe
2008-11-13 09:22 74,171 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-29 11:28 2,017,783 a------- c:\program files\absetup.exe
2008-01-29 21:10 351,272 a------- c:\program files\InstallPlay65.exe
2007-09-29 19:01 6,016,952 a------- c:\program files\Firefox Setup 2.0.0.7.exe
2007-09-29 18:46 5,872,077 a------- c:\program files\netscape-navigator-9.0b3.exe
2007-02-25 16:39 4,212 a------- c:\program files\ReadMe.txt
2007-02-25 16:39 498,376 a------- c:\program files\setup.exe
2007-02-10 13:17 11,352,928 a------- c:\program files\sdsetup.exe
2006-03-08 10:30 4,250,506 a------- c:\program files\HIM - Wings Of A Butterfly.mp3
2006-02-15 14:14 673,360 a------- c:\program files\nsb-setup.exe
2006-02-01 20:53 300,896 a------- c:\program files\Play65.exe
2006-01-28 22:32 587,651 a------- c:\program files\defs.zip
2006-01-12 17:12 10,071,573 a------- c:\program files\kazaaplus.exe
2005-12-14 21:24 10,684,266 a------- c:\program files\WorldPX_Setup.exe
2005-09-12 15:28 578,504 a------- c:\program files\kazaa_setup.exe
2005-02-21 16:36 35,121,138 a------- c:\program files\NIS_Retail.EXE
2005-02-21 16:13 17,873,964 a------- c:\program files\NPM2004tb15.exe
2005-02-21 15:46 45,040 a------- c:\program files\setup2..exe
2005-02-21 15:39 63,488 a------- c:\program files\setup3.exe
2005-02-21 15:39 49,152 a------- c:\program files\setup2.exe
2004-12-27 21:58 63 a------- c:\program files\users.dat
2004-12-14 21:38 1,664 a------- c:\docume~1\ralph\applic~1\ViewerApp.dat
2004-11-04 16:08 589,824 a------- c:\program files\kmd.exe
2004-10-04 14:54 4,354,084 a------- c:\program files\spybotsd13.exe
2004-10-04 14:23 2,636,408 a------- c:\program files\aawsepersonal.exe
2004-10-02 13:30 3,349,760 a------- c:\program files\PokerStarsInstall.exe
2004-07-05 08:38 823,296 a------- c:\program files\winmx353.exe
2004-07-01 17:51 1,694,551 a------- c:\program files\aaw6181.exe
2004-06-19 23:07 2,224,544 a------- c:\program files\191244_ZIP.zip
2004-02-14 12:59 35,942,843 a------- c:\program files\NIS2004.exe
2004-02-08 11:45 490,608 a------- c:\program files\ie6setup.exe
2004-02-08 11:43 2,907,904 a------- c:\program files\Q832894.exe
2003-12-06 11:04 4,952,816 a------- c:\program files\SetupDl.exe
2003-11-05 20:34 488,032 a------- c:\program files\PopUpStopperFree.exe
2003-10-28 01:21 5,777,944 a------- c:\program files\WSEXpoker_setup.exe
2003-02-09 13:12 6,516,168 a------- c:\program files\Morph20.exe
2002-12-30 19:14 77,503 a------- c:\program files\securevault202.zip
2002-12-28 22:53 1,598,163 a------- c:\program files\SplashMoney2.71Installer.exe
2002-12-21 12:16 229,376 a------- c:\program files\SplashMoneyConduit.dll
2002-10-10 20:32 8,981,440 a------- c:\program files\ar505enu.exe
2002-09-03 23:46 784 a------- c:\docume~1\ralph\applic~1\mpauth.dat

============= FINISH: 15:34:43.46 ===============

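
The SERVICES / DRIVERS section of the DDS log above is where the two entries later removed with OTMoveIt (fixustor and msCMTSrvc) come from: DDS prints "path --> path [?]" when it cannot find the binary an entry is registered with, and both are stopped (S3) entries whose files no longer exist. The Python below is an added example, not code from this thread, from DDS or from OTMoveIt. It parses lines in the format shown in the log (the sample lines are copied from it), separates stopped entries with a missing binary from running entries DDS merely failed to resolve, and renders the ":services" block in the form OTMoveIt3 was given. The class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: service/driver lines copied from the DDS log posted above.
# DDS writes "path [date size]" when it finds the binary an entry points at,
# and "path --> path [?]" when it cannot.
DDS_SERVICES = r"""
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys --> c:\windows\system32\drivers\fixustor.sys [?]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
"""

# "R1 name;display;rest": R/S is running/stopped, the digit is the start type.
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
FOUND_RE = re.compile(r"^(?P<path>.+) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
MISSING_MARK = "[?]"


@dataclass
class ServiceEntry:
    state: str                      # e.g. "R0", "S3"
    name: str                       # service key name, what OTMoveIt :services takes
    display: str
    image_path: str                 # path as registered (left side of "-->")
    binary_found: bool              # False when DDS printed "[?]"
    file_date: Optional[str] = None
    file_size: Optional[int] = None

    @property
    def running(self) -> bool:
        return self.state.startswith("R")


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse the SERVICES / DRIVERS section of a DDS log; skip lines that do not fit."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        state, name, display, rest = m.group("state", "name", "display", "rest")
        if rest.endswith(MISSING_MARK):
            registered = rest[: -len(MISSING_MARK)].strip().split(" --> ")[0]
            entries.append(ServiceEntry(state, name, display, registered, False))
            continue
        found = FOUND_RE.match(rest)
        if found:
            entries.append(ServiceEntry(state, name, display, found.group("path"), True,
                                        found.group("date"), int(found.group("size"))))
    return entries


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Stopped entries whose binary is gone: a registry key with nothing behind it.
    These are the removal candidates (fixustor and msCMTSrvc in the log above)."""
    return [e for e in entries if not e.running and not e.binary_found]


def unresolved_running(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Running entries DDS could not resolve. A loaded driver is not an orphan;
    SymEFA is marked [?] with a doubled \\SystemRoot prefix in its path, which
    looks like a path-reporting problem rather than a missing file, so it gets a
    manual look instead of deletion."""
    return [e for e in entries if e.running and not e.binary_found]


def otmoveit_services_script(entries: List[ServiceEntry]) -> str:
    """Render the :services block in the form OTMoveIt3 accepts (one key name per line)."""
    return "\n".join([":services"] + [e.name for e in entries])


if __name__ == "__main__":
    parsed = parse_dds_services(DDS_SERVICES)
    for e in unresolved_running(parsed):
        print(f"check manually: {e.state} {e.name} -> {e.image_path}")
    print(otmoveit_services_script(orphaned_services(parsed)))
```

Run stand-alone it prints SymEFA as a manual check and the ":services" block naming fixustor and msCMTSrvc, which is what the next post pasted into OTMoveIt. The split between "stopped and missing" and "running and unresolved" is the check worth keeping: deleting a service key whose driver is actually loaded can leave the security product that owns it unable to start.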

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sat Feb 07, 2009 10:05 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :services
    fixustor
    msCMTSrvc


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Last edited by Belahzur on Sat Feb 07, 2009 10:18 pm; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur | Administrator | Posts : 34916 | Joined : 2008-08-03 | Gender : Male | OS : XP SP3 Media Centre

Solved moveit file

Post by ba2269 on Sat Feb 07, 2009 10:09 pm

========== SERVICES/DRIVERS ==========
Service fixustor stopped successfully.
Service fixustor deleted successfully.
Service msCMTSrvc stopped successfully.
Service msCMTSrvc deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02072009_170841

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sat Feb 07, 2009 10:14 pm

Can you answer my question just above the OTMoveIt instructions.


Solved ?

Post by ba2269 on Sat Feb 07, 2009 10:16 pm

Don't know whose post that was, but it wasn't mine.

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sat Feb 07, 2009 10:21 pm

So it was, thanks for letting me know. My mistake. :oops:
I have removed the post.

How is your machine now?


Solved Re: infected with a trojan.brisv.A!inf

Post by ba2269 on Sat Feb 07, 2009 10:25 pm

Oh, no problem. I haven't seen anything different in performance since Norton originally detected this virus. Should I run the scan again?

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sat Feb 07, 2009 10:27 pm

Go for it, let me know if it comes back clean.


Solved Re: infected with a trojan.brisv.A!inf

Post by ba2269 on Sun Feb 08, 2009 2:12 am

The scan still came up with at least one. Scan is still running.

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sun Feb 08, 2009 3:03 pm

Does it say where it's detected them?


Solved Re: infected with a trojan.brisv.A!inf

Post by ba2269 on Sun Feb 08, 2009 3:20 pm

It is telling me that there are 2 files that begin with c:\recycler\s-1-5-21-784569582-1974565712-2106517767-1006\dc813\incomplete\t-3545425-theroadtozion.mp3 and one similar to this one. There was a previous result that also showed an infected file in c:\documents and settings\ralph\my documents\limewire with similar endings to the others. I no longer have LimeWire. thx.

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sun Feb 08, 2009 3:22 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\recycler\s-1-5-21-784569582-1974565712-2106517767-1006\dc813\incomplete
    c:\documents and settings\ralph\my documents\limewire


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Solved Re: infected with a trojan.brisv.A!inf

Post by ba2269 on Sun Feb 08, 2009 3:34 pm

========== FILES ==========
c:\recycler\s-1-5-21-784569582-1974565712-2106517767-1006\dc813\Incomplete moved successfully.
File/Folder c:\documents and settings\ralph\my documents\limewire not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02082009_102837
========== FILES ==========
c:\recycler\s-1-5-21-784569582-1974565712-2106517767-1006\dc813\Saved moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02082009_103145
I tried them on both files from the recycler, but the previous scans that showed LimeWire files could not be found, maybe because I no longer have LimeWire. I deleted it after the problems started to happen.

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sun Feb 08, 2009 3:38 pm

The LimeWire folder doesn't exist, so I don't know how it's finding it there.


Solved Re: infected with a trojan.brisv.A!inf

Post by ba2269 on Sun Feb 08, 2009 4:25 pm

I have run the scan and it no longer has the risks as unresolved risks and has removed them.
woooohoooo. I can't thank you enough for undoing the mess my stupidity has caused. I appreciate the time and patience. I will talk to you again in another forum. I have had problems with my CPU that I would like to run some questions by you. thx again.

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sun Feb 08, 2009 4:32 pm

Hello.

  • Please double-click OTMoveIt3.exe to run it.
  • Press the green CleanUp! button.
  • Press Yes cleanup process prompt.
  • It will start cleaning now, and will want to reboot after, please allow it to do so.
  • It will make a log of what it has removed, but I don't need to see the log.

CPU questions can be posted in the hardware forum, but I might not be able to help; I know nothing about hardware, hence why I'm here in the software world.


Solved Re: infected with a trojan.brisv.A!inf

Post by ba2269 on Sun Feb 08, 2009 4:40 pm

Just one last question: what kind of risk have I been exposed to for about a week, and should I worry about info being compromised? thx again.

Solved Re: infected with a trojan.brisv.A!inf

Post by Belahzur on Sun Feb 08, 2009 4:45 pm

Hello.
Nope, no info was compromised.


Solved Re: infected with a trojan.brisv.A!inf

Post by Doctor Inferno on Mon Jul 06, 2009 3:16 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno | Administrator | Posts : 12017 | Joined : 2007-12-26 | Gender : Male | OS : Windows 7 Home Premium and Ultimate X64
