Script Virus problem

View previous topic View next topic Go down

Script Virus problem

Post by arunvss on Tue May 26, 2009 6:05 am

Hi,

I am a web designer. Recently i have uploded two sites but it is not loading correctly in web server. it is working fine in my pc. our hosting people said my files infected with script viruses. how can i remove this? plz help me?

arunvss
Novice
Novice

Posts Posts : 6
Joined Joined : 2009-05-26
OS OS : XP
Points Points : 27518
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Doctor Inferno on Tue May 26, 2009 9:31 am

Hello arunvss, welcome to GeekPolice.

Please read this: [You must be registered and logged in to see this link.]

And post your HijackThis log here.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104600
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Origin on Wed May 27, 2009 12:54 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Hijack this log file

Post by arunvss on Wed May 27, 2009 12:35 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:08 PM, on 27-05-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAMS\FGUARD\FGKey.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\FlashGet\flashget.exe
C:\WFXSWTCH.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Documents and Settings\Arun.INTIME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Opera 9\Opera.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O4 - HKLM\..\Run: [FG_Monitor] C:\PROGRAMS\FGUARD\FGKey.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [WFXSwtch] \WFXSWTCH.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [FreeCall] "C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arun.INTIME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 8643 bytes

arunvss
Novice
Novice

Posts Posts : 6
Joined Joined : 2009-05-26
OS OS : XP
Points Points : 27518
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Origin on Thu May 28, 2009 1:08 am


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.




Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by arunvss on Thu May 28, 2009 7:16 am

Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 3

28-05-2009 11:16:23 AM
mbam-log-2009-05-28 (11-16-23).txt

Scan type: Quick Scan
Objects scanned: 185364
Time elapsed: 19 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\Arun\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Arun\application data\getmodule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\application data\getmodule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\application data\getmodule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.Data) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\favorites\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\favorites\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\favorites\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\favorites\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Arun\Favorites\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk (Rogue.av360) -> Quarantined and deleted successfully.

arunvss
Novice
Novice

Posts Posts : 6
Joined Joined : 2009-05-26
OS OS : XP
Points Points : 27518
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Belahzur on Fri May 29, 2009 3:04 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Script Virus problem

Post by arunvss on Sun May 31, 2009 6:06 am

DDS (Ver_09-05-14.01) - NTFSx86
Run by Arun at 10:03:49.87 on 31-05-2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1525.954 [GMT 4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRAMS\FGUARD\FGKey.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WFXSWTCH.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Documents and Settings\Arun.INTIME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Voice2Clear\Voice2Clear\Voice2Clear.exe
C:\WINDOWS\system32\rsvp.exe
C:\Documents and Settings\Arun.INTIME\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [Google Update] "c:\documents and settings\arun.intime\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Yahoo Messenger]
mRun: [FG_Monitor] c:\programs\fguard\FGKey.exe /Start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Flashget] c:\program files\flashget\flashget.exe /min
mRun: [WFXSwtch] \WFXSWTCH.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 Copystar;Copystar;c:\windows\system32\drivers\copystar.sys [2002-6-1 82400]
R2 713xTVCard;SAA7130 TV Card;c:\windows\system32\drivers\SAA713x.sys [2009-3-3 279552]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 FGUARD32;FGUARD32;c:\programs\fguard\FGUARD32.SYS [2009-5-6 54480]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-5-20 331312]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2009-3-3 25984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-9 101936]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\HssDrv.sys [2009-5-20 33840]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090530.017\NAVENG.SYS [2009-5-31 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090530.017\NAVEX15.SYS [2009-5-31 876144]
R3 PAC7311;PLEOMAX PWC-2100 Pleo Chat Cam ;c:\windows\system32\drivers\PA707UCM.SYS [2007-3-14 449024]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-5-21 34352]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-4-20 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-4-20 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-4-20 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-4-20 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-4-20 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-4-20 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-4-20 115752]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-5-9 1251720]

=============== Created Last 30 ================

2009-05-28 19:51 --d----- c:\program files\Voice2Clear
2009-05-28 10:53 --d----- c:\docume~1\arun~1.int\applic~1\Malwarebytes
2009-05-28 10:53 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 10:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 10:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 10:53 --d----- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
2009-05-27 16:37 --d----- c:\program files\Trend Micro
2009-05-27 10:14 41,984 a------- c:\windows\system32\ImpulseCheckBox.oca
2009-05-27 10:14 15,872 a------- c:\windows\system32\ImpulseSplashScreen.oca
2009-05-27 10:14 79,872 a------- c:\windows\system32\ImpulseButton.oca
2009-05-27 10:14 44,032 a------- c:\windows\system32\ImpulseFrame.oca
2009-05-27 10:14 37,376 a------- c:\windows\system32\ImpulseOptionButton.oca
2009-05-27 10:14 33,792 a------- c:\windows\system32\ImpulseAniLabel.oca
2009-05-27 10:13 --d----- c:\program files\Ingenuware
2009-05-25 23:25 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-05-25 23:25 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-25 23:25 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-05-25 23:25 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-05-24 23:41 1,365 a------- c:\windows\_isenv31.ini
2009-05-24 23:41 521 a------- c:\windows\_iserr31.ini
2009-05-24 18:59 --d----- C:\Hotspot Shield
2009-05-24 14:14 --d----- c:\program files\Data Doctor Bulk SMS (Demo)
2009-05-21 03:23 221,184 a------- c:\windows\system32\wmpns.dll
2009-05-20 23:54 33,840 a------- c:\windows\system32\drivers\HssDrv.sys
2009-05-19 00:44 --d----- c:\program files\Hotspot Shield
2009-05-18 14:43 --d----- c:\docume~1\alluse~2.win\applic~1\Azureus
2009-05-18 14:42 --d----- c:\docume~1\arun~1.int\applic~1\Azureus
2009-05-17 21:56 --d----- C:\pebuilder3110a
2009-05-17 21:50 --d----- C:\DriveKey
2009-05-16 21:29 --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-05-16 21:29 --d----- c:\program files\VideoLAN
2009-05-16 21:26 --d----- c:\program files\Graboid
2009-05-15 20:54 --d----- c:\docume~1\arun~1.int\applic~1\XnView
2009-05-15 20:50 --d----- c:\program files\XnView
2009-05-14 11:47 --d----- c:\program files\Easy Uploader
2009-05-09 15:50 --d----- c:\program files\Veoh Networks
2009-05-09 11:00 --d----- c:\program files\Norton AntiVirus
2009-05-09 11:00 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-09 11:00 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-09 11:00 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-09 11:00 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-07 08:59 --d----- c:\windows\system32\KB905474
2009-05-06 11:25 --d----- c:\docume~1\arun~1.int\applic~1\Folder Guard
2009-05-06 11:22 --d----- C:\PROGRAMS
2009-05-04 15:12 0 a------- C:\71.tmp

==================== Find3M ====================

2009-04-15 14:53 921,632 a------- C:\PA7311.DAT
2009-04-11 12:04 201,828 a---h--- c:\windows\system32\mlfcache.dat
2009-03-13 10:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-07 09:10 2,678 a------- c:\windows\java\packages\data\C6GH3XRH.DAT
2009-03-07 09:10 2,678 a------- c:\windows\java\packages\data\BJLZFRHJ.DAT
2009-03-07 09:10 2,678 a------- c:\windows\java\packages\data\7HN1FFV7.DAT
2009-03-07 09:10 2,678 a------- c:\windows\java\packages\data\1BVRRDBB.DAT
2009-03-06 18:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 08:42 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-03 09:34 110,055 a------- c:\windows\hpoins08.dat
2009-03-03 08:28 315,392 a------- c:\windows\HideWin.exe
2009-03-03 08:07 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 10:04:12.50 ===============

arunvss
Novice
Novice

Posts Posts : 6
Joined Joined : 2009-05-26
OS OS : XP
Points Points : 27518
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Belahzur on Sun May 31, 2009 12:48 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Java(TM) 6 Update 12

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    c:\docume~1\alluse~2.win\applic~1\Azureus
    c:\docume~1\arun~1.int\applic~1\Azureus
    C:\71.tmp


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Script Virus problem

Post by arunvss on Mon Jun 01, 2009 3:37 am

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06012009_073451

arunvss
Novice
Novice

Posts Posts : 6
Joined Joined : 2009-05-26
OS OS : XP
Points Points : 27518
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Belahzur on Mon Jun 01, 2009 1:57 pm

Hello.
I think you missed :files as the top line in the script.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

OTMoveIt3 log

Post by arunvss on Mon Jun 01, 2009 2:34 pm

========== FILES ==========
c:\docume~1\alluse~2.win\applic~1\Azureus moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\tmp moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\shares moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\plugins\azupnpav moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\plugins moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\net moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\logs moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\dht moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus\active moved successfully.
c:\docume~1\arun~1.int\applic~1\Azureus moved successfully.
C:\71.tmp moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06012009_183250

arunvss
Novice
Novice

Posts Posts : 6
Joined Joined : 2009-05-26
OS OS : XP
Points Points : 27518
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Script Virus problem

Post by Belahzur on Mon Jun 01, 2009 3:13 pm

Hello. Fix this leftover.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


  • Press "Fix Checked"
  • Close Hijack This.

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This release is Windows 7 support-ready and includes support for Internet Explorer 8...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java versions.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version.

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes cleanup process prompt, do the same for the reboot prompt.
How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum