> Please help with my HijackThis Log

kelvynlaw
post Oct 20 2007, 11:24 AM, updated 12y ago

New Member
*
Group: Junior Member
Posts: 25

Joined: Feb 2005


Hi, I am having a problem: every time I double-click on a disk drive in My Computer, it opens up a new window.
Below is my HijackThis log.
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:15:12 AM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.routerlogin.net/start.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winboot] wscript.exe /E:vbs C:\WINDOWS\boot.ini
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\.MS32DLL.dll.vbs
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe


SubKi||er
post Oct 20 2007, 11:58 AM


I think you have yourself a VBS script worm. PM Sempurna or sUBs with the link to this thread.
sUBs
post Oct 20 2007, 01:32 PM

RIP
Retired Tech Support mod
Group: VIP
Posts: 3,941

Joined: Jan 2005
Download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\boot.ini
C:\WINDOWS\.MS32DLL.dll.vbs


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/submit-malware.php?channel=4
Please include a link to this topic in the message.

Then post back here to inform me

kelvynlaw
post Oct 20 2007, 02:28 PM


Thanks for the response.
sUBs, I have sent the archive.
sUBs
post Oct 20 2007, 02:44 PM

It's called "Worm.VBS.Sasan.a". Kaspersky, NOD32 & AntiVir detect it well.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Added on October 20, 2007, 3:32 pm: After you have posted the Kaspersky scan report, download & run the updated copy of Flash_Disinfector

kelvynlaw
post Oct 20 2007, 04:55 PM


I have just done the scan, and this is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 20, 2007 4:55:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/10/2007
Kaspersky Anti-Virus database records: 441403
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 55725
Number of viruses found: 1
Number of infected objects: 68
Number of suspicious objects: 0
Duration of the scan process: 00:35:36

Infected Object Name / Virus Name / Last Action
C:\.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masdata.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masevents.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Desktop\requested-files[2007-10-20_14_25].cab/C:/WINDOWS/boot.ini Infected: Worm.VBS.Sasan.a skipped
C:\Documents and Settings\Darren Law\Desktop\requested-files[2007-10-20_14_25].cab/C:/WINDOWS/.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped
C:\Documents and Settings\Darren Law\Desktop\requested-files[2007-10-20_14_25].cab CAB: infected - 2 skipped
C:\Documents and Settings\Darren Law\Local Settings\Application Data\ApplicationHistory\cli.exe.c<no spam links>d71.ini.inuse Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Temp\JETBD06.tmp Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Temp\Perflib_Perfdata_98.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Temp\Perflib_Perfdata_fc8.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Temp\Perflib_Perfdata_fd4.dat Object is locked skipped
C:\Documents and Settings\Darren Law\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darren Law\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Darren Law\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Acer\Acer eConsole\AcerDB.ldb Object is locked skipped
C:\Program Files\Acer\Acer eConsole\AcerDB.mdb Object is locked skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc16.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc17.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc19.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc21.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc23.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc25.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc27.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc29.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc31.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc33.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc35.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-500\Dc1.vbs Infected: Worm.VBS.Sasan.a skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-500\Dc3.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047253.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047267.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047268.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047284.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047285.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047288.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047323.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047325.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047327.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047359.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047360.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047363.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047382.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047383.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047384.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047385.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047386.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047414.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047415.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047418.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047449.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047450.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047454.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047486.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047487.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047518.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047550.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047551.ini Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047556.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\change.log Object is locked skipped
C:\WINDOWS\.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped
C:\WINDOWS\boot.ini Infected: Worm.VBS.Sasan.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\JET4649.tmp Object is locked skipped
C:\WINDOWS\temp\JET6D.tmp Object is locked skipped
C:\WINDOWS\temp\JETABA8.tmp Object is locked skipped
C:\WINDOWS\temp\RMSD8.tmp Object is locked skipped
C:\WINDOWS\temp\RMSD9.tmp Object is locked skipped
C:\WINDOWS\temp\sqlite_bc38xZg6eZ1zgdG Object is locked skipped
C:\WINDOWS\temp\sqlite_idVjXkvMFvljeqV Object is locked skipped
C:\WINDOWS\temp\sqlite_IMw2mOT33bmfrpp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047255.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047291.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047330.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047366.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047387.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047388.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047389.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047421.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047457.vbs Infected: Worm.VBS.Sasan.a skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\change.log Object is locked skipped
D:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047558.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd1.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd3.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd5.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd7.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd9.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd11.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd13.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd16.vbs Infected: Worm.VBS.Sasan.a skipped
D:\Recycled\Dd18.vbs Infected: Worm.VBS.Sasan.a skipped
D:\.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped

Scan process completed.

edit: added the text file attachment



Attached file: Kaspersky_Scan.txt (29.02k)
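A small parser for the report above, written as an added example and not part of the original thread. It separates the real "Infected:" hits from the "Object is locked" noise the online scanner emits for open system files, groups the hits by where they sit on disk (System Restore cache, Recycle Bin, drive root, Windows directory), and lists the paths that are still live rather than cached copies. The embedded SAMPLE_REPORT is constructed from a subset of the posted report lines; the bucket names are this example's own, not scanner terminology.

```python
"""Summarise a Kaspersky Online Scanner text report (added example).

Not part of the original thread. Splits "Infected:" hits from the
"Object is locked" noise, groups the hits by location and lists the
paths that are still live (outside System Restore and the Recycle Bin).
"""
import re
from collections import Counter

# Constructed sample: a subset of the posted report, one line per location type.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masdata.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-2513525011-2520587831-3211879884-1006\Dc16.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047253.vbs Infected: Worm.VBS.Sasan.a skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP200\A0047268.ini Infected: Worm.VBS.Sasan.a skipped
C:\WINDOWS\.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped
C:\WINDOWS\boot.ini Infected: Worm.VBS.Sasan.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
D:\Recycled\Dd1.vbs Infected: Worm.VBS.Sasan.a skipped
D:\.MS32DLL.dll.vbs Infected: Worm.VBS.Sasan.a skipped

Scan process completed.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")


def parse_report(text):
    """Return (infected, locked): lists of dicts with path/name/action."""
    infected, locked = [], []
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            infected.append(m.groupdict())
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.groupdict())
    return infected, locked


def classify(path):
    """Bucket a Windows path by the kind of location the hit sits in."""
    rest = [p.lower() for p in path.split("\\")[1:]]   # drop the drive letter
    if not rest:
        return "other"
    if rest[0] == "system volume information":
        return "system_restore"   # cached copies; cleared by resetting System Restore
    if rest[0] in ("recycler", "recycled"):
        return "recycle_bin"
    if len(rest) == 1:
        return "drive_root"       # file directly under the drive root
    if rest[0] == "windows":
        return "windows_dir"
    return "other"


def summarise(text):
    """Aggregate a report into counts, drives touched and still-live paths."""
    infected, locked = parse_report(text)
    return {
        "infected": len(infected),
        "locked": len(locked),
        "by_location": dict(Counter(classify(h["path"]) for h in infected)),
        "by_name": dict(Counter(h["name"] for h in infected)),
        "drives": sorted({h["path"][:2] for h in infected}),
        # the online scanner only reports; every action in the posted log is "skipped"
        "all_skipped": all(h["action"] == "skipped" for h in infected),
        # hits outside the System Restore cache and Recycle Bin
        "live_paths": [h["path"] for h in infected
                       if classify(h["path"]) in ("drive_root", "windows_dir")],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample, every drive root and the Windows directory carry a live copy, which is why the later step in the thread resets System Restore only after the live files are gone: the cache entries are copies, not the source of the infection.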
sUBs
post Oct 20 2007, 04:57 PM

Have you run Flash_Disinfector?
kelvynlaw
post Oct 20 2007, 05:04 PM


May I know where to get it? I tried the link provided and it does not seem to work.
sUBs
post Oct 20 2007, 05:07 PM

I fixed the link. Try it now.

If you have any pendrives, attach them to the machine when you run F_Disinfector. If you have multiple pendrives, you may need to run F-Disinfector several times.
kelvynlaw
post Oct 20 2007, 05:09 PM


How about handphone and camera memory cards?
sUBs
post Oct 20 2007, 05:11 PM

If they were plugged in when you got infected, there's every chance those cards are infected too.
kelvynlaw
post Oct 20 2007, 05:14 PM


I have run it four times, because I plugged in two pendrives and two memory cards.
sUBs
post Oct 20 2007, 05:17 PM

Your machine is now disinfected. Just one final step to perform.

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
kelvynlaw
post Oct 20 2007, 05:20 PM


Hmm, I have ticked it, applied, then unticked it again. So what do I need to do next?
sUBs
post Oct 20 2007, 05:24 PM

QUOTE
so what do i need to do next?


Does your machine still have problems?
kelvynlaw
post Oct 20 2007, 05:28 PM


Oh yeah, it's OK now. Thank you very much.

Sorry for asking this, but on my other PC, when I try to open a certain page it closes instantly. I tried using Firefox and Internet Explorer, and both have the same problem.
sUBs
post Oct 20 2007, 05:30 PM

QUOTE
on my another pc when i was trying to open certain page it close instantly. i tried in using firefox and internet explorer both also having the same problem.

You have to be detailed when describing the problem. What page? What closes down?
kelvynlaw
post Oct 20 2007, 05:31 PM


This is one of the URLs I visited when the problem came up:
http://www.wowhead.com/?spells=7.11

The web browser closes down.
sUBs
post Oct 20 2007, 05:39 PM

What version of FF/IE do you have?

That does not sound like a malware related issue. Nevertheless show me a Hijackthis log from that machine
kelvynlaw
post Oct 20 2007, 05:51 PM


My FF version is 2.0.0.7;
IE is 6.0.

And this is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:38 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\CourseFolder\xampp\apache\bin\apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\CourseFolder\xampp\FileZillaFTP\FileZillaServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\CourseFolder\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
E:\CourseFolder\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelvyn Law\Desktop\HijackThis.exe

O1 - Hosts: 70.87.69.74 63.216.32.69
O1 - Hosts: 24.23.38.160 61.152.116.62
O1 - Hosts: 69.80.225.31 nprotect.ryl.com.my
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\.MS32DLL.dll.vbs
O4 - HKLM\..\Run: [winboot] wscript.exe /E:vbs C:\WINDOWS\boot.ini
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Camera Software\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: OE?1oIi - {FFB2385E-E812-4091-8C12-2370DC67F769} - http://www.eachnet.com/specials/digi.html?..._000_soft0_digi (file missing)
O15 - Trusted Zone: http://ad.32666.com
O15 - Trusted Zone: http://www.32666.com
O15 - Trusted Zone: http://www.4570658.com
O15 - Trusted Zone: http://jm.97779.com
O15 - Trusted Zone: http://u.vlog365.com
O15 - Trusted Zone: http://www.ycdy.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - E:\CourseFolder\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - E:\CourseFolder\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: mysql - Unknown owner - E:\CourseFolder\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceJsHelp - Unknown owner - C:\WINDOWS\system32\playasp.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe