Author Topic: hit by Hakaglan  (Read 10644 times)


beldeti

hit by Hakaglan
« on: 27. October 2007., 05:17:19 »
Greetings all, I googled for Hakaglan fixes and I was referred to this site. 

My updated Bit Defender has failed to move and disinfect the infected files, and I have downloaded a 30-day trial for X-Cleaner.

I'm still downloading Kaspersky to give it a try. In the meantime, I'll paste my HijackThis log for your expert opinions. Please be gentle, this is my first post   :angel:

Thanks to all in advance! ;D

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:06 PM, on 10/27/2007
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\SSCVIIHOST.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\SSCVIIHOST.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\danty\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe SSCVIIHOST.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIIHOST.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIIHOST.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Asp.de - Unknown owner - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9000 bytes

Samker's Computer Forum - SCforum.info
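An added example, not code from this thread or from HijackThis itself, showing the checks an analyst applies when reading a log like the one above: it parses a constructed excerpt of the posted lines and flags the system.ini Shell= hijack, the unrecognised system32 autostarts, the DisableRegedit policy and the orphaned service. The allowlist KNOWN_SYSTEM32_AUTOSTARTS is an assumption for a stock Windows XP machine.

```python
import re

# Constructed excerpt of the HijackThis log posted above (a short sample, not the full log).
SAMPLE_HJT_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"F2 - REG:system.ini: Shell=Explorer.exe SSCVIIHOST.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIIHOST.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIIHOST.exe (User 'SYSTEM')",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O23 - Service: Asp.de - Unknown owner - (no file)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'[^\s"\[\]]+\.exe', re.I)

# Executables that legitimately autostart from system32 on a stock Windows XP box.
# Assumption: extend this allowlist for your own environment.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe"}


def parse_hjt(lines):
    """Split HijackThis lines into (section, body) pairs, e.g. ('O4', 'HKCU\\..\\Run: ...')."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def exe_basenames(body):
    """Lower-cased basenames of every *.exe mentioned in a log line body."""
    names = set()
    for token in EXE_RE.findall(body):
        names.add(token.split("\\")[-1].split("=")[-1].lower())
    return names


def find_suspicious(entries):
    """Return (section, reason) tuples for entries an analyst would pull out of this log."""
    findings = []
    for sec, body in entries:
        if sec == "F2" and "Shell=" in body:
            # system.ini Shell= must name Explorer.exe alone; anything appended is a shell hijack.
            extra = exe_basenames(body) - {"explorer.exe"}
            if extra:
                findings.append((sec, "Shell= hijack: " + ", ".join(sorted(extra))))
        elif sec == "O4" and "system32" in body.lower():
            # Autostart pointing into system32 with an executable that is not a known system component.
            unknown = exe_basenames(body) - KNOWN_SYSTEM32_AUTOSTARTS
            if unknown:
                findings.append((sec, "unrecognised system32 autostart: " + ", ".join(sorted(unknown))))
        elif sec == "O7":
            # Policy restrictions (here DisableRegedit) are a classic way malware blocks cleanup.
            findings.append((sec, "policy restriction: " + body.rsplit(", ", 1)[-1]))
        elif sec == "O23" and body.endswith("(no file)"):
            # A registered service whose binary is gone is either a leftover or an anti-removal trick.
            findings.append((sec, "orphaned service: " + body.split(" - ")[0].replace("Service: ", "")))
    return findings


def autostart_targets(entries, basename):
    """Count how many autostart/shell entries reference a given executable basename."""
    return sum(1 for sec, body in entries if sec in ("F2", "O4") and basename.lower() in exe_basenames(body))


if __name__ == "__main__":
    for sec, reason in find_suspicious(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{sec:4} {reason}")
```

The count from autostart_targets is what tells you a single binary (here SSCVIIHOST.exe) has been wired into both the shell and several Run keys, which is why removing one entry by hand never fixes this kind of infection.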

Samker

Re: hit by Hakaglan
« Reply #1 on: 27. October 2007., 08:54:54 »
Hi Beldeti and welcome to the SCF Community!  :)

We are here to help you and will do our best to resolve this problem.

Since you have already provided us the HJT log, I will ask you to also provide us the logs from the online antivirus scans:

Kaspersky: http://scforum.info/index.php/topic,744.0.html

McAfee: http://scforum.info/index.php/topic,745.0.html


Until you provide us the desired information, we will analyze your HJT log in the next few hours.


Don't worry, we will fix this.  ;)

Regards,

Samker

beldeti

Re: hit by Hakaglan
« Reply #2 on: 27. October 2007., 10:14:32 »
Many thanks for the welcome and the help!

Here's the log of the Kaspersky Online scan:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, October 28, 2007 12:33:11 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2082 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 27/10/2007
 Kaspersky Anti-Virus database records: 419645
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - Critical Areas:
   C:\WINDOWS
   C:\DOCUME~1\danty\LOCALS~1\Temp\

Scan Statistics:
   Total number of scanned objects: 13070
   Number of viruses found: 2
   Number of infected objects: 4
   Number of suspicious objects: 0
   Duration of the scan process: 01:05:20

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\OSession.evt   Object is locked   skipped
C:\WINDOWS\system32\config\ODiag.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SOFTWARE   Object is locked   skipped
C:\WINDOWS\system32\config\SYSTEM   Object is locked   skipped
C:\WINDOWS\system32\config\DEFAULT   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd.sys   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\autorun.ini   Infected: Trojan.Win32.AutoRun.a   skipped
C:\WINDOWS\system32\SSCVIIHOST.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped
C:\WINDOWS\system32\blastclnnn.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped
C:\WINDOWS\system32\bdss.log   Object is locked   skipped
C:\WINDOWS\Temp\tmp00001c8a\tmp00000000   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SSCVIIHOST.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\wiaservc.log   Object is locked   skipped
C:\WINDOWS\wiadebug.log   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{38AF09BC-A127-46FA-9567-C99552A65A4E}.bin   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb   Object is locked   skipped
C:\DOCUME~1\danty\LOCALS~1\Temp\~DFC23A.tmp   Object is locked   skipped

Scan process completed.

beldeti

Re: hit by Hakaglan
« Reply #3 on: 27. October 2007., 10:19:48 »
I'm not sure which log you're requesting me to post, so I'll put in the memory scan log:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, October 28, 2007 12:41:14 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2082 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 27/10/2007
 Kaspersky Anti-Virus database records: 419645
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
   Total number of scanned objects: 1610
   Number of viruses found: 1
   Number of infected objects: 2
   Number of suspicious objects: 0
   Duration of the scan process: 00:01:50

Infected Object Name / Virus Name / Last Action
[880] SSCVIIHOST.exe => C:\WINDOWS\system32\SSCVIIHOST.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped
[2232] SSCVIIHOST.exe => C:\WINDOWS\system32\SSCVIIHOST.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped

Scan process completed.

to be continued in a few hours, as it's 2am already here  :D

Samker

Re: hit by Hakaglan
« Reply #4 on: 27. October 2007., 17:22:17 »
Hi again Beldeti,

It looks like we have a "hard" infection here, but don't worry, I think that together we will resolve this with success. :police:

Now we will clean this in a few "steps", and this is the first one. Please follow my instructions exactly as I "said", and if you don't understand something, please ask for additional explanation:

1. Turn off System Restore (this is most important).
Quote
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

2. Update your Bit Defender AntiVirus.

3. Restart your PC and run again in Safe Mode. Instructions:
Quote
To start the computer in safe mode
1. You should print these instructions before continuing. They will not be available after you shut your computer down in step 2.
2. Click Start and then click Shut Down.
3. In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.
4. As your computer restarts but before Windows launches, press F8. On a computer that is configured for booting to multiple operating systems, you can press F8 when the boot menu appears.
5. Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.
6. If you have a dual-boot or multiple-boot system, choose the installation that you need to access using the arrow keys, and then press ENTER.

Note: If Windows launches before you can choose a safe mode, restart your computer and try again.

In safe mode, you have access to only basic files and drivers (mouse, monitor, keyboard, mass storage, base video, default system services, and no network connections). You can choose the Safe Mode with Networking option, which loads all of the above files and drivers and the essential services and drivers to start networking, or you can choose the Safe Mode with Command Prompt option, which is exactly the same as safe mode except that a command prompt is started instead of the graphical user interface. You can also choose Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

Safe mode helps you diagnose problems. If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

There are circumstances where safe mode will not be able to help you, such as when Windows system files that are required to start the system are corrupted or damaged. In this case, the Recovery Console may help you.

NUM LOCK must be off before the arrow keys on the numeric keypad will function.

4. Run a Full Scan again - BitDefender AV

5. After that, again the Kaspersky Online Scan

6. After that, HijackThis (it's important to turn off all possible programs before running HJT)

7. Provide us the logs from both (Kaspersky and HJT)


I'll be waiting for your next reply.  ;)


Regards,

Samker

beldeti

Re: hit by Hakaglan
« Reply #5 on: 27. October 2007., 19:30:48 »
Thanks for the prompt reply.

I'd like to clarify though, will I run steps 4 to 7 in Safe Mode? Or do I switch back to Normal Mode in between these numbers/steps?

Samker

Re: hit by Hakaglan
« Reply #6 on: 27. October 2007., 22:53:03 »
Quote
I'd like to clarify though, will I run steps 4 to 7 in Safe Mode? Or do I switch back to Normal Mode in between these numbers/steps?


For cleaning & scanning, Safe Mode is always better!  ;)

Try to run only step 4 (Full Scan) in Safe Mode; the most important thing is to run that scan (in Safe Mode or in "Normal Mode").

I say try because I'm not too familiar with BitDefender.




beldeti

Re: hit by Hakaglan
« Reply #7 on: 28. October 2007., 02:04:59 »
I can't run BitDefender in Safe Mode.  A message pops up saying "Failed to launch VirusShield," and that I have to mail support@bitdefender.com about it. 

I've been able to run Kaspersky in Safe Mode though, and the log is below:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, October 28, 2007 10:50:42 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2082 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 28/10/2007
 Kaspersky Anti-Virus database records: 419745
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - Critical Areas:
   C:\WINDOWS
   C:\DOCUME~1\danty\LOCALS~1\Temp\

Scan Statistics:
   Total number of scanned objects: 13069
   Number of viruses found: 2
   Number of infected objects: 4
   Number of suspicious objects: 0
   Duration of the scan process: 00:17:03

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\OSession.evt   Object is locked   skipped
C:\WINDOWS\system32\config\ODiag.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SOFTWARE   Object is locked   skipped
C:\WINDOWS\system32\config\SYSTEM   Object is locked   skipped
C:\WINDOWS\system32\config\DEFAULT   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd.sys   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\autorun.ini   Infected: Trojan.Win32.AutoRun.a   skipped
C:\WINDOWS\system32\SSCVIIHOST.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped
C:\WINDOWS\system32\blastclnnn.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\CSC\00000001   Object is locked   skipped
C:\WINDOWS\SSCVIIHOST.exe   Infected: Trojan-Downloader.Win32.AutoIt.aa   skipped

Scan process completed.


I was doing a full scan of hard drives, 50% in already, 2+ hours, when we had a power interruption :(

Samker

Re: hit by Hakaglan
« Reply #8 on: 28. October 2007., 05:11:34 »
Quote
I was doing a full scan of hard drives, 50% in already, 2+ hours, when we had a power interruption

So sorry about that, but you will first need to make a Full Scan and after that provide us the Kaspersky & HJT (HijackThis) logs, because it's important information for us what BitDefender "says" about the infection and why the clean/delete action failed.

Don't forget to first Turn Off System Restore and update BitDefender.  ;)

I'll wait for your answer.

Samker


beldeti

Re: hit by Hakaglan
« Reply #9 on: 28. October 2007., 05:20:36 »
Yep, System Restore is already off and BitDefender is updated :smile:

Hope we won't have power interruptions tonight so I can make the full scan and complete it this time heheh

So Full Scan on Safe Mode, then Kaspersky and HJT scans afterwards.  Will send logs when I'm done. :)


 
