[Resolved] Malware and system restore errors
PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs
  #8  
Old 02-21-2007
kohl
Bronze Member
Join Date: Feb 2007
Posts: 16

I really don't think my computer wants to play! I tried running the scan, but Avast seems to have detected this nasty file within it:

acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL

so I had to abort and can't finish running it!


  #9  
Old 02-21-2007
valis
Senior Security Analyst
Join Date: Jan 2007
Location: texas, USA
Posts: 2,672
PC Experience: PC Illiterate

What did it say? The error message, I mean. Also, rename hjt.exe to something like puppy.exe and run it again, please. Something is fishy here. I need to see what's on your machine, so I may be asking you to run some other stuff in the very near future.

Thanks for your patience,

v


__________________
M.C.S.A.
M.C.P - MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall

  #10  
Old 02-21-2007
kohl
Bronze Member
Join Date: Feb 2007
Posts: 16

OK, when I try to run the Panda scan and it gets to about 50%, an Avast warning pops up saying "A Virus Was Found. Avast has stopped the malware before it could enter your computer..."

Its malware name: Win32:CTX

And it prompts me to abort the connection so that the download of the dangerous file will be cancelled.

I've renamed the hijackthis.exe file and re-run it - I've attached the updated logfile
Attached file: hijackthis.log (8.5 KB)


  #11  
Old 02-21-2007
valis
Senior Security Analyst
Join Date: Jan 2007
Location: texas, USA
Posts: 2,672
PC Experience: PC Illiterate

Let's try this one; if this doesn't work we'll move to the rootkits.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

thanks,

v



  #12  
Old 02-21-2007
kohl
Bronze Member
Join Date: Feb 2007
Posts: 16

Thanks, I'm currently running the Dr.Web scanner. The express scan didn't pick up anything, but before that I'd set Avast to scan again, and it did pick up a trojan named win32:zapchast-z (trj) located in

c:\system volume information\_restore{3d3d/..........\close.dll

I tried to put it in Avast's chest, but it came up with an error message at the end, saying "An error occurred during moving file to chest. The operation is not supported by this type of archive."

Is it safe to try to delete this file instead?

**EDIT**

The scan also picked up the same trojan. It didn't automatically ask if I wanted to cure or move the infected file; it says it's incurable, so would I need to move or delete it? I've saved the report to my desktop.



Last edited by kohl; 02-21-2007 at 04:10 PM.
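Added example, written for this thread and not code from kohl's or valis's posts or from any of the scanners named here. The two paths Avast reported above are not ordinary files: one is a member of a .cab that was still being downloaded (the Panda ActiveScan engine archive), the other is a System Restore snapshot copy under System Volume Information. A snapshot copy only becomes live again if that restore point is applied, so the usual remedy once the live system is clean is to purge the restore points rather than chase the copy. The helper below classifies a detection path into those two cases or a plain file; the sample paths are constructed, and the restore-point GUID is a placeholder, not the truncated one from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the thread or from any scanner it names.
# Classifies an AV-reported path by where the flagged object really lives.

ARCHIVE_EXTS = (".cab", ".zip", ".rar", ".7z", ".jar", ".msi")

# Windows XP System Restore keeps snapshot copies under
# <drive>\System Volume Information\_restore{<GUID>}\RP<n>\...
RESTORE_RE = re.compile(
    r"^(?:[a-z]:)?[\\/]system volume information[\\/]_restore\{[0-9a-f-]+\}",
    re.IGNORECASE,
)


@dataclass
class Triage:
    path: str
    kind: str                  # "restore-point", "archive-member" or "file"
    container: Optional[str]   # restore point or archive that holds the object
    member: Optional[str]      # the flagged object's path inside the container
    handling: str


def classify(path: str) -> Triage:
    """Decide what kind of object an AV detection path points at."""
    p = path.strip()
    if m := RESTORE_RE.match(p):
        return Triage(p, "restore-point", m.group(0), p[m.end():].lstrip("\\/"),
                      "snapshot copy: inert unless that restore point is used; "
                      "purge restore points once the live system is clean")
    low = p.lower()
    for ext in ARCHIVE_EXTS:
        for sep in ("\\", "/"):          # AV logs mix URL and Windows separators
            idx = low.find(ext + sep)
            if idx != -1:
                cut = idx + len(ext)
                return Triage(p, "archive-member", p[:cut], p[cut + 1:],
                              "detection is of an archive member; act on the "
                              "container, which may be nothing more than a download")
    return Triage(p, "file", None, None, "live file: quarantine or delete directly")


# Constructed sample paths (the GUID is a placeholder, not the poster's).
SAMPLE_PATHS = [
    r"acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL",
    r"C:\System Volume Information\_restore{A1B2C3D4-0000-4000-8000-000000000000}\RP9\A0000123.dll",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS",
]

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        t = classify(sample)
        print(f"{t.kind:<15} {t.path}\n{'':<15} {t.handling}")
```

The archive check deliberately requires a separator after the extension, so a bare `C:\foo.cab` is treated as a file (the container itself) and only `foo.cab\member` is split into container and member.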
  #13  
Old 02-21-2007
valis
Senior Security Analyst
Join Date: Jan 2007
Location: texas, USA
Posts: 2,672
PC Experience: PC Illiterate

Let's try this one... getting closer, at least.

Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
Please paste that information here for me with a new HijackThis log.



  #14  
Old 02-21-2007
kohl
Bronze Member
Join Date: Feb 2007
Posts: 16

OK, here's the log from Super Antispyware:

SUPERAntiSpyware Scan Log
Generated 02/21/2007 at 07:23 PM

Application Version : 3.5.1016

Core Rules Database Version : 3186
Trace Rules Database Version: 1196

Scan type : Complete Scan
Total Scan Time : 01:07:08

Memory items scanned : 435
Memory threats detected : 0
Registry items scanned : 5405
Registry threats detected : 28
File items scanned : 57878
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

And the new hijackthis log is attached!
Attached file: hijackthis.log (9.0 KB)
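Added example, written for this thread and not code from kohl's posts, from SUPERAntiSpyware or from PC Help Forum: a parser for the scan-log format kohl posted above, followed by the triage a practitioner would do on it by hand. All 28 registry hits belong to one kernel driver service, `oreans32`, registered in every control set (so it survives a "Last Known Good" boot) plus a `LEGACY_OREANS32` node under `Enum\Root`, which the Plug and Play manager creates the first time a non-PnP driver service is actually started; its presence shows the driver has loaded, not merely been registered. The log is reproduced as the sample input with the spaces the forum inserted into long key names removed. Matching the flagged .sys to its service by file stem is a heuristic, not something the log format guarantees.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the thread. LOG is kohl's posted SUPERAntiSpyware
# log, reproduced as sample input (forum-inserted spaces removed).
LOG = r"""SUPERAntiSpyware Scan Log
Generated 02/21/2007 at 07:23 PM
Application Version : 3.5.1016
Core Rules Database Version : 3186
Trace Rules Database Version: 1196
Scan type : Complete Scan
Total Scan Time : 01:07:08
Memory items scanned : 435
Memory threats detected : 0
Registry items scanned : 5405
Registry threats detected : 28
File items scanned : 57878
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
"""

KV_RE = re.compile(r"^(?P<k>[A-Za-z][A-Za-z /]*?)\s*:\s*(?P<v>\S.*)$")  # header "key : value"
REG_RE = re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.I)                       # registry hit
FILE_RE = re.compile(r"^[A-Za-z]:\\")                                    # file hit
NAME_RE = re.compile(r"^[A-Za-z][\w.-]*$")                               # e.g. Unclassified.Oreans32
SERVICE_RE = re.compile(r"\\Services\\([^\\#]+)", re.I)
LEGACY_RE = re.compile(r"\\Enum\\Root\\LEGACY_([^\\#]+)", re.I)
CSET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\", re.I)


@dataclass
class Detection:
    name: str
    registry: list = field(default_factory=list)
    files: list = field(default_factory=list)


def parse_sas_log(text):
    """Split the log into header key/values and per-detection registry/file lists."""
    header, detections, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if REG_RE.match(line) or FILE_RE.match(line):
            if cur is None:
                raise ValueError("entry before any detection name: " + line)
            (cur.registry if REG_RE.match(line) else cur.files).append(line)
        elif (m := KV_RE.match(line)):
            header[m["k"].strip()] = m["v"].strip()
        elif NAME_RE.match(line):
            cur = Detection(line)
            detections.append(cur)
        # blank lines, the title line and the "Generated ..." line fall through
    return header, detections


def counts_consistent(header, detections):
    """Cross-check the header's threat counts against the entries actually listed."""
    reg = sum(len(d.registry) for d in detections)
    files = sum(len(d.files) for d in detections)
    return (int(header["Registry threats detected"]) == reg
            and int(header["File threats detected"]) == files)


def driver_services(det):
    """Group registry hits by service: which control sets carry it, whether a
    LEGACY_<NAME> root-enumerated node exists (PnP creates it when a non-PnP
    driver service first starts, so the driver has really loaded), and which
    flagged .sys matches it by file stem (a heuristic, assumed here)."""
    svcs = {}

    def slot(name):
        return svcs.setdefault(name.lower(),
                               {"control_sets": set(), "legacy_node": False, "images": []})

    for entry in det.registry:
        if (m := SERVICE_RE.search(entry)):
            cs = CSET_RE.search(entry)
            slot(m[1])["control_sets"].add(cs[1] if cs else "?")
        if (m := LEGACY_RE.search(entry)):
            slot(m[1])["legacy_node"] = True
    for path in det.files:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem in svcs:
            svcs[stem]["images"].append(path)
    return svcs
```

Running `parse_sas_log(LOG)` and then `driver_services` on the single detection gives one service, `oreans32`, present in ControlSet001, ControlSet002, ControlSet003 and CurrentControlSet, with `legacy_node` set and `C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS` as its image; `counts_consistent` confirms the 28 registry and 1 file entries match the header, which is worth checking before acting on a log that may have been truncated or word-wrapped by a forum.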


