Tech Support Forum - View Single Post

ggb · 05-20-2005, 08:13 PM

Thanks a lot!

After following your instructions, it seems the Win Min problem has been solved, this is the analyzation

Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 18:44:16, on 20-5-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
D:\Program\Winamp3\Winampnew\winampa.exe
D:\Program\weernieuwespyware\AVGNT.EXE
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
D:\My Downloads\Spyware Doctor\swdoctor.exe
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
D:\Program\weernieuwespyware\AVGUARD.EXE
D:\Program\weernieuwespyware\AVWUPSRV.EXE
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
D:\Program\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://klant.casema.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://klant.casema.nl/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\MYDOWN~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\MYDOWN~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program\Winamp3\Winampnew\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\Program\weernieuwespyware\AVGNT.EXE" /min
O4 - HKLM\..\Run: [THGuard] "D:\My Downloads\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\My Downloads\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program\Nieuwe map\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\NIEUWE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\MYDOWN~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/097fe471...p/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Program\weernieuwespyware\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Program\weernieuwespyware\AVWUPSRV.EXE
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Concerning the trojans, this is the result of TD53

This is the TD53 logfile

18:56:38 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
18:56:38 [Init] Started 20-05-05 18:56:38 West-Europa (standaardtijd) (UTC: -1), Internet Time @747,66
18:56:38 [Init] Loading TDS-3 Systems ...
18:56:38 [Init] Token successfully adjusted.
18:56:38 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
18:56:38 [Init] • Plugins : OK. Loaded 13
18:56:38 [Init] • Exec Protection : Not Installed
18:56:38 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:56:38 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
18:56:38 [Init] Licensed users can use the Update facility from the TDS menu
18:56:38 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:56:42 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:56:42 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
18:56:42 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
18:56:42 [Init] TDS-3 Ready. <Flo@83.83.36.133, 127.0.0.1 - Nederland>
18:56:42 [Tip Of The Day] When using the TCP Connect or UDP Broadcast utilities, you can access the full ASCII character set by typing $$char$$, for example: Hello$$13$$$$10$$ <- The $$13$$$$10$$ bit would be replaced with Chr$(13) and Chr$(10) (carriage return & line-feed respectively)
18:56:42 [TDS] Good evening Flo. What time do you finish work tonight?
18:56:45 [Mutex Memory Scan] Started...
18:56:46 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:56:46 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:57:06 [CRC32] Started - verifying 29 files ...
18:57:07 [CRC32] File doesn't exist: C:\autoexec.bat
18:57:09 [CRC32] Test finished.
18:57:48 [Memory Scan] Memory scan started, please wait a moment ...
18:57:49 [Memory Scan] Memory scan complete.
18:57:49 [Mutex Memory Scan] Started...
18:57:51 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:57:51 [Trace Scan] Started...
18:57:56 [Trace Scan] Finished.
18:57:56 [ServiceScan] Scanning for services and drivers ...
18:58:07 [Locked File] Couldn't open c:\windows\svcproc.exe for read access, file is locked
18:58:08 [ServiceScan] Scanned 274 services and drivers.
18:58:08 [File Scan] Scanning in A:\ ...
18:58:09 [File Scan] Scanned 0 files: 0 alarms in 1,1875 seconds (Avg 1, files/sec)
18:58:09 [File Scan] Scanning in C:\ ...
19:00:55 [Locked File] Couldn't open c:\windows\dstart51.exe for read access, file is locked
19:00:56 [Locked File] Couldn't open c:\windows\dstart52.exe for read access, file is locked
19:00:57 [Locked File] Couldn't open c:\windows\dstart61.exe for read access, file is locked
19:00:57 [Locked File] Couldn't open c:\windows\dstart62.exe for read access, file is locked
19:01:13 [Locked File] Couldn't open c:\windows\svcproc.exe for read access, file is locked
19:04:07 [Locked File] Couldn't open c:\windows\downloaded program files\f10213.exe for read access, file is locked
19:05:14 [Locked File] Couldn't open c:\windows\isrvs\edmond.exe for read access, file is locked
23:21:34 [TDS] Good evening Flo.
23:32:33 [File Scan] Scanned 19232 files: 2 alarms in 16462,23 seconds (Avg 2,17 files/sec)
23:32:35 [File Scan] Scanning in D:\ ...
23:58:02 [File Scan] Scanned 33941 files: 356 alarms in 1526,891 seconds (Avg 23,23 files/sec)
23:58:02 [File Scan] Scanning in E:\ ...
23:58:02 [File Scan] Scanned 0 files: 356 alarms in 0,015625 seconds (Avg 1, files/sec)
23:58:02 [File Scan] Scanning in F:\ ...
23:58:02 [File Scan] Scanned 0 files: 356 alarms in 0 seconds (Avg -1,#IND files/sec)
23:58:02 [Scan] Finished.

The alarms are posted here:

Scan Control Dumped @ 03:56:51 21-05-05
Suspicious Filename: HTA file in suspicious location
File: c:\d25c119d.hta

Positive identification: Pornware.Dialer.Star.e
File: c:\windows\p2p[p2p-10116,de,1].exe

Positive identification: Trojan.Win32.Likes
File: d:\program\weernieuwespyware\infected\a0056788.exe.vir

Positive identification: Trojan.Win32.Likes
File: d:\program\weernieuwespyware\infected\a0056789.exe.vir

Positive identification: Trojan.Win32.Likes
File: d:\program\weernieuwespyware\infected\a0056790.exe.vir

Positive identification: Trojan.Win32.Likes
File: d:\program\weernieuwespyware\infected\a0056795.exe.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0056796.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0056797.dll.vir

Positive identification: Trojan.Win32.Likes
File: d:\program\weernieuwespyware\infected\a0060514.exe.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0062515.dll.vir

Positive identification: Trojan.Win32.Likes
File: d:\program\weernieuwespyware\infected\a0062516.exe.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0062876.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0063915.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0063916.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0063974.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\a0063975.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.002

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.003

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.004

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.005

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.006

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.007

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.008

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.009

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.010

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.011

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.012

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.013

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.014

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.015

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.016

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.017

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.018

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.019

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.020

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.021

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.022

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.023

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.024

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.025

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.026

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.027

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.028

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.029

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.030

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.bin.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.002

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.003

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.004

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.005

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.006

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.007

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.008

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.dll.vir

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.002

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.003

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.004

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.005

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.006

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.007

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.008

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.009

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.010

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.011

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.012

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.013

Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll)
File: d:\program\weernieuwespyware\infected\ap0.tmp.014

05-20-2005, 08:13 PM	#3 (permalink)
ggb Registered User Join Date: May 2005 Posts: 5 OS: Win XP	Thanks a lot! After following your instructions, it seems the Win Min problem has been solved, this is the analyzation Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 18:44:16, on 20-5-2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe D:\Program\Winamp3\Winampnew\winampa.exe D:\Program\weernieuwespyware\AVGNT.EXE C:\progra~1\mcafee\MCAFEE~1\MssCli.exe D:\My Downloads\Spyware Doctor\swdoctor.exe C:\Program Files\Casema SnelHelp\bin\mpbtn.exe D:\Program\weernieuwespyware\AVGUARD.EXE D:\Program\weernieuwespyware\AVWUPSRV.EXE c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe D:\Program\hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://klant.casema.nl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://klant.casema.nl/ O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\MYDOWN~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\MYDOWN~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe" O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [WinampAgent] D:\Program\Winamp3\Winampnew\winampa.exe O4 - HKLM\..\Run: [AVGCtrl] "D:\Program\weernieuwespyware\AVGNT.EXE" /min O4 - HKLM\..\Run: [THGuard] "D:\My Downloads\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe O4 - HKCU\..\Run: [Spyware Doctor] "D:\My Downloads\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program\Nieuwe map\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\NIEUWE~1\Office10\EXCEL.EXE/3000 O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\MYDOWN~1\SPYWAR~1\tools\iesdpb.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/097fe471...p/RdxIE601.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Program\weernieuwespyware\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Program\weernieuwespyware\AVWUPSRV.EXE O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe End of KRC HijackThis Analyzer Log. ==================================================================== Concerning the trojans, this is the result of TD53 This is the TD53 logfile 18:56:38 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED) 18:56:38 [Init] Started 20-05-05 18:56:38 West-Europa (standaardtijd) (UTC: -1), Internet Time @747,66 18:56:38 [Init] Loading TDS-3 Systems ... 18:56:38 [Init] Token successfully adjusted. 18:56:38 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum 18:56:38 [Init] • Plugins : OK. Loaded 13 18:56:38 [Init] • Exec Protection : Not Installed 18:56:38 [Init] WARNING: Your Radius.TD3 database needs to be updated! 18:56:38 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 18:56:38 [Init] Licensed users can use the Update facility from the TDS menu 18:56:38 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 18:56:42 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families 18:56:42 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other] 18:56:42 [Init] Radius Systems loaded. <Databases updated 14-10-2004> 18:56:42 [Init] TDS-3 Ready. <Flo@83.83.36.133, 127.0.0.1 - Nederland> 18:56:42 [Tip Of The Day] When using the TCP Connect or UDP Broadcast utilities, you can access the full ASCII character set by typing $$char$$, for example: Hello$$13$$$$10$$ <- The $$13$$$$10$$ bit would be replaced with Chr$(13) and Chr$(10) (carriage return & line-feed respectively) 18:56:42 [TDS] Good evening Flo. What time do you finish work tonight? 18:56:45 [Mutex Memory Scan] Started... 18:56:46 [Mutex Memory Scan] Finished (no trojan mutexes found). 18:56:46 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering. 18:57:06 [CRC32] Started - verifying 29 files ... 18:57:07 [CRC32] File doesn't exist: C:\autoexec.bat 18:57:09 [CRC32] Test finished. 18:57:48 [Memory Scan] Memory scan started, please wait a moment ... 18:57:49 [Memory Scan] Memory scan complete. 18:57:49 [Mutex Memory Scan] Started... 18:57:51 [Mutex Memory Scan] Finished (no trojan mutexes found). 18:57:51 [Trace Scan] Started... 18:57:56 [Trace Scan] Finished. 18:57:56 [ServiceScan] Scanning for services and drivers ... 18:58:07 [Locked File] Couldn't open c:\windows\svcproc.exe for read access, file is locked 18:58:08 [ServiceScan] Scanned 274 services and drivers. 18:58:08 [File Scan] Scanning in A:\ ... 18:58:09 [File Scan] Scanned 0 files: 0 alarms in 1,1875 seconds (Avg 1, files/sec) 18:58:09 [File Scan] Scanning in C:\ ... 19:00:55 [Locked File] Couldn't open c:\windows\dstart51.exe for read access, file is locked 19:00:56 [Locked File] Couldn't open c:\windows\dstart52.exe for read access, file is locked 19:00:57 [Locked File] Couldn't open c:\windows\dstart61.exe for read access, file is locked 19:00:57 [Locked File] Couldn't open c:\windows\dstart62.exe for read access, file is locked 19:01:13 [Locked File] Couldn't open c:\windows\svcproc.exe for read access, file is locked 19:04:07 [Locked File] Couldn't open c:\windows\downloaded program files\f10213.exe for read access, file is locked 19:05:14 [Locked File] Couldn't open c:\windows\isrvs\edmond.exe for read access, file is locked 23:21:34 [TDS] Good evening Flo. 23:32:33 [File Scan] Scanned 19232 files: 2 alarms in 16462,23 seconds (Avg 2,17 files/sec) 23:32:35 [File Scan] Scanning in D:\ ... 23:58:02 [File Scan] Scanned 33941 files: 356 alarms in 1526,891 seconds (Avg 23,23 files/sec) 23:58:02 [File Scan] Scanning in E:\ ... 23:58:02 [File Scan] Scanned 0 files: 356 alarms in 0,015625 seconds (Avg 1, files/sec) 23:58:02 [File Scan] Scanning in F:\ ... 23:58:02 [File Scan] Scanned 0 files: 356 alarms in 0 seconds (Avg -1,#IND files/sec) 23:58:02 [Scan] Finished. The alarms are posted here: Scan Control Dumped @ 03:56:51 21-05-05 Suspicious Filename: HTA file in suspicious location File: c:\d25c119d.hta Positive identification: Pornware.Dialer.Star.e File: c:\windows\p2p[p2p-10116,de,1].exe Positive identification: Trojan.Win32.Likes File: d:\program\weernieuwespyware\infected\a0056788.exe.vir Positive identification: Trojan.Win32.Likes File: d:\program\weernieuwespyware\infected\a0056789.exe.vir Positive identification: Trojan.Win32.Likes File: d:\program\weernieuwespyware\infected\a0056790.exe.vir Positive identification: Trojan.Win32.Likes File: d:\program\weernieuwespyware\infected\a0056795.exe.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0056796.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0056797.dll.vir Positive identification: Trojan.Win32.Likes File: d:\program\weernieuwespyware\infected\a0060514.exe.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0062515.dll.vir Positive identification: Trojan.Win32.Likes File: d:\program\weernieuwespyware\infected\a0062516.exe.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0062876.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0063915.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0063916.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0063974.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\a0063975.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.002 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.003 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.004 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.005 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.006 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.007 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.008 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.009 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.010 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.011 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.012 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.013 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.014 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.015 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.016 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.017 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.018 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.019 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.020 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.021 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.022 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.023 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.024 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.025 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.026 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.027 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.028 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.029 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.030 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.bin.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.002 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.003 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.004 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.005 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.006 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.007 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.008 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.dll.vir Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.002 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.003 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.004 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.005 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.006 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.007 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.008 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.009 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.010 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.011 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.012 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.013 Positive identification (embedded in file): Trojan.Win32.StartPage.ix1 (dll) File: d:\program\weernieuwespyware\infected\ap0.tmp.014