Booting up a lot faster now...again, thanks so far.
1. HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 1:47:15 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\MsiExec.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [appac.exe] C:\WINDOWS\system32\appac.exe
O4 - HKLM\..\Run: [sysok.exe] C:\WINDOWS\sysok.exe
O4 - HKLM\..\Run: [apprt.exe] C:\WINDOWS\apprt.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
2. Online scans:
Not sure if the Kaspersky scan deleted or disinfected anything or not. The log file is huge; here is a portion of it (if I need to post the whole thing, let me know).
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 112384
Number of viruses found: 9
Number of infected objects: 14485
Number of suspicious objects: 2
Duration of the scan process: 4444 sec
Infected Object Name - Virus Name
C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-51d84901.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-51d84901.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-51d84901.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-51d84901.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-51d84901.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\jthomps\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/10 May 2005 21:01 from Mail Delivery System:Mail delivery failed.eml/[From Webmaster@johnthompsonjr.com][Date Tue, 10 May 2005 16:59:56 -0400]/UNNAMED/email-doc.pif Infected: Net-Worm.Win32.Mytob.au
C:\Documents and Settings\jthomps\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/10 May 2005 21:01 from Mail Delivery System:Mail delivery failed.eml/[From Webmaster@johnthompsonjr.com][Date Tue, 10 May 2005 16:59:56 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.au
C:\Documents and Settings\jthomps\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/10 May 2005 21:01 from Mail Delivery System:Mail delivery failed.eml Infected: Net-Worm.Win32.Mytob.au
C:\Documents and Settings\jthomps\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/19 Apr 2004 12:44 to 'Old North State Apiaries':RE: Mail Deliver.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\jthomps\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/20 Apr 2004 13:10 to 'Old North State Apiaries':RE: Mail Deliver.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\jthomps\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:aafyu:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:aaocu:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:achpe:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:acqgo:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:actik:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:adbeb:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:adebb:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8BE5DB73-D7BE-4265-BEE7-58A995099902}\RP1\A0000001.pif:aduaq:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
3. About Buster's Log
AboutBuster 5.0 reference file 28
Scan started on [7/14/2005] at [9:50:32 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:bztdhe
------------------------------------------------
Removed File! : C:\Windows\duehu.dat
Removed File! : C:\Windows\idzmc.dat
Removed File! : C:\Windows\ijmii.dll
Removed File! : C:\Windows\iultz.dll
Removed File! : C:\Windows\jyqxt.dat
Removed File! : C:\Windows\kgdkx.dll
Removed File! : C:\Windows\oqtqd.dat
Removed File! : C:\Windows\pomfj.dat
Removed File! : C:\Windows\tbijr.dat
Removed File! : C:\Windows\txvun.dll
Removed File! : C:\Windows\udeqa.dll
Removed File! : C:\Windows\wustj.dat
Removed File! : C:\Windows\System32\esrxi.dll
Removed File! : C:\Windows\System32\hhnfg.dat
Removed File! : C:\Windows\System32\ixysh.dat
Removed File! : C:\Windows\System32\ketmc.dat
Removed File! : C:\Windows\System32\odnpw.dat
Removed File! : C:\Windows\System32\olsne.dat
Removed File! : C:\Windows\System32\peslc.dll
Removed File! : C:\Windows\System32\rldfc.dll
Removed File! : C:\Windows\System32\rwxif.dat
Removed File! : C:\Windows\System32\tjrrg.dat
Removed File! : C:\Windows\System32\yjscf.dll
Removed File! : C:\Windows\System32\ztips.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:55:11 PM
4. TDS-3 Log
23:18:54 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
23:18:54 [Init] Started 14-07-05 23:18:54 Eastern Standard Time (UTC: 5), Internet Time @1179.79
23:18:54 [Init] Loading TDS-3 Systems ...
23:18:54 [Init] Token successfully adjusted.
23:18:54 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
23:18:54 [Init] • Plugins : OK. Loaded 13
23:18:54 [Init] • Exec Protection : Not Installed
23:18:54 [Init] WARNING: Your Radius.TD3 database needs to be updated!
23:18:54 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
23:18:54 [Init] Licensed users can use the Update facility from the TDS menu
23:18:54 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
23:19:09 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
23:19:09 [Init] • Systems Initialised [60540 references - 32393 primaries/15825 traces/12322 variants/other]
23:19:09 [Init] Radius Systems loaded. <Databases updated 14-07-2005>
23:19:09 [Init] TDS-3 Ready. <Jthomps@127.0.0.1 - United States>
23:19:09 [Tip Of The Day] Shopping for DiamondCS services and software is easy! Simply visit http://www.diamondcs.com.au/shop.php
23:19:09 [TDS] Good evening Jthomps.
23:19:13 [Mutex Memory Scan] Started...
23:19:15 [Mutex Memory Scan] Finished (no trojan mutexes found).
23:19:15 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
23:19:28 [CRC32] Started - verifying 29 files ...
23:19:42 [CRC32] Test finished.
23:20:01 [Memory Scan] Memory scan started, please wait a moment ...
23:20:02 [Memory Scan] Memory scan complete.
23:20:02 [Mutex Memory Scan] Started...
23:20:03 [Mutex Memory Scan] Finished (no trojan mutexes found).
23:20:03 [Trace Scan] Started...
23:20:11 [Trace Scan] Finished.
23:20:11 [ServiceScan] Scanning for services and drivers ...
23:20:17 [ServiceScan] Scanned 329 services and drivers.
23:20:17 [File Scan] Scanning in A:\ ...
23:20:18 [File Scan] Scanned 0 files: 0 alarms in 1.054688 seconds (Avg 1. files/sec)
23:20:18 [File Scan] Scanning in C:\ ...
00:52:10 [File Scan] Scanned 107705 files: 2 alarms in -80888.63 seconds (Avg -.33 files/sec)
00:52:10 [File Scan] Scanning in D:\ ...
00:58:20 [File Scan] Scanned 1859 files: 2 alarms in 370.4531 seconds (Avg 6.02 files/sec)
00:58:20 [File Scan] Scanning in E:\ ...
00:58:20 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
00:58:20 [File Scan] Scanning in F:\ ...
00:58:20 [File Scan] Scanned 0 files: 2 alarms in 1.000977E-02 seconds (Avg 1. files/sec)
00:58:20 [File Scan] Scanning in G:\ ...
00:58:20 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
00:58:20 [Scan] Finished.
08:59:34 [CRC32] Started - verifying 29 files ...
08:59:48 [CRC32] Test finished.
09:00:07 [Memory Scan] Memory scan started, please wait a moment ...
09:00:07 [Memory Scan] Memory scan complete.
09:00:07 [Mutex Memory Scan] Started...
09:00:09 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:00:09 [Trace Scan] Started...
09:00:17 [Trace Scan] Finished.
09:00:17 [ServiceScan] Scanning for services and drivers ...
09:00:23 [ServiceScan] Scanned 329 services and drivers.
09:00:23 [File Scan] Scanning in A:\ ...
09:00:24 [File Scan] Scanned 0 files: 0 alarms in 1.041016 seconds (Avg 1. files/sec)
09:00:24 [File Scan] Scanning in C:\ ...
10:31:30 [File Scan] Scanned 107704 files: 0 alarms in 5465.379 seconds (Avg 20.71 files/sec)
10:31:30 [File Scan] Scanning in D:\ ...
10:37:39 [File Scan] Scanned 1859 files: 0 alarms in 368.832 seconds (Avg 6.04 files/sec)
10:37:39 [File Scan] Scanning in E:\ ...
10:37:39 [File Scan] Scanned 0 files: 0 alarms in 1.171875E-02 seconds (Avg 1. files/sec)
10:37:39 [File Scan] Scanning in F:\ ...
10:37:39 [File Scan] Scanned 0 files: 0 alarms in 0.0078125 seconds (Avg 1. files/sec)
10:37:39 [File Scan] Scanning in G:\ ...
10:37:39 [File Scan] Scanned 0 files: 0 alarms in 0 seconds (Avg -1.#IND files/sec)
10:37:39 [Scan] Finished.
5. Backdoor.Agent.B Removal Tool
No infection found
6. Ewido Log (see next post)
Thanks so much for the help.