Friends,
I did it all. Panda seemed to find some problems still. But I see no problems so far. Here are the logs. Please tell me if more is needed. Thanks so much for the work thus far.
J.

Pre-run Files Present
~~~ Program Files ~~~
AntiVirusGold
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
hookdump.exe
~~~ Windows directory ~~~
screen.html
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:04:03 PM, 7/5/2003
+ Report-Checksum: AC2CA55E
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{13898BD6-0873-1991-8C89-C965424CDB1C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1801674531-492894223-854245398-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
C:\Documents and Settings\Tyler1\Cookies\tyler1@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\ET07UPU1\fgxxx[1].jpg -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Program Files\180searchassistant\sais.exe -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\180searchassistant\saishook.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\appsp32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\gds5.dll -> TrojanDownloader.Small.azf : Cleaned with backup
C:\WINNT\ieno32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\o456apcv.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32:uoaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINNT\system32\appuz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\ce5mko3e.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32\ojr85db0.dll -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32\p4k1gd8m.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\_default.pif:cjvmek -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:ihmcm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:kidhkz -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:qhcxkz -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:xgjsp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_default.pif:xgjspw -> TrojanDownloader.Agent.bc : Cleaned with backup
::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:55:26 PM, on 7/5/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINNT\System32\khooker.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Tyler1\My Documents\New Folder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fnllm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fnllm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {7596F99E-D0E0-D10F-1786-8EB23DCDF3BD} - C:\WINNT\ieno32.dll (file missing)
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds5.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ce5mko3e] C:\WINNT\System32\ce5mko3e.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [appsp32.exe] C:\WINNT\appsp32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwe...s/vzWebIns.CAB
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appuz.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

Incident Status Location
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SHOP\Auctions.lnk
Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180searchassistant
Adware:adware/sahagent No disinfected C:\WINNT\SYSTEM32\SahImages
Adware:adware/powerscan No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\POWER SCAN
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Spyware:spyware/istbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ISTSVC
Adware:adware/sidefind No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{10E42047-DEB9-4535-A118-B3F6EC39B807}
Adware:adware/cws.aboutblank No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
Adware:adware/searchaid No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\IRMR2LMJ\avg[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\IRMR2LMJ\webservice[1].htm
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\SXC7GF87\dd[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\WXUNC52R\webservice[1].htm
Virus:Trj/Downloader.CVB Disinfected C:\ms32.tmp
Possible Virus. No disinfected C:\Program Files\SurfAccuracy\SAccU.exe
Adware:Adware/MediaTickets No disinfected C:\RECYCLER\S-1-5-21-1801674531-492894223-854245398-1000\Dc4\America Online 9.0c\download\3.dat
Adware:Adware/Startpage.JM No disinfected C:\RECYCLER\S-1-5-21-1801674531-492894223-854245398-1000\Dc4\America Online 9.0c\download\4.dat