Old 11-30-2005, 01:53 AM   #4
buddycraigg
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


Thank you both, skate_punk_21 and Ried, for your response and your assistance.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The machine.

It’s a pretty old home built PC but it works for my needs.
Windows 2000 pro SP4
All updates are current.

I have this software for free from my ISP, made by this company: http://www.ca.com/
eTrust PestPatrol
eTrust EZ Antivirus
eTrust Personal Firewall

I have installed and run the latest versions of
Spybot S&D
Ad Aware SE

I have run the online virus scanner from
http://www.kaspersky.com/virusscanner
and
http://www.pandasoftware.com/products/activescan.htm

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The problem.

My PC is running as it always has, but I discovered that I had some viruses thanks to the suggestions I found on this forum.
I use this PC for my banking, bill paying, and various other personal needs and want it to be safe.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My logs: HijackThis, Panda, and Kaspersky, in that order.

HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 2:39:36 AM, on 11/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1124416697379
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124411355883
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/Insta...ve/TP_live.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D6A0F2-013D-4F6F-A325-6D09DCB5F196}: NameServer = 24.94.163.114,24.94.163.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E3492F-1A47-4D6B-9143-C8F500EAB08B}: NameServer = 24.94.163.114,24.94.163.113
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Panda

Incident Status Location

Adware:adware/keenvalue Not disinfected C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/statblaster Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip[InstallerApplet.class]

Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 30, 2005 02:31:56
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/11/2005
Kaspersky Anti-Virus database records: 152455
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 58570
Number of viruses found: 9
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 5954 sec

Infected Object Name - Virus Name
C:\WINNT\system32\TMLib.dll Infected: Trojan-Spy.Win32.AdvancedKeyLogger.17
C:\Documents and Settings\Administrator\Local Settings\Temp\all_files7.exe/data0006 Infected: Trojan-Downloader.Win32.QDown.b
C:\Documents and Settings\Administrator\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.QDown.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Sat, 09 Apr 2005 19:03:06 -0700]/UNNAMED/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Sat, 09 Apr 2005 19:03:06 -0700]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Sat, 09 Apr 2005 19:03:06 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 15 Oct 2005 08:52:02 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 15 Oct 2005 08:52:02 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 22 Oct 2005 10:31:28 +0500]/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 05 Nov 2005 09:49:49 -0700]/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 16:34:27 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 16:34:27 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 23:13:33 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 23:13:33 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx/[From "update@paypal.com" <update@paypal.com>][Date Thu, 15 Sep 2005 22:18:29 +0000]/html Infected: Trojan-Spy.HTML.Paylap.by
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.by
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CitiBank <supprefnum13@citibank.com>][Date Sat, 02 Oct 2004 18:14:18 +0100]/html Infected: Trojan-Spy.HTML.Citifraud.ai
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CITIBANK <antifraud_dep.id.num384730950992@citibank.com>][Date Tue, 19 Oct 2004 13:58:35 +0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CITIBANK <antifraud_dep.id.num384730950992@citibank.com>][Date Tue, 19 Oct 2004 13:58:35 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx/[From MAILER-DAEMON <MAILER-DAEMON@kc.rr.com>][Date Mon, 26 Jul 2004 11:50:37 -0500]/UNNAMED/kcfog@kc.rr.com Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx/[From MAILER-DAEMON <MAILER-DAEMON@kc.rr.com>][Date Mon, 26 Jul 2004 11:50:37 -0500]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip Infected: Trojan-Downloader.Java.OpenStream.w

Scan process completed.