12-05-2005, 04:24 PM   #5
BadmoJoe
Registered User
 
Join Date: Nov 2005
Posts: 15
OS: XP


Back up and able to scan

Wow, what an ordeal that was. I was able to fix my "Windows cannot start..." error and finally carry out all of your instructions. Below are the logs requested.

I should mention that I ended up having to restore my system file from a restore point. I chose one from a couple of weeks ago and when I went to the HiJackThis step there was one entry that wasn't there anymore.
O4 - HKLM\..\Run: [KernelFaultCheck]... was no longer on the list, so I couldn't delete it. On to the logs...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:18:49 PM, 12/05/2005
+ Report-Checksum: C61E1BB2

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-2538372485-908771968-2382075835-1007\Software\WinUpdt -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
C:\command.exe -> Dropper.Delf.ev : Cleaned with backup
C:\Program Files\Common Files\qfuz\qfuzd\qfuzc.dll -> Downloader.Small : Cleaned with backup
C:\Program Files\Hijackthis\backups\backup-20051205-131303-488.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044070.exe -> Dropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044378.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044379.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044402.exe -> Downloader.Lastad.r : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044464.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0049814.exe -> Dropper.Delf.ev : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061417.exe -> Spyware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061418.exe -> Spyware.BookedSpace.e : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061419.exe -> Downloader.VB.eu : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061421.exe -> Downloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061422.exe -> Downloader.Lastad.h : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061423.exe -> Downloader.Lastad.h : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061425.dll -> Spyware.Winsta : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061428.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061429.exe -> Downloader.Lastad.r : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061430.dll -> Downloader.Lastad.r : Cleaned with backup
C:\WINDOWS\7r76.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI50.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEZ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIHD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIKAB.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIKAB2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIMBC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\bspace.html -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WEBS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WEBS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ZNETGP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Dropper.Agent.or : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx -> Downloader.Lastad.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\7r76.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\epx30106.exe -> Downloader.Lastad.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\ginu.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\huno3.exe -> Trojan.Kolweb.g : Cleaned with backup


::Report End

ACTIVESCAN LOG BEGIN


Incident Status Location

Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\data.~
Adware:adware/portalscan Not disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/addestroyer Not disinfected C:\Documents and Settings\Lauren Kelley\Start Menu\Programs\AdDestroyer
Adware:adware/fizzle Not disinfected C:\PROGRAM FILES\FwBarTemp
Adware:adware/searchforit Not disinfected C:\PROGRAM FILES\sf
Adware:adware/oemji Not disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:Adware/SearchTheWeb Not disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip[A.class]
Adware:Adware/Winstat Not disinfected C:\Program Files\Hijackthis\backups\backup-20051108-142917-299.dll
Adware:Adware/Neededware Not disinfected C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\msshed32.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll

END ACTIVESCAN LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:08:14 PM, on 12/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: NDWCab -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
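Added triage example (my own code, not part of the post above and not part of HijackThis or ewido): a short Python script that reads HijackThis-format lines and flags the ones a helper would look at first. The sample lines are copied from the log in the post; the flagging rules are my assumptions, not HijackThis logic, and they are only a first pass: "(file missing)"/"(no file)" references, BHOs with no name, O23 services with "Unknown owner", and O4 Run values whose name is just the vowel-less stem of the executable (the [zgbpfp] zgbpfp.exe pattern). A flag means "look here", not "this is malware".

```python
import re
from collections import namedtuple

# Lines copied from the HijackThis log in the post above (sample input for this example).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
"""

Finding = namedtuple("Finding", "section reason line")

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
SECTION_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# First Windows path ending in a binary extension; non-greedy so "NvCpl.dll,NvStartup" stops at .dll
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)\b", re.IGNORECASE)
# The [value name] of an O4 Run entry
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
VOWELS = set("aeiouy")


def file_stem(path):
    """'C:\\WINDOWS\\System32\\zgbpfp.exe' -> 'zgbpfp'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_generated(stem):
    """Heuristic (assumption): 4+ characters with no vowel at all reads like a generated name."""
    s = stem.lower()
    return len(s) >= 4 and not (set(s) & VOWELS)


def triage_line(line):
    """Return a list of Findings for one HijackThis line (empty if nothing stands out)."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("dangling reference: entry points at a file that is not on disk")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor/company string")
    if section == "O4":
        name = RUN_NAME_RE.search(body)
        path = PATH_RE.search(body)
        if (name and path
                and name.group(1).lower() == file_stem(path.group()).lower()
                and looks_generated(name.group(1))):
            reasons.append("Run value named after a vowel-less executable (generated-name pattern)")
    return [Finding(section, r, line.strip()) for r in reasons]


def triage_log(text):
    """Run triage_line over every line of a log and flatten the results."""
    return [f for line in text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f.section, f.reason, f.line))
```

On the sample above this flags six lines (the two nameless BHOs, the msjava.dll button, zgbpfp.exe, and the two orphaned toolbar services) and leaves the Norton, Dell and NVIDIA entries alone. Run it against a full log with `triage_log(open("hijackthis.log").read())`; anything it flags still needs to be checked by hand, and anything it does not flag can still be bad.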