Thread: IE Windows opening uncontrollably
View Single Post
Old 02-26-2006, 04:13 PM   #9 (permalink)
markmcgregor
Registered User
 
Join Date: Feb 2006
Posts: 18
OS: XP Professional


Here we go again!
OK, I wouldn't have believed it if I didn't see it myself, but Kaspersky found 15 viruses. Here are the three logs and I'll await further instructions:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:27 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ltcm000c.exe
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/re...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1125063593020
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125063568815
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/acces...tent/AcpIR.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 26, 2006 17:51:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/02/2006
Kaspersky Anti-Virus database records: 178818
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 37860
Number of viruses found: 15
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 4945 sec

Infected Object Name - Virus Name
C:\Data\Downloads\BSINSTALL.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.CommonName.p
C:\Data\Downloads\BSINSTALL.exe/WISE0037.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Data\Downloads\BSINSTALL.exe/WISE0038.BIN/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ak
C:\Data\Downloads\BSINSTALL.exe/WISE0038.BIN/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aw
C:\Data\Downloads\BSINSTALL.exe/WISE0038.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.aw
C:\Data\Downloads\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aw
C:\Data\Downloads\ftp\ctp2000_setup.exe/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSinc
C:\Data\Downloads\ftp\ctp2000_setup.exe/TSAdBot.exe Infected: not-a-virus:AdWare.Win32.TimeSink
C:\Data\Downloads\ftp\ctp2000_setup.exe Infected: not-a-virus:AdWare.Win32.TimeSink
C:\Data\Downloads\imeshv3.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.F1Organizer.k
C:\Data\Downloads\imeshv3.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.Hotbar.aq
C:\Data\Downloads\imeshv3.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.CommonName.p
C:\Data\Downloads\imeshv3.exe/WISE0026.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Data\Downloads\imeshv3.exe/WISE0026.BIN/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Data\Downloads\imeshv3.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Data\Downloads\imeshv3.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.EZula.d
C:\Data\Downloads\imeshv3.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Data\Downloads\imeshv3.exe/WISE0030.BIN Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Data\Downloads\imeshv3.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Data\Keepers\theboss.exe/data0001/regwebh.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/wbhshare.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/whiedc.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/whieshm.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe/data0001 Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Data\Keepers\theboss.exe Infected: not-a-virus:AdWare.Win32.WebHancer.16
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-4d8bc4c9.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-4d8bc4c9.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-4d8bc4c9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-4d8bc4c9.zip Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/20 Feb 2006 17:17 to 'hauri98@hauri.co.kr':Virus Report/nanieoa.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/20 Feb 2006 17:53 to 'hauri98@hauri.co.kr':Virus Report/nanieoa.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.Win32.Qoologic.az

Scan process completed.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:15:04 PM, 2/26/2006
+ Report-Checksum: 2F229991

+ Scan result:

HKU\S-1-5-21-1993962763-813497703-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1993962763-813497703-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1993962763-813497703-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1993962763-813497703-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} -> Adware.SecureServicePack : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-48b99283-47d764a7.zip/NudeBox.class -> Trojan.ClassLoader.u : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-48b99283-47d764a7.zip/VerifierBug.class -> Trojan.ClassLoader.u : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-48b99283-47d764a7.zip/Worker.class -> Trojan.ClassLoader.u : Cleaned with backup
C:\Program Files\Jalmp\jalmp.dll -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\drivers\sysbus32.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.aq : Cleaned with backup


::Report End
markmcgregor is offline