I have carried out all your required tasks. The results are as follows.
Download Ewido Security Suite.
- Done
You will need to update Ewido to the latest definition files.
- Done
Download CleanUp! (Alternate Link if main link doesn't work) and install it.
- Done
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
- Done
Click Start->Run - type SERVICES.MSC ... Ndlmsb0cfs ... then click on the OK button.
- Done. Note that the service was set to manual and was already stopped. Note also that the service name was the same as Ndlmsb0cfs.
Next, start HiJackThis & go to Config>Misc.Tools...>Delete an NT service... In the popup box that appears, type in the Service Name you found in the General Tab for Ndlmsb0cfs. Click OK to allow reboot.
- Done
Next, please reboot your computer in Safe Mode.
- Done
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading: select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.
- Done - well, actually, all already set as directed
Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):
O1 - Hosts: localhost 127.0.0.1 - Done
O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe - Not present
O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe - Not present
Click 'Fix Checked' and close HijackThis.
- Done
Delete the following Files if they still exist.
C:\WINDOWS\system32\dmakl.exe - Not present anywhere on C: or D:
C:\WINDOWS\system32\FileOps.exe - Done
Open Cleanup...
Scan local drives for temporary files - Done
Run Ewido with its updated definitions... Once finished, click the Save report button & save the report to your desktop.
- Done
Reboot into Normal Mode.
- Done
Perform an online scan using Internet Explorer with Panda ActiveScan - Done
Ewido results
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 20:30:09, 18/04/2006
+ Report-Checksum: 35D43657
+ Scan result:
[204] VM_00D80000 -> Downloader.Agent.uj : Error during cleaning
[228] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning
[860] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[1148] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ads20.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ads20.bpath[2].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@com[3].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[3].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@orf.oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\TightVNC-unstable\VNCHooks.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup
C:\Program Files\TightVNC-unstable\WinVNC.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup
::Report End
Panda results
Incident Status Location
Adware:adware/sbsoft Not disinfected C:\WINDOWS\rdt.ini
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt[]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@atwola[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[3].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[4].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@go[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[3].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[4].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@tucows[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[2].txt
Virus:W32/Netsky.AE.worm Disinfected Archive 2005\Personal Folders\Awaiting Archive\Undeliverable:Re: document_all\Re: document_all\document_hengul.zip.zip[data.rtf .scr]
New HijackThis log taken from Normal Mode
Logfile of HijackThis v1.99.1
Scan saved at 22:13:26, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.allakhazam.com
O15 - Trusted Zone: *.bbc.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://www.std.com
O15 - Trusted Zone: *.wikipedia.org
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
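The thread above asks the poster to pick the O1, O4 and O23 lines out of a HijackThis log by hand; the reviewer's reasoning (a service with no vendor string living in system32, an autorun whose value name is just the executable name, any hosts-file override) is what a helper applies to every log. The following is an added example, written for this page and not code from the post, from HijackThis, or from any tool named in the thread. It parses lines in the HijackThis v1.99 format shown in the log and applies those triage rules as explicit heuristics. The sample lines are constructed from the format on the page, the severity labels and the small `BENIGN_AUTORUN_NAMES` allowlist are illustrative assumptions, and the rules are a reviewer's shortlist, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the HijackThis v1.99 line format shown in the post.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.msn.com
O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
"""


@dataclass
class Entry:
    section: str          # "O1", "O4", "O15", "O23"
    name: str             # value name, service display name, zone, or hosts line
    image: Optional[str]  # executable path where one could be recovered
    owner: Optional[str]  # O23 vendor string; HJT prints "Unknown owner" when none is found
    raw: str


@dataclass
class Finding:
    severity: str
    reason: str
    entry: Entry


O1_RE = re.compile(r"^O1 - Hosts: (?P<line>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A quoted path, or an unquoted one up to the first ".exe" (paths with spaces are common).
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)', re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)

# Illustrative allowlist (assumption): autoruns named after their own exe that are
# normal on XP. In practice this comes from your own clean-machine baseline.
BENIGN_AUTORUN_NAMES = {"ctfmon.exe"}


def image_from_command(cmd: str) -> Optional[str]:
    """Pull the executable path out of an O4 command line."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("q") or m.group("u")


def parse(log_text: str) -> List[Entry]:
    """Parse the O1/O4/O15/O23 lines of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if m := O4_RE.match(raw):
            entries.append(Entry("O4", m["name"], image_from_command(m["cmd"]), None, raw))
        elif m := O23_RE.match(raw):
            # HJT appends "(file missing)" to the path when the binary is not on disk.
            entries.append(Entry("O23", m["name"], m["path"], m["owner"], raw))
        elif m := O1_RE.match(raw):
            entries.append(Entry("O1", m["line"], None, None, raw))
        elif m := O15_RE.match(raw):
            entries.append(Entry("O15", m["zone"], None, None, raw))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Reviewer heuristics (assumptions, not HijackThis logic): which lines to look at first."""
    findings: List[Finding] = []
    for e in entries:
        if e.section == "O23":
            if "(file missing)" in (e.image or ""):
                findings.append(Finding("low", "service entry whose binary is no longer on disk", e))
            elif e.owner == "Unknown owner" and SYSTEM_DIR.match(e.image or ""):
                findings.append(Finding("high", "service with no vendor string running from system32", e))
        elif e.section == "O4" and e.image and SYSTEM_DIR.match(e.image):
            base = e.image.rsplit("\\", 1)[-1].lower()
            if e.name.lower() == base and base not in BENIGN_AUTORUN_NAMES:
                findings.append(Finding("high", "autorun named after its own exe, launched from system32", e))
        elif e.section == "O1":
            findings.append(Finding("medium", "hosts-file entry: confirm it is one you added", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.reason}: {f.entry.raw}")
```

On the sample above the shortlist is the hosts line, the `dmakl.exe` autorun, the `Ndlmsb0cfs` service and the orphaned `Tmesbs32` entry, which is the same set the thread singles out; the Bluetooth and Windows Defender lines pass because they carry a vendor string or live outside system32. The allowlist shows why this stays a triage aid: `ctfmon.exe` matches the "named after its own exe" pattern and is legitimate, so any such rule needs a baseline behind it.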