
I didn't realize I had so much c*** on my computer. I mean, I know the net is riddled with the c***, but I figured if I routinely scanned with Norton, Ad-Aware and Spybot it would be fine. I thought I knew quite a bit about removing unwanted things. Being A+ Certified doesn't help me much with removing this c***. Man, it sucks. OK, anyways, here is the TDS-3 scan and alarms:
18:27:01 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
18:27:01 [Init] Started 20-01-05 18:27:01 Eastern Standard Time (UTC: 5), Internet Time @1018.76
18:27:01 [Init] Loading TDS-3 Systems ...
18:27:01 [Init] Token successfully adjusted.
18:27:01 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
18:27:02 [Init] • Plugins : OK. Loaded 13
18:27:02 [Init] • Exec Protection : Not Installed
18:27:02 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:27:02 [Init] Please download the latest from
http://tds.diamondcs.com.au/radius.td3
18:27:02 [Init] Licensed users can use the Update facility from the TDS menu
18:27:02 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:27:10 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:27:10 [Init] • Systems Initialised [44882 references - 20956 primaries/11789 traces/12137 variants/other]
18:27:10 [Init] Radius Systems loaded. <Databases updated 20-01-2005>
18:27:10 [Init] TDS-3 Ready. <Administrator@24.229.168.126, 127.0.0.1 - United States>
18:27:10 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system to detect NTFS Streams! You can even remove trojans when found in a stream, without damaging the parent file. See the help file for more information.
18:27:10 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
18:27:10 [TDS] Good evening Administrator. Time to stop working!
18:27:14 [Mutex Memory Scan] Started...
18:27:16 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:27:16 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:27:33 [CRC32] Started - verifying 29 files ...
18:27:33 [CRC32] File doesn't exist: C:\autoexec.bat
18:27:37 [CRC32] Test finished.
18:29:26 [Memory Scan] Memory scan started, please wait a moment ...
18:29:27 [Memory Scan] Memory scan complete.
18:29:27 [Mutex Memory Scan] Started...
18:29:28 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:29:28 [Trace Scan] Started...
18:29:40 [Trace Scan] Finished.
18:29:40 [ServiceScan] Scanning for services and drivers ...
18:29:46 [ServiceScan] Scanned 302 services and drivers.
18:29:46 [File Scan] Scanning in A:\ ...
18:29:47 [File Scan] Scanned 0 files: 0 alarms in 1.023438 seconds (Avg 1. files/sec)
18:29:47 [File Scan] Scanning in C:\ ...
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\accwiz.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\hh.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\locator.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\magnify.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\migwiz.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\narrator.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
19:08:35 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
19:08:35 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\osk.exe for read access, file is locked
19:08:36 [Locked File] Couldn't open c:\windows\$ntuninstallkb828741$\comrepl.exe for read access, file is locked
19:08:36 [Locked File] Couldn't open c:\windows\$ntuninstallkb828741$\migregdb.exe for read access, file is locked
19:22:42 [File Scan] Scanned 73424 files: 23 alarms in 3175.648 seconds (Avg 24.12 files/sec)
19:22:42 [File Scan] Scanning in D:\ ...
19:22:42 [File Scan] Scanned 0 files: 23 alarms in 0 seconds (Avg -1.#IND files/sec)
19:22:42 [File Scan] Scanning in E:\ ...
19:22:42 [File Scan] Scanned 0 files: 23 alarms in 0 seconds (Avg -1.#IND files/sec)
19:22:42 [Scan] Finished.
Alarms:
Scan Control Dumped @ 19:24:22 20-01-05
Positive identification: TrojanDownloader.Win32.Agent.ct Dropper
File: c:\documents and settings\eric\local settings\temp\ab1.exe
Positive identification: Trojan.Win32.VB.kq Dropper
File: c:\documents and settings\eric\local settings\temp\mw_4s_stub.exe
Positive identification: TrojanDownloader.Win32.WinFetch.a
File: c:\documents and settings\eric\local settings\temp\qmtb.exe
Positive identification: Trojan.Win32.Septic.a Dropper
File: c:\documents and settings\eric\local settings\temp\sepinst.exe
Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\filesubmit\a letter to santa\nnezta388.exe
Positive identification: Adware.NewDotNet
File: c:\program files\filesubmit\a letter to santa\nnezta388.exe
Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\filesubmit\a letter to santa\tbeza127q.exe
Suspicious Filename: Dual extensions
File: c:\unzipped\nfsu_unlockers[1]\nfsu huvinyls for v1.3.0.exe
Positive identification: TrojanDownloader.Win32.Small.adu
File: c:\windows\e2g25.exe
Positive identification (DLL): TrojanDownloader.Win32.VB.ez1 (dll)
File: c:\windows\mm21.ocx
Positive identification: TrojanClicker.Win32.VB.ei
File: c:\windows\mmups.exe
So how do I remove all of these now?
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 7:57:38 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Documents and Settings\Chris Rosa\Desktop\Chris Stuff\Progs\Spybot Removal\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c11.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} -
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -
End of KRC HijackThis Analyzer Log.
====================================================================