worm_chod.l

icemaid · 06-06-2006, 10:49 AM

Had this and i think i may have gotten most of it out, can you please check my logfile to see what i have missed.....Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:42:33 AM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F3 - REG:win.ini: load=""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596
O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Hustler24 · 06-06-2006, 12:03 PM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.

Hustler24 · 06-06-2006, 12:54 PM

Please Download MsnVirRem.exe to your desktop from one of the following mirrors.

First close any other programs you have running as this will require a reboot
Double click MsnVirRem.exe to run it
Once open, click the button labelled "Search and Destroy"
<<Your computer will now be scanned for Infected Files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
A Message should popup from MsnVirRem if not, double click the program again and it will finish

Please Post the contents of C:\msnvirrem.log along with a fresh HijackThis log

icemaid · 06-06-2006, 01:25 PM

MsnVirRem Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to msnvirremOLD.log

Fix running from: C:\Documents and Settings\user\Desktop
6/6/2006
12:21:53 PM

Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 12:25:08 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MsnVirRem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596
O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Hustler24 · 06-06-2006, 02:15 PM

Your HJT log is clean but we'll run some other tools as a precaution.

lease print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

DOWNLOADS

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

-------------------------

Please download the trial version of Ewido anti-malware from here:
http://www.ewido.net/en/download/

Install Ewido anti-malware.
When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
The program will prompt you to update. Click the Ok button.
The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

On the left-hand side of the main screen click the Update Button.
Click on Start.
The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.

----------------------

SAFE MODE

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

CLEANUP!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK
Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.

EWIDO

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

Click on Scanner
Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Click Save Report button
Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.

ONLINE SCAN

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJackThis log. and Ewido's log.

icemaid · 06-06-2006, 04:39 PM

Panda Scan Report:
Incident Status Location

Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\user\Cookies\user@apmebf[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\user\Cookies\user@qksrv[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060526-133633.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060526-133634.backup
Spyware:Spyware/RXToolbar Not disinfected D:\WINDOWS\TEMP\Adware\RXToolbar.exe[sfcont.dll]
Spyware:Cookie/Xiti Not disinfected D:\WINDOWS\Cookies\unknown user@xiti[1].txt
Spyware:Cookie/Belnk Not disinfected D:\WINDOWS\Cookies\unknown user@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected D:\WINDOWS\Cookies\unknown user@dist.belnk[2].txt
Spyware:Cookie/Searchportal Not disinfected D:\WINDOWS\Cookies\unknown user@searchportal.information[1].txt
Spyware:Cookie/Banner Not disinfected D:\WINDOWS\Cookies\unknown user@banner[1].txt
Spyware:Cookie/Hbmediapro Not disinfected D:\WINDOWS\Cookies\unknown user@adopt.hbmediapro[2].txt
Spyware:Cookie/Atwola Not disinfected D:\WINDOWS\Cookies\unknown user@atwola[2].txt
Spyware:Cookie/Rn11 Not disinfected D:\WINDOWS\Cookies\unknown user@rn11[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected D:\WINDOWS\Cookies\unknown user@adultfriendfinder[2].txt
Spyware:Cookie/Btgrab Not disinfected D:\WINDOWS\Cookies\unknown user@btg.btgrab[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected D:\WINDOWS\Cookies\unknown user@desktop.kazaa[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected D:\WINDOWS\Cookies\unknown user@offeroptimizer[1].txt
Ewido Log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:57:52 PM, 6/6/2006
+ Report-Checksum: E3A8205D

+ Scan result:

C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@com[1].txt -> TrackingCookie.Com : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjmicicjkdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjlyaldpgap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@cliks[1].txt -> TrackingCookie.Cliks : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wflyeiajado.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjnyghczmfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjlywpcpkkq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjlogmd5gfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wfkiumdjwlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjkoagajihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjkykidpmco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjnyclcpcho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wfkoeod5gcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjnyomcjkdq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wflocjajogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjkoaodpkgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@e-2dj6wjk4aid5khp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\WINDOWS\Cookies\unknown user@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
D:\Program Files\TBONBin\TBON.EXE -> Adware.BetterInternet : Cleaned with backup
D:\Program Files\TBONBin\Uninstall.exe -> Adware.BetterInternet : Cleaned with backup

::Report End

Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:36:19 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Thanks Much :-)

Hustler24 · 06-07-2006, 02:05 PM

SAFE MODE

Please reboot into Safe Mode as described earlier.

UNINSTALLS

Please uninstall the following via Add/Remove:

Need2Find

FILE DELETIONS

Please delete the following folders highlighted in blue:

c:\program files\ Need2Find
D:\WINDOWS\TEMP\ Adware
D:\Program Files\ TBONBin\

REGISTRY FIX

Please download the attached file. Double-click it and open the file inside.

When asked whether you would like to merge with the registry, click Yes.

This will remove some malware files from the registry.

DELETE COOKIES

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies.

ONLINE SCAN

Reboot into Normal mode

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Post the Kaspersky log and a new HJT log.

How is your system performing now?

icemaid · 06-08-2006, 03:57 PM

Hey, Computer running much better so far :-).

I couldn't do the registry fix, when i clicked ok, i got the message: error opening file. May be a disk or file system error, but i did every thing else.

Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 08, 2006 2:52:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/06/2006
Kaspersky Anti-Virus database records: 199310
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 46568
Number of viruses found: 6
Number of infected objects: 8
Number of suspicious objects: 2
Duration of the scan process: 00:57:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\user\.housecall\Quarantine\rk.bin.bac_a03800 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
C:\Documents and Settings\user\.housecall\Quarantine\RK.EXE.bac_a03800 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
C:\Program Files\Norton AntiVirus\Quarantine\51C44343.htm Infected: Trojan-Clicker.JS.Linker.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\75D27C8C Infected: Email-Worm.Win32.Bagle.ey skipped
C:\Program Files\Norton AntiVirus\Quarantine\780E2321 Infected: Backdoor.Win32.VB.atw skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B992CF3.htm Infected: Trojan-Clicker.JS.Linker.h skipped
D:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip/istsvc.exe Suspicious: Password-protected-EXE skipped
D:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip ZIP: suspicious - 1 skipped
D:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-7a3d6797.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
D:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-7a3d6797.zip ZIP: infected - 1 skipped

Scan process completed.

Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 2:57:08 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FreeNote\freenote.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [FreeNote] C:\Program Files\FreeNote\freenote.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

greyknight17 · 06-13-2006, 05:55 PM

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\ and delete AltNETDm

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go. Please post back one more time to confirm.

icemaid · 06-16-2006, 02:17 PM

Thanks for all your help, running much, much, much better now :-)

06-06-2006, 10:49 AM	#1 (permalink)
icemaid Registered User Join Date: Jun 2006 Posts: 5 OS: XP	worm_chod.l Had this and i think i may have gotten most of it out, can you please check my logfile to see what i have missed.....Thanks Logfile of HijackThis v1.99.1 Scan saved at 9:42:33 AM, on 6/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe D:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ F3 - REG:win.ini: load="" O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Startup: csrss.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596 O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

06-06-2006, 12:54 PM	#3 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Please Download MsnVirRem.exe to your desktop from one of the following mirrors. Mirror 1 Mirror 2 Mirror 3 First close any other programs you have running as this will require a reboot Double click MsnVirRem.exe to run it Once open, click the button labelled "Search and Destroy" <<Your computer will now be scanned for Infected Files>> When scanning is finished you will be prompted to reboot only if infected, Click OK Now click the "REBOOT" Button. After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue. A Message should popup from MsnVirRem if not, double click the program again and it will finish Please Post the contents of C:\msnvirrem.log along with a fresh HijackThis log

06-06-2006, 02:15 PM	#5 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Your HJT log is clean but we'll run some other tools as a precaution. lease print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. DOWNLOADS Download and install CleanUp! but do not run it yet. WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. ------------------------- Please download the trial version of Ewido anti-malware from here: http://www.ewido.net/en/download/ Install Ewido anti-malware. When installing, under Additional Options uncheck Install background guard and Install scan via context menu. When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok. The program will prompt you to update. Click the Ok button. The program will now go to the main screen. You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click the Update Button. Click on Start. The update will start and a progress bar will show the updates being installed. Once finished updating, close Ewido. If you are having problems with the updater, you can use this link to manually update ewido. Ewido manual updates. Make sure to close Ewido before installing the update. ---------------------- SAFE MODE Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. CLEANUP! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked. Click OK Press the CleanUp!* button to start the program. DO NOT reboot/logoff when prompted. EWIDO Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan. Click on Scanner Click on Settings Under How to scan all boxes should be checked Under Unwanted Software all boxes should be checked Under What to scan select Scan every file Click on Ok Click on Complete System Scan to start the scan process. Let the program scan the machine. If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok. Once the scan has completed, there will be a button located on the bottom of the screen named Save Report. Click Save Report button Save the report to your Desktop Close Ewido and Reboot in Normal Mode. ONLINE SCAN Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan Paste the Panda Scan report here together with a new HiJackThis log. and Ewido's log.

06-13-2006, 05:55 PM	#9 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to: hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\ and delete AltNETDm If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Your log is clean. To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go. Please post back one more time to confirm. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

06-06-2006, 12:03 PM	#2 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please be patient with me during this time.

06-06-2006, 01:25 PM	#4 (permalink)
icemaid Registered User Join Date: Jun 2006 Posts: 5 OS: XP	MsnVirRem Log by Skate_Punk_21 Please Note: any existing old logs will have now been renamed to msnvirremOLD.log Fix running from: C:\Documents and Settings\user\Desktop 6/6/2006 12:21:53 PM Hijack this log: Logfile of HijackThis v1.99.1 Scan saved at 12:25:08 PM, on 6/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: MsnVirRem.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596 O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

06-06-2006, 04:39 PM	#6 (permalink)
icemaid Registered User Join Date: Jun 2006 Posts: 5 OS: XP	Panda Scan Report: Incident Status Location Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\user\Cookies\user@apmebf[1].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\user\Cookies\user@qksrv[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060526-133633.backup Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060526-133634.backup Spyware:Spyware/RXToolbar Not disinfected D:\WINDOWS\TEMP\Adware\RXToolbar.exe[sfcont.dll] Spyware:Cookie/Xiti Not disinfected D:\WINDOWS\Cookies\unknown user@xiti[1].txt Spyware:Cookie/Belnk Not disinfected D:\WINDOWS\Cookies\unknown user@belnk[1].txt Spyware:Cookie/Belnk Not disinfected D:\WINDOWS\Cookies\unknown user@dist.belnk[2].txt Spyware:Cookie/Searchportal Not disinfected D:\WINDOWS\Cookies\unknown user@searchportal.information[1].txt Spyware:Cookie/Banner Not disinfected D:\WINDOWS\Cookies\unknown user@banner[1].txt Spyware:Cookie/Hbmediapro Not disinfected D:\WINDOWS\Cookies\unknown user@adopt.hbmediapro[2].txt Spyware:Cookie/Atwola Not disinfected D:\WINDOWS\Cookies\unknown user@atwola[2].txt Spyware:Cookie/Rn11 Not disinfected D:\WINDOWS\Cookies\unknown user@rn11[2].txt Spyware:Cookie/adultfriendfinder Not disinfected D:\WINDOWS\Cookies\unknown user@adultfriendfinder[2].txt Spyware:Cookie/Btgrab Not disinfected D:\WINDOWS\Cookies\unknown user@btg.btgrab[2].txt Spyware:Cookie/Kazaa Networks Not disinfected D:\WINDOWS\Cookies\unknown user@desktop.kazaa[1].txt Spyware:Cookie/OfferOptimizer Not disinfected D:\WINDOWS\Cookies\unknown user@offeroptimizer[1].txt Ewido Log: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 2:57:52 PM, 6/6/2006 + Report-Checksum: E3A8205D + Scan result: C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup D:\WINDOWS\Cookies\unknown user@com[1].txt -> TrackingCookie.Com : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjmicicjkdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjlyaldpgap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@cliks[1].txt -> TrackingCookie.Cliks : Cleaned with backup D:\WINDOWS\Cookies\unknown user@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wflyeiajado.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjnyghczmfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjlywpcpkkq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjlogmd5gfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wfkiumdjwlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjkoagajihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjkykidpmco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjnyclcpcho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wfkoeod5gcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjnyomcjkdq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wflocjajogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjkoaodpkgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup D:\WINDOWS\Cookies\unknown user@e-2dj6wjk4aid5khp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup D:\WINDOWS\Cookies\unknown user@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup D:\WINDOWS\Cookies\unknown user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup D:\WINDOWS\Cookies\unknown user@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup D:\Program Files\TBONBin\TBON.EXE -> Adware.BetterInternet : Cleaned with backup D:\Program Files\TBONBin\Uninstall.exe -> Adware.BetterInternet : Cleaned with backup ::Report End Hijack This Log: Logfile of HijackThis v1.99.1 Scan saved at 3:36:19 PM, on 6/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe Thanks Much :-)

06-08-2006, 03:57 PM	#8 (permalink)
icemaid Registered User Join Date: Jun 2006 Posts: 5 OS: XP	Hey, Computer running much better so far :-). I couldn't do the registry fix, when i clicked ok, i got the message: error opening file. May be a disk or file system error, but i did every thing else. Kaspersky log: ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Thursday, June 08, 2006 2:52:58 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 8/06/2006 Kaspersky Anti-Virus database records: 199310 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 46568 Number of viruses found: 6 Number of infected objects: 8 Number of suspicious objects: 2 Duration of the scan process: 00:57:24 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\user\.housecall\Quarantine\rk.bin.bac_a03800 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped C:\Documents and Settings\user\.housecall\Quarantine\RK.EXE.bac_a03800 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped C:\Program Files\Norton AntiVirus\Quarantine\51C44343.htm Infected: Trojan-Clicker.JS.Linker.h skipped C:\Program Files\Norton AntiVirus\Quarantine\75D27C8C Infected: Email-Worm.Win32.Bagle.ey skipped C:\Program Files\Norton AntiVirus\Quarantine\780E2321 Infected: Backdoor.Win32.VB.atw skipped C:\Program Files\Norton AntiVirus\Quarantine\7B992CF3.htm Infected: Trojan-Clicker.JS.Linker.h skipped D:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip/istsvc.exe Suspicious: Password-protected-EXE skipped D:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc.zip ZIP: suspicious - 1 skipped D:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-7a3d6797.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped D:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-7a3d6797.zip ZIP: infected - 1 skipped Scan process completed. Hijack this log: Logfile of HijackThis v1.99.1 Scan saved at 2:57:08 PM, on 6/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\FreeNote\freenote.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\user\My Documents\Unzipped\hijackthis[1]\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [FreeNote] C:\Program Files\FreeNote\freenote.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) - http://www.mail2world.com/mail/FTP/m2wFTPClient.CAB O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148669547596 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities Class v4) - https://accounting.quickbooks.com/c1...2/qboimax4.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

06-16-2006, 02:17 PM	#10 (permalink)
icemaid Registered User Join Date: Jun 2006 Posts: 5 OS: XP	Thanks for all your help, running much, much, much better now :-)