Avast says i'm being attacked??

[Poyan83]

I get a contant message something like:

"avast has blocked an attack from d.com exploit 86.132.151.232/tcp"

Eeer not totally sure if that's accurate word for word, but do u guys have any ideas if that means i'm being hacked?

Also, i've had a problems with win32:Adan before and its come up again.

You guys have helped me before so i'm kitted out with ewido, adaware, cleanup, and microsoft antispyware. I also use cws shredder and HJT... here's my log... is there anything wrong?
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:13:54, on 08/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\O_o''\Desktop\HJT\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116756571931
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A69AE0E-5DF8-491B-97F7-A9B9750147D5}: NameServer = 194.72.9.39 194.74.65.68
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks!

[Ried]

Hello Poyan83,

I'm not seeing anything in this log.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

[Poyan83]

Wow i didn't know there was so much stuff on my computer! O_o'' I thought that i was quite careful...

File C:\WINDOWS\System32\msmsngr.exe infected by "Backdoor.Win32.SdBot.zj" Virus! Action Taken: No Action Taken.
Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ameopt Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxwma.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxsfs.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxinsa64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxinsi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxcpya64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxcpyi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_deu.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_jpn.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C5B0CED-206B-4c39-B615-0EB23C824612}" refers to invalid object "C:\Program Files\Common Files\Adobe\Shell\AIIcon.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{60765DA0-651A-49F0-9B99-5F8A3AD31D9E}" refers to invalid object "C:\Program Files\BT Broadband Basic Help\bin\BTBBUtils.dll". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.WiaProtocol.2" refers to invalid object "{7210ABEE-76C5-084E-9214-149756915579}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\WINDOWS\thin-114-1-x-x.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\WINDOWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\weirdontheweb_topc.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\Temp\Del2A.tmp infected by "Trojan-Downloader.Win32.Small.asf" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\Temp\Del4E.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\Temp\i1F.tmp tagged as "not-a-virus:AdWare.SurfSide.j". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\Temp\nst40.EXE tagged as "not-a-virus:AdWare.SmartPops.c". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\Temp\res34.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\TEMPOR~1\Content.IE5\6XONIVIV\package_adp_SIAC[1].exe tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\TEMPOR~1\Content.IE5\6XONIVIV\screensaver[1].exe tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\TEMPOR~1\Content.IE5\EDU7IXSP\1[1].txt tagged as "not-a-virus:AdWare.SmartPops.c". Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\TEMPOR~1\Content.IE5\EDU7IXSP\regular_plugin[1].exe infected by "Trojan-Downloader.Win32.IstBar.ja" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\O_o''\LOCALS~1\TEMPOR~1\Content.IE5\EZQD6ROP\nem220[1].dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temp\Del2A.tmp infected by "Trojan-Downloader.Win32.Small.asf" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temp\Del4E.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temp\i1F.tmp tagged as "not-a-virus:AdWare.SurfSide.j". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temp\nst40.EXE tagged as "not-a-virus:AdWare.SmartPops.c". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temp\res34.tmp tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temporary Internet Files\Content.IE5\6XONIVIV\package_adp_SIAC[1].exe tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temporary Internet Files\Content.IE5\6XONIVIV\screensaver[1].exe tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temporary Internet Files\Content.IE5\EDU7IXSP\1[1].txt tagged as "not-a-virus:AdWare.SmartPops.c". Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temporary Internet Files\Content.IE5\EDU7IXSP\regular_plugin[1].exe infected by "Trojan-Downloader.Win32.IstBar.ja" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\O_o''\Local Settings\Temporary Internet Files\Content.IE5\EZQD6ROP\nem220[1].dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\25A14E21-30F2-4324-A352-E249C2\3CF438CC-B18F-4FFD-9886-490EC9 tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\40EC7A25-DF10-4B24-B089-0282E9\6D8FD8DB-F5BD-49D3-84EB-763C01 tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\40EC7A25-DF10-4B24-B089-0282E9\CAB4FF13-ECA4-4FE6-8270-0D5468 tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\0B26506B-39F6-4533-9D82-9BF7C6 infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\D10639DF-67BE-44F2-A3C5-A6723C infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\D9359629-9808-4F9C-B7DE-A6A431 infected by "Trojan-Downloader.Win32.Dyfuca.ei" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\D991E850-E04D-4A48-90FE-F41B7F\98FD7766-4B3E-4911-A2BE-94F880 tagged as "not-a-virus:AdWare.Sahat.ad". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\E5747D87-F53C-4FF3-8728-1FD24A\8B35E5C3-6F7C-4084-88FC-59290A tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\2725C355-6271-4820-9FC5-EAA8EB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4688E5C5-B34C-4163-894E-322542 tagged as "not-a-virus:AdWare.ToolBar.Ucmore". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4E58FF70-ABE6-4D08-AF66-3B8223 tagged as "not-a-virus:AdWare.ToolBar.Ucmore.a". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\FF26A467-D4A9-4C73-A481-661325\716A6F77-9E0D-45D4-9EE9-AE22E0 tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\Program Files\Opera\uninst\unwise.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\screensaver.exe tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP28\A0002645.exe tagged as "not-a-virus:Porn-Dialer.Win32.GBDialer.d". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007139.exe tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007146.exe tagged as "not-a-virus:AdWare.Sahat.ag". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007147.exe tagged as "not-a-virus:AdWare.Sahat.ah". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007148.dll tagged as "not-a-virus:AdWare.Sahat.ad". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007149.exe tagged as "not-a-virus:AdWare.Sahat.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007156.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007157.exe tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP42\A0007189.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP6\A0000200.exe infected by "Trojan.Win32.Stervis.c" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP8\A0001053.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3F4745B8-6B04-4913-B9A7-9A5E81107D72}\RP8\A0001178.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Temp\SexyVideoScreenSaver.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\cdmweb\kkbhvfwqbg.exe tagged as "not-a-virus:AdWare.SmartPops.c". Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9I3GZSO\screensaver[1].exe tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\WINDOWS\thin-114-1-x-x.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\WINDOWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\weirdontheweb_topc.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\yspweb.exe infected by "Trojan-Downloader.Win32.IstBar.ja" Virus! Action Taken: No Action Taken.

Should i try to get a serial for the software?

[skate_punk_21]

no serial needed.

Downloads
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET

Download Killbox


Run Downloaded Programs
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\thin-114-1-x-x.exe
C:\WINDOWS\weirdontheweb_topc.exe
C:\yspweb.exe
C:\screensaver.exe


Run CleanUp! Set the program up as follows:

• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following:
  
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Further Scanning
Please run a Scan at the Following site
Panda ActiveScan
You will be given an option to save the Log from this scan.
Save that Log!! and post it here in a new reply

Skate_Punk_21

[Poyan83]

Hey man, i followed your instructions religously...

I checked the four files you wanted me to remove with killbox and they're gone now.

But in my C:\ there's something called "freecontentz.exe" and it says its a Smartloader MFC Application. You have any idea what it is??

Anyways here's my pandascan;



Incident Status Location

Virus:W32/Gaobot.FCZ.worm Disinfected Operating system
Adware:Adware/Ucmore No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\System32\bbchk.exe
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Spyware:Spyware/Bridge No disinfected Windows Registry
Virus:Trj/Downloader.CQL Disinfected C:\freecontentz.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\25A14E21-30F2-4324-A352-E249C2\3CF438CC-B18F-4FFD-9886-490EC9
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\40EC7A25-DF10-4B24-B089-0282E9\6D8FD8DB-F5BD-49D3-84EB-763C01
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\40EC7A25-DF10-4B24-B089-0282E9\CAB4FF13-ECA4-4FE6-8270-0D5468
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\0B26506B-39F6-4533-9D82-9BF7C6
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\D10639DF-67BE-44F2-A3C5-A6723C
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\D9359629-9808-4F9C-B7DE-A6A431
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D991E850-E04D-4A48-90FE-F41B7F\98FD7766-4B3E-4911-A2BE-94F880
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E5747D87-F53C-4FF3-8728-1FD24A\8B35E5C3-6F7C-4084-88FC-59290A
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4688E5C5-B34C-4163-894E-322542
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4CF45B8C-3C5F-43C5-857F-086C41
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4E58FF70-ABE6-4D08-AF66-3B8223
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\90826F04-9B5B-4723-B25C-C85D32
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FF26A467-D4A9-4C73-A481-661325\716A6F77-9E0D-45D4-9EE9-AE22E0
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\bbchk.exe
Adware:Adware/DownloadWare No disinfected C:\WINDOWS\system32\cdmweb\kkbhvfwqbg.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9I3GZSO\screensaver[1].exe
Virus:W32/Gaobot.FCZ.worm Disinfected C:\WINDOWS\system32\winsci.exe
Thanks!

[skate_punk_21]

Hope you kept those programs!
if not use the download links in my prior post.


Tell me If that "freecontentz.exe" is still there now... If not, ignore the reference to it below

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\bbchk.exe
C:\Program Files\Common Files\Totem Shared
C:\freecontentz.exe
C:\WINDOWS\msxct1.ini
C:\WINDOWS\system32\bbchk.exe
C:\WINDOWS\system32\cdmweb\kkbhvfwqbg.exe

Reboot your system - Normal Mode is fine


Run CleanUp! Set the program up as follows:

• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following:
  
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot your system - Normal Mode is fine

Aside from that, hows everything feeling now??

[Poyan83]

Did u say to do those things in normal mode? Well i wasn't sure so i did them in safe mode anyways...

Those files are gone now! ^^

Did another escan... don't really know if my computer is good or not, everything seems fine...


Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ameopt Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxwma.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxsfs.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxinsa64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxinsi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxcpya64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxcpyi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_deu.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_jpn.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C5B0CED-206B-4c39-B615-0EB23C824612}" refers to invalid object "C:\Program Files\Common Files\Adobe\Shell\AIIcon.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{60765DA0-651A-49F0-9B99-5F8A3AD31D9E}" refers to invalid object "C:\Program Files\BT Broadband Basic Help\bin\BTBBUtils.dll". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.WiaProtocol.2" refers to invalid object "{7210ABEE-76C5-084E-9214-149756915579}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\WINDOWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

See anything? Should i do another scan using a different program?

[skate_punk_21]

That log looks good... How are things running?

Run a scan at the site below - at the end when given the option, save a logfile, and post its contents in this thread.

Panda ActiveScan

Things should be running much better now.

[Poyan83]

There certainly seems to be a lot less things found on the scan, which must be a good thing! Here's the pandascan log:



Incident Status Location

Adware:Adware/Ucmore No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Spyware:Spyware/Bridge No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\25A14E21-30F2-4324-A352-E249C2\3CF438CC-B18F-4FFD-9886-490EC9
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\40EC7A25-DF10-4B24-B089-0282E9\6D8FD8DB-F5BD-49D3-84EB-763C01
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\40EC7A25-DF10-4B24-B089-0282E9\CAB4FF13-ECA4-4FE6-8270-0D5468
Adware:Adware/DownloadWare No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4296FA50-84C3-4852-B95D-A5D65C\1B5F212D-1618-42FB-B71C-74068E
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\0B26506B-39F6-4533-9D82-9BF7C6
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\D10639DF-67BE-44F2-A3C5-A6723C
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C54DE315-3140-4C41-92C1-8E3D9B\D9359629-9808-4F9C-B7DE-A6A431
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D991E850-E04D-4A48-90FE-F41B7F\98FD7766-4B3E-4911-A2BE-94F880
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E5747D87-F53C-4FF3-8728-1FD24A\8B35E5C3-6F7C-4084-88FC-59290A
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4688E5C5-B34C-4163-894E-322542
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4CF45B8C-3C5F-43C5-857F-086C41
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\4E58FF70-ABE6-4D08-AF66-3B8223
Adware:Adware/Ucmore No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E78EB6B0-538F-4EAC-9C3D-A05948\90826F04-9B5B-4723-B25C-C85D32
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FF26A467-D4A9-4C73-A481-661325\716A6F77-9E0D-45D4-9EE9-AE22E0
Adware:Adware/WUpd No disinfected C:\Program Files\Opera\profile\cache4\opr00T9R.htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9I3GZSO\screensaver[1].exe

Generally my computer is working fine. But in someways i'm not really sure if i have adaware or trojans. I've uninstalled avast because i feel that its wasting my memory and it doesn't really solve problems but it identifies them. Also, i've stopped using IE aswell because its really prone to attacks etc (so i'm told) and i use Opera now. Sometimes when i do use IE it crashes, which is kinda strange.

What scheduled scans would u suggest that i do every night? And using which programs?

[skate_punk_21]

Thats looking good

Reboot to safe mode & delete these files, and immediately empty your recycling bin:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9I3GZSO\screensaver[1].exe
C:\Program Files\Opera\profile\cache4\opr00T9R.htm
C:\Program Files\Common Files\Totem Shared <<--folder

Reboot to normal mode and your good to go!

I dont reccomend uninstalling IE, as it is needed to obtain critical windows updates, but alternate browsers are a good idea!


Crashes in your system can be from a corrupt system file somewhere along the lines...

Try this --You may need to reinstall some windows updates (thus IE is needed)--
go to "Start|Run" and type sfc /scannow this will check your system for missing or corrupt files, you may be asked for your windows installation CD, so keep it handy if you decide to go for it.

Otherwise:

Congratulations Your Log is Clean!!


System Restore

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.



Windows Updates
I Highly reccomend making the upgrade to Windows XP Service pack 1 & Service Pack 2 Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It is chalk full of security patches and such, as well it comes with a Free Popup Blocker!!!!!


Preventative Measures

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?.

Also Consider...

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:

• Sygate Personal Firewall
• Kerio Personal Firewalll
• ZoneAlarm

How is she running now? Any further problems? If not, Good work, and Happy Computing!

[Poyan83]

Hey man, thanks a lot for all your help!

I deleted all of those files and they're gone now. I couldn't seem to find
"C:\Program Files\Opera\profile\cache4\opr00T9R.htm", but i'm assuming that cleanup might have cleared all the cache files?? Hmmm....

Err, wow that's a lot of programs to download and run in order to prevent viruses and stuff :S ok... thanks again!! ^^

Pui-Yan

[skate_punk_21]

lol, you dont need alllllllllllllll those programs!!!
lol 1 firewall is usually enough, but the spyware things you could use all 3 of...
glad i could help
Skate_Punk_21