Resolved HJT Threads: resolved spyware and popup issues.
#1
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro

Hi,

I'm running XP Home with all the latest updates, with Ad-Aware SE Personal Edition and ZeroSpyware LE, but I can't get rid of these few things that keep showing up in the log. They cause (what look like) official Windows Security pop-ups and open websites I'd rather not visit. Also they seem to slow down my computer and make it crash all the time. I've got everything up to date but I can't System Restore (don't know if there's a link here, because I could before) and can't get rid of these few bits. I've posted it here and hope someone can help.

Logfile of HijackThis v1.97.7
Scan saved at 20:54:41, on 13/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\BtUsrBdg.exe
C:\WINDOWS\System32\BTSetBootKey.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121104012062
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74981C0-A043-44ED-9222-A406510EF3BF}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

There seems to be no anti-virus application installed on this machine. Anti-virus programs protect against infections. Without one, you're vulnerable to every virus, spyware program, trojan and piece of malware that is floating around out there. I urge you to install an anti-virus program as quickly as possible. Please choose one from these 3 free programs that are available for home use:

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page wouldn't be available then. It is also important that you don't miss a step and perform everything in the right order! If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

You are currently running an outdated version of HijackThis. Please click on the link below to download the most current version:

Delete your current HijackThis.exe file and double-click on the file you just downloaded, then click on the Unzip button to install the newer version. It will be installed to the C:\Program Files\HijackThis\ directory by default. I would require your next HJT log to be from this newer version. Please do not run HijackThis from its current location. Create a permanent folder and move HijackThis.exe into it.

~~~~~~~~~~~~~~

Please download these additional files/programs (do not run them unless instructed to do so). Unplug your computer from the Internet when you have finished downloading.

Place a shortcut to Panda ActiveScan on your desktop.
Download smitRem.zip and save the file to your desktop. Right-click on the file and extract it to its own folder on the desktop.
Download & install CleanUp!
Download Ewido Security Suite. Install & update its database but do not run it yet.
If you have not already installed Ad-Aware SE 1.06, download and update Ad-Aware SE Setup. Don't run it yet!

~~~~~~~~~~~~~~

ZeroSpyware - These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection. Uninstall the following programs, if present, using Control Panel > Add/Remove Programs:

~~~~~~~~~~~~~~

Reboot to Safe Mode.

~~~~~~~~~~~~~~

Run a scan with HijackThis, select (tick) the following and click [Fix checked]:

O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74981C0-A043-44ED-9222-A406510EF3BF}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5

~~~~~~~~~~~~~~

Enable the viewing of hidden files.

Locate and delete the following folder(s), if present:
C:\Program Files\FBM Software\

~~~~~~~~~~~~~~

Run CleanUp! and configure the program as follows:

~~~~~~~~~~~~~~

Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and Disk Cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

~~~~~~~~~~~~~~

Open Ad-Aware and close ALL other windows.

~~~~~~~~~~~~~~

Run Ewido:

~~~~~~~~~~~~~~

Next go to Control Panel, click Display > Desktop > Customize Desktop > Website, and uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the Autoclean box is checked! Save the scan log and post it along with a new HijackThis log, smitfiles.txt and the Ewido log. Let us know if any problems persist.
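The O17 lines in post #1 that the moderator ticks above are the real problem in this log: three adapter keys under Tcpip have NameServer set to the same two public addresses, so every name lookup on this machine is answered by whoever runs them, which is exactly how "official-looking" security pop-ups and unwanted sites get served. The second log in this thread also shows O15 Trusted Zone grants and an O21 SSODL DLL, which the same triage should catch. The script below is an added example for this thread, not code from the forum or from HijackThis: it parses HJT O15/O17/O21 lines and flags what the fix list targets. The expected resolver (192.168.1.254) and the benign O17 line in the sample are made up for contrast; the other sample lines are copied from the logs in this thread.

```python
"""Triage a HijackThis log for the entry types at issue in this thread.

Added example, not part of the forum thread and not HijackThis' own code.
Assumptions not taken from the page: EXPECTED_DNS is the resolver set the
analyst knows to be legitimate for this machine (here a made-up router
address), and SAMPLE_LOG is constructed from lines quoted in the thread
plus one made-up benign O17 line.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumption: the only resolver this machine should be using.
EXPECTED_DNS = {"192.168.1.254"}

# Constructed sample in the shape HJT v1.99 writes; the O17 line with the
# router address is invented for contrast, the rest come from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.254
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag: O15, O17 or O21
    reason: str
    line: str     # the log line as written, so it can be ticked in HJT


_O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
_O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
_O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def parse_nameservers(value: str) -> list[str]:
    """Split an O17 NameServer value into validated addresses.

    HJT prints the registry value verbatim. In this thread one adapter
    used a comma separator and another a space, so both are accepted.
    """
    servers = []
    for token in re.split(r"[,\s]+", value.strip()):
        if token:
            ipaddress.ip_address(token)  # ValueError on anything that is not an IP
            servers.append(token)
    return servers


def triage(log_text: str, expected_dns: set[str] = EXPECTED_DNS) -> list[Finding]:
    """Return one Finding per entry that should be reviewed (and usually fixed)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O17_RE.match(line):
            # A NameServer value that is not the expected resolver means every
            # lookup on that adapter is answered by whoever runs that address.
            for server in parse_nameservers(m["servers"]):
                if server in expected_dns:
                    continue
                scope = "public" if ipaddress.ip_address(server).is_global else "private"
                findings.append(Finding(
                    "O17", f"NameServer {server} ({scope}) is not the expected resolver", line))
        elif m := _O15_RE.match(line):
            # Trusted Zone entries relax IE's security settings for that host.
            findings.append(Finding("O15", f"Trusted Zone grant for {m['host']}", line))
        elif m := _O21_RE.match(line):
            # SSODL entries load a DLL into Explorer at logon; legitimate ones are few.
            findings.append(Finding(
                "O21", f"Explorer loads {m['path']} at logon ({m['name']})", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The allowlist comparison is deliberate: an O17 entry is not wrong because the address is public (an ISP resolver is public too) but because it is not the resolver this machine was configured with, so the analyst supplies that set rather than the script guessing it.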
#3
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro

Thanks,

I have downloaded all the software you mentioned, but can't uninstall ZeroSpyware LE. It doesn't appear in the Add/Remove Programs listing, and when I select uninstall from the program's own roll-out, it says some files are missing and aborts the uninstallation. Is there another way of uninstalling software? I don't want to just delete it. When this is sorted I'll continue with the rest of your advice. Cheers
#4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A

Let's ignore ZeroSpyware for the moment. I found some disturbing news about it. You may be interested to read it...
Quote:
#5
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro

Hi

Done everything you said, here are the log files. First the HijackThis log. I deleted the NameServer files you requested but left the ZeroSpyware stuff after reading your last post.

Logfile of HijackThis v1.99.1
Scan saved at 23:00:31, on 13/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\BtUsrBdg.exe
C:\WINDOWS\System32\BTSetBootKey.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121104012062
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74981C0-A043-44ED-9222-A406510EF3BF}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

I then ran the smitRem program; here's the logfile:

Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~

Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~

~~~ Wininet.dll ~~~
Not Infected!

Then the Ewido logfile. Note: one file the program wanted couldn't be deleted from the System Volume Information folder without deleting the whole archive (a Windows warning popped up), so I left it. I'll wait for your advice on this; I made a note of the exact file but it's very long.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:34:00, 14/07/2005
+ Report-Checksum: E9B59153

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{44A4F449-ADED-A513-8AE7-5A3DDF205F49} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandHelper -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandHelper\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandHelper\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B} -> Spyware.ASSbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B} -> Spyware.ASSbar : Cleaned with backup
HKU\S-1-5-21-4269178923-4130427461-1301604636-1003\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-4269178923-4130427461-1301604636-1003\Software\WareOut\FirstRun -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-4269178923-4130427461-1301604636-1003\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-4269178923-4130427461-1301604636-1003\Software\WareOut\Registration -> TrojanDownloader.Wareout : Cleaned with backup
C:\compaq\lutil\WizHost.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\wtta.exe -> Spyware.PurityScan : Cleaned with backup
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\BackUp\WINXP\Owner\Win.ini:gwwyv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP52\A0053446.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP59\A0055752.exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP59\A0055753.exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP59\A0055823.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP59\A0055834.EXE:srrfeg -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP60\A0055837.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055846.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055856.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055857.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055868.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055870.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055874.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP61\A0055875.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056635.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056640.exe -> TrojanDownloader.Zlob.w : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056643.exe -> TrojanDropper.Small.acb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056652.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056677.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056686.exe -> TrojanDownloader.Zlob.w : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056689.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP63\A0056698.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056708.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056713.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056714.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056738.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056746.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056747.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056748.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056781.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP64\A0056789.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056818.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056823.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056831.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056832.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056839.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056847.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056853.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056855.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056858.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056866.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP65\A0056867.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP66\A0056878.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP66\A0056880.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP66\A0056887.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP66\A0056934.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP66\A0056942.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP67\A0056946.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP67\A0056956.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP67\A0056958.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP67\A0057005.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP67\A0057013.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP67\A0057052.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP70\A0057097.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP70\A0057130.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057730.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057848.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057857.exe/UCMTSAIE.DLL -> Spyware.UCmore : Error during cleaning
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057857.exe/IUCMORE.DLL -> Spyware.UCmore : Error during cleaning
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057858.exe -> TrojanDownloader.Small.aou : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057859.dll -> TrojanDownloader.Agent.ns : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0058051.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0058058.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0058255.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0059255.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0060255.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0060262.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0060266.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0060267.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0060298.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0060306.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0060322.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0060358.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0060359.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0060742.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0060748.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061740.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061748.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061791.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061798.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061810.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061818.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP94\A0061819.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061855.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061863.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061867.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061875.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061879.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061887.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061900.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061908.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061925.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0061932.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062100.exe -> Trojan.TopAntiSpyware : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062101.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\addmu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\deinstall.exe -> Trojan.Krepper.ak : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnFR1383.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\ipun32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jgtfr.txt:xjrndq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ODBC.INI:wbkmv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBCINST(2)(2).INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINDOWS\ODBCINST(2).INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINDOWS\ODBCINST(3).INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINDOWS\ODBCINST(4).INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINDOWS\OEWABLog.txt:fophdb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\orun32(2).ini:tltsjn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\orun32(3).ini:tltsjn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\orun32(4).ini:tltsjn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:oyxma -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:rjgtnd -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\smscfg(2).ini:zzaxx -> Spyware.Ipyn : Cleaned with backup
C:\WINDOWS\smscfg(3).ini:zzaxx -> Spyware.Ipyn : Cleaned with backup
C:\WINDOWS\system32\cckwk.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\d3wc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\fxeetdoo.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\gwzg.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\iexplore.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\WINDOWS\system32\jnkj.exe -> TrojanDropper.Agent.mm : Cleaned with backup
C:\WINDOWS\system32\kbsdk.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\mfcmf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\msfr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\nzrif.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\ogdqk.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\oiabjst.exe -> TrojanProxy.Ranky : Cleaned with backup
C:\WINDOWS\system32\paydial.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> TrojanDownloader.Harnig.aj : Cleaned with backup
C:\WINDOWS\system32\qzbdpmx.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\rtvk.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\tvkel.exe -> TrojanDropper.Agent.mm : Cleaned with backup
C:\WINDOWS\system32\vlpvne.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\WINDOWS\system32\xftq.exe
-> TrojanDropper.Agent.lt : Cleaned with backup C:\WINDOWS\system32\ypuaqso.exe -> Backdoor.Agent.jo : Cleaned with backup C:\WINDOWS\system32\zoamk.exe -> TrojanDropper.Agent.mm : Cleaned with backup C:\WINDOWS\tool.exe -> TrojanDownloader.Small.aqt : Cleaned with backup C:\WINDOWS\tool1.exe -> Trojan.LowZones.y : Cleaned with backup C:\WINDOWS\vbaddin(2).ini:nkyrr -> Spyware.Ipyn : Cleaned with backup C:\WINDOWS\vbaddin(2).ini:xnhmr -> TrojanDownloader.Agent.jb : Cleaned with backup C:\WINDOWS\win.ini:gwwyv -> TrojanDownloader.Agent.bc : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:addgam -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:bthhd -> Spyware.Ipyn : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:kwxgt -> TrojanDownloader.Agent.jb : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:nhatau -> Spyware.Ipyn : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:paijmh -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:tdhbne -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default(2)(2).pif:ugqnyk -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default(2).pif:addgam -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default(2).pif:bthhd -> Spyware.Ipyn : Cleaned with backup C:\WINDOWS\_default(2).pif:kwxgt -> TrojanDownloader.Agent.jb : Cleaned with backup C:\WINDOWS\_default(2).pif:nhatau -> Spyware.Ipyn : Cleaned with backup C:\WINDOWS\_default(2).pif:paijmh -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default(2).pif:tdhbne -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default(2).pif:ugqnyk -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_MSRSTRT.EXE:euqdcj -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_MSRSTRT.EXE:srrfeg -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_MSRSTRT.EXE:wvjjxt -> TrojanDownloader.Agent.bq : Cleaned with backup ::Report End Also Ad Aware found nothing when i did the scan, which is maybe a good thing after reading the 
problems people have had with running ZeroSpyware and Ad-Aware together. Any suggestions for what I do about that, and is everything fine now looking at the logs? (a lot to look at I know!) Many thanks |
|
|
|
|
#6 (permalink) |
|
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
|
Hi,
Just quickly add a new hijackthis log taken after all the scans were done (i'm not sure about the trusted zone stuff, is that alright?). Hopefully this will be useful. Logfile of HijackThis v1.99.1 Scan saved at 20:57:26, on 14/07/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\Program Files\USB Storage RW\shwicon.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\WINDOWS\System32\BtUsrBdg.exe C:\WINDOWS\System32\BTSetBootKey.exe C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE 
C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Avant Browser\avant.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/ O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - 
HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Open All Links in This Page... 
- C:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.skoobidoo.com (HKLM) O15 - Trusted Zone: *.slotchbar.com (HKLM) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121104012062 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE thanks |
|
|
|
|
#7 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A
|
Where files in System Volume Information are concerned, we can leave it for the moment. When we have fully disinfected you, we'll flush that directory.
You still owe me a Panda scan result.
= = = = = = = = = = =
Please download these additional files/programs. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program. Do not run them unless instructed to do so.
peek2.txt - Download & rename it to "peek2.bat". Double-click on it & wait for notepad to open. Paste the contents in your next reply.
DelO15Domains.inf - Right click & choose "Save As..." DelO15Domains.inf. Right click on DelO15Domains.inf and choose Install. It will run immediately * you won't be able to see anything happen
Unplug your computer from the Internet when you have finished downloading
= = = = = = = = = = =
Run a HiJackThis scan. Select the following entries & click Fix checked :
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
= = = = = = = = = = =
Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
= = = = = = = = = = =
Reboot & "pay" me the Panda scan you owed... I also require a fresh HJT log & peek2.bat's results
__________________
|
|
|
|
|
#8 (permalink) |
|
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
|
Hi,
Did a Panda scan earlier along with all the other stuff but it found nothing so I didn't get to see a report. Did another scan though after downloading peek2 and the other stuff and here's the log
Incident Status Location
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:Adware/PowerScan No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Spyware:Spyware/Harnig No disinfected C:\WINDOWS\Downloaded Program Files\load.exe
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\toolbar.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\**** Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Adware:Adware/CWS.Searchmeup No disinfected C:\new.exe
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\$NtUninstallKB883939-IE6SP1-20050428.125228$\wininet.dll
Adware:Adware/Mirar No disinfected C:\WINDOWS\Downloaded Program Files\MirarSetup.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:Adware/StartPage.WI No disinfected C:\WINDOWS\system32\backup.old
Adware:Adware/StartPage.WI No disinfected C:\WINDOWS\system32\cassandra.exe
Adware:Adware/Startpage.YR No disinfected C:\WINDOWS\system32\fjeobdaa.tmp
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\mnmrspl.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\mnooi.dll
And log for Peek2
regedit /e peek.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6E676F9-A28C-4EF0-B138-002AB9A56A24}"
type peek.txt>>C:\look.txt
del peek*.txt
start /wait notepad C:\look.txt
del c:\look.txt
And the del015domains log
; DelDomains.inf
; Created by: Mike Burgess Microsoft MVP
; http://mvps.org/winhelp2002/
;
; Warning: Deletes all entries in the Restricted & Trusted Zone list
;
; To execute this file: in Explorer - right-click (this file)
; Select Install from the Menu.
[version]
signature="$CHICAGO$"
[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps
[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
; Recreate the keys to avoid a restart
[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
And a new HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 08:37:15, on 15/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\windows\system\hpsysdrv.exe C:\Program Files\USB Storage RW\shwicon.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\WINDOWS\System32\BtUsrBdg.exe C:\WINDOWS\System32\BTSetBootKey.exe C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe C:\Program Files\Avant Browser\avant.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\NOTEPAD.EXE C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/ O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: 
[HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common 
Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121104012062 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE Also AVG Antivirus keeps popping up sying its finding stuff, i'll leave that for now until the rest is sorted thanks |
|
|
|
|
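As an added example (not a tool from the thread or from HijackThis itself), here is a small Python triage script for HijackThis-format log lines that flags the entry types the helper acts on in this thread: O15 Trusted Zone additions, O17 NameServer overrides not on an operator-supplied allowlist, O21 ShellServiceObjectDelayLoad DLLs with an unrecognised CLSID, and O23 services with an unknown owner. The sample log is constructed from lines in the logs posted above; the allowlist parameters and the severity labels are assumptions of this example.

```python
r"""Triage helper for HijackThis-format log lines.

Added example, not part of the thread or of HijackThis itself.  HijackThis prints
one entry per line as "<section> - <detail>", for instance:
    O15 - Trusted Zone: *.example.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
    O21 - SSODL: Name - {CLSID} - C:\path\to.dll
The parser below picks out the entry types a helper looks at first and returns
the ones worth ticking under "Fix checked" (high) or asking about (review).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# One HijackThis entry: section tag (R0-R3, F0-F3, N1-N4, O1-O24), " - ", detail.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    section: str
    detail: str
    severity: str  # "high": fix it; "review": ask the user or vendor before acting
    reason: str

    @property
    def entry(self) -> str:
        """The original log line, in the form a helper quotes back for ticking."""
        return f"{self.section} - {self.detail}"


def triage(log_text: str,
           trusted_dns: Iterable[str] = (),
           known_ssodl_clsids: Iterable[str] = ()) -> list[Finding]:
    """Scan a HijackThis log and return findings in log order.

    trusted_dns: resolver addresses the operator knows are legitimate for this
    network (assumption of this example; an empty allowlist flags every O17).
    known_ssodl_clsids: CLSIDs of ShellServiceObjectDelayLoad objects known to be
    benign on this build (same assumption; empty means every O21 is flagged).
    """
    trusted = {s.strip() for s in trusted_dns}
    known_clsids = {c.upper() for c in known_ssodl_clsids}
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the process list, blank lines
        sec, detail = m.group("section"), m.group("detail")
        if sec == "O15":
            # A Trusted Zone entry lets the listed domain run content under relaxed
            # IE security settings; on a home PC a wildcard entry is rarely wanted.
            findings.append(Finding(sec, detail, "high", "domain added to IE Trusted Zone"))
        elif sec == "O17":
            ns = NAMESERVER_RE.search(detail)
            if ns:
                unknown = [s for s in ns.group("servers").split() if s not in trusted]
                if unknown:
                    findings.append(Finding(sec, detail, "high",
                                            "DNS resolvers not on allowlist: " + ", ".join(unknown)))
        elif sec == "O21":
            # SSODL (ShellServiceObjectDelayLoad) DLLs are loaded by explorer.exe at
            # every logon, which makes the key a common persistence point.
            c = CLSID_RE.search(detail)
            clsid = c.group(0).upper() if c else ""
            if clsid not in known_clsids:
                findings.append(Finding(sec, detail, "high",
                                        "ShellServiceObjectDelayLoad DLL with unrecognised CLSID"))
        elif sec == "O23" and " - Unknown owner - " in detail:
            # HijackThis prints "Unknown owner" when the service binary carries no
            # company name; often just OEM software without version info, but worth a look.
            findings.append(Finding(sec, detail, "review", "service binary has no vendor name"))
    return findings


def fix_candidates(findings: Iterable[Finding]) -> list[str]:
    """Entries a helper would ask the user to tick under 'Fix checked'."""
    return [f.entry for f in findings if f.severity == "high"]


# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# with benign entries interleaved so the filter has something to ignore.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
    print("\nFix checked:")
    for line in fix_candidates(results):
        print("  " + line)
```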
#9 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A
|
There's something wrong.
The logs you posted are incorrect. There wasn't supposed to be a log for DelO15domain. You were supposed to right click on DelO15Domains.inf and choose Install. It will simply run w/o creating a log. The log you posted was merely the contents of the DelO15domain script. Pls re-do the step again.
You also posted the wrong log for peek2.bat. You posted the contents of the script again.
Please do this..
Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. enable the option for `Show hidden files and folder´
3. disable the option for `Hide file extensions for known types´
4. disable the option for `Hide protected operating system files´
5. click "Yes" to confirm & then click "OK"
Take another look at peek2.bat. Is the name correct? Is it peek2.bat or peek2.txt?
= = = = = = = = = = =
Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
Go to the File menu, and choose Paste from Clipboard
* this feature does not work on older versions of Killbox
Tell me more about the AVG detections. Infection names & locations..
Click the dropdown-arrow next to the "Full Path of File to Delete" field. Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = =
__________________
|
|
|
|
|
#11 (permalink) |
|
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
|
Ran Del015domain and peek2 again but nothing happens. Del015domain installs but doesn't appear to display any files or logs, and peek2.bat runs but nothing is displayed in the notepad.
Also I downloaded Killbox but can't cut and paste file names into it, and what am I supposed to press, or does it delete the files automatically when I reboot? |
|
|
|
|
#13 (permalink) |
|
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
|
Hi
Used Killbox but it said that 'PendingFileRenameOperations registry data has been removed by external process'. Clicked OK and the computer didn't reboot. What does this mean? Also AVG seems to have stopped popping up all the time now, but it was complaining about a trojan. Will post details immediately if it pops up again. Many thanks |
|
|
|
|
#14 (permalink) |
|
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
|
Can you check my HijackThis log and confirm whether or not I'm in the clear.
Logfile of HijackThis v1.99.1
Scan saved at 21:41:51, on 15/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\BtUsrBdg.exe
C:\WINDOWS\System32\BTSetBootKey.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121104012062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
#15
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A
Your log has been clean since the last 2 occasions you posted.
With KillBox, "PendingFileRenameOperations registry data has been removed by external process" means you have to reboot manually. The peek2.bat is for extracting your registry key regarding ZeroSpyware. Since it's not working, I would like you to re-install ZeroSpyware over itself. Then reboot & try uninstalling it from Add/Remove. Let me know how it goes.
#16
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
Hi,
I reinstalled ZeroSpyware over itself, then uninstalled it completely using Control Panel > Add/Remove Programs. My HijackThis log is still clean; it's the same as the one I last posted, but I still get viruses showing up in AVG, Ewido and Panda Scan, which seem to be the same ones as before. I am currently doing a Panda scan and will post the log/report along with HijackThis & Ewido when it's done.
#17
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A
If possible, let me know the names/locations of the viruses detected by Ewido/AVG.
I shall wait for the results from the Panda scan.
#18
Registered User
Join Date: Oct 2004
Posts: 60
OS: XP Pro
Hi,
The trojan AVG keeps warning about is at path c:\windows\system32\rdsdin, Trojan Horse Clicker FR.
Ewido log is as follows:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 15:20:15, 16/07/2005
+ Report-Checksum: 6D4238C0
+ Scan result:
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057857.exe/UCMTSAIE.DLL -> Spyware.UCmore : Error during cleaning
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP93\A0057857.exe/IUCMORE.DLL -> Spyware.UCmore : Error during cleaning
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062104.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062105.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062106.ini:gwwyv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062107.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062108.exe -> Trojan.Krepper.ak : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062109.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062110.INI:wbkmv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062111.INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062112.INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062113.INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062114.INI:ikanpd -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062115.ini:tltsjn -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062116.ini:tltsjn -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062117.ini:tltsjn -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062118.ini:zzaxx -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062119.ini:zzaxx -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062121.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062122.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062125.exe -> TrojanDropper.Agent.mm : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062127.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062128.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062136.exe -> TrojanDropper.Agent.mm : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062142.exe -> Trojan.LowZones.y : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062143.ini:nkyrr -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062143.ini:xnhmr -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:addgam -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:bthhd -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:kwxgt -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:nhatau -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:paijmh -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:tdhbne -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062144.pif:ugqnyk -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:addgam -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:bthhd -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:kwxgt -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:nhatau -> Spyware.Ipyn : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:paijmh -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:tdhbne -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062145.pif:ugqnyk -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062146.EXE:euqdcj -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062146.EXE:srrfeg -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062146.EXE:wvjjxt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062147.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062156.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP95\A0062168.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP96\A0062183.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP96\A0062203.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP96\A0062212.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP96\A0062226.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP96\A0062241.exe -> TrojanDropper.Vidro.p : Cleaned with backup
::Report End

Ewido still wants to delete a file(s) that Windows says cannot be deleted without deleting the whole System Volume archive.
The warning message is as follows: 'The file c:\System Volume Information\-restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}RP93\A0057857.exe\UCMTS AIE.DLL cannot be removed because it is embedded in the archive c:\System Volume Inormation\-restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}RP93\A0057857.exe. Dou (sic) you want to remove the whole archive?'

Panda Active Scan log is as follows:

Incident  Status  Location
Adware:adware/cws  No disinfected  C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Adware:adware/cws.searchmeup  No disinfected  C:\new.exe
Spyware:spyware/bargainbuddy  No disinfected  C:\WINDOWS\msxct1.ini
Spyware:spyware/petro-line  No disinfected  HKEY_CLASSES_ROOT\CLSID\{22A88341-AFCB-45F0-A856-C2BAE74F878E}
Adware:adware/superspider  No disinfected  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\HPDED
Adware:adware/powerscan  No disinfected  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/mediatickets  No disinfected  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0\PPCIMDNNNJBEAHEPFABJIPFGINLOEDKG EGCKAK
Spyware:spyware/wareout  No disinfected  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Adware:adware/sbsoft  No disinfected  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{08BEC6AA-49FC-4379-3587-4B21E286C19E}
Adware:adware/brilliantdigital  No disinfected  HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Mirar  No disinfected  C:\WINDOWS\Downloaded Program Files\MirarSetup.exe
Adware:Adware/StartPage.WI  No disinfected  C:\WINDOWS\system32\backup.old
Adware:Adware/StartPage.WI  No disinfected  C:\WINDOWS\system32\cassandra.exe
Adware:Adware/Apropos  No disinfected  C:\WINDOWS\system32\mnmrspl.exe
Adware:Adware/SBSoft  No disinfected  C:\WINDOWS\system32\mnooi.dll
Possible Virus.  No disinfected  C:\WINDOWS\system32\?hkdsk.exe

And the HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:42:13, on 16/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\BtUsrBdg.exe
C:\WINDOWS\System32\BTSetBootKey.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121104012062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program Files\Alias\Alias ImageStudio 2.1\bin\renderqueue.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

I did a HijackThis scan while Panda Active Scan was running and it found a nameserver file, but after the Panda scan was finished I ran another one and, as you can see from the above log, it's disappeared (but probably not gone).
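The comparison the poster makes by eye above (an O17 NameServer entry present in the 15/07 log and absent on 16/07) can be done mechanically. This is an added example, not code from the thread or from HijackThis itself: it parses two HJT logs into their section entries, lists what vanished or appeared between scans, pulls the DNS servers out of any O17 line, and flags O4 Run entries that name a bare executable with no path. The two logs are constructed excerpts of the ones quoted in the thread; the function names are my own.

```python
import re

# Constructed excerpts of the two HijackThis logs quoted in this thread
# (15/07 and 16/07); only a few representative entries are kept.
LOG_15_JULY = r"""
Logfile of HijackThis v1.99.1
Scan saved at 21:41:51, on 15/07/2005
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
"""
LOG_16_JULY = r"""
Logfile of HijackThis v1.99.1
Scan saved at 16:42:13, on 16/07/2005
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# An HJT entry is "<section code> - <text>", e.g. "O17 - ..."; header lines
# and the running-process list carry no code and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
NS_RE = re.compile(r"NameServer = (.+)$")
RUN_RE = re.compile(r"\[([^\]]+)\]\s+(.*)$")

def parse_hjt(text):
    """Map each section code to the set of entry texts under it."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries

def _code_key(code):
    return (code[0], int(code[1:]))  # O4 < O17 < O23, numerically

def diff_hjt(old_text, new_text):
    """Return (removed, added): entries present in only one of the logs."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    removed, added = [], []
    for code in sorted(set(old) | set(new), key=_code_key):
        before, after = old.get(code, set()), new.get(code, set())
        removed += [f"{code} - {e}" for e in sorted(before - after)]
        added += [f"{code} - {e}" for e in sorted(after - before)]
    return removed, added

def nameservers(text):
    """DNS server addresses listed in O17 NameServer entries (the entry the
    poster calls the 'nameserver file'); empty when no O17 line is present."""
    ips = []
    for entry in sorted(parse_hjt(text).get("O17", ())):
        m = NS_RE.search(entry)
        if m:
            ips.extend(m.group(1).split())
    return ips

def unresolved_run_entries(text):
    """Labels of O4 Run entries whose program is a bare file name with no
    drive or directory: Windows locates it through the PATH at logon, so the
    log alone does not say which file actually executes."""
    labels = []
    for entry in sorted(parse_hjt(text).get("O4", ())):
        m = RUN_RE.search(entry)
        if not m:
            continue  # Global Startup .lnk entries carry no [label]
        label, command = m.groups()
        if command.startswith('"'):
            exe = command[1:].split('"', 1)[0]
        else:
            exe = command.split(None, 1)[0]
        if "\\" not in exe and ":" not in exe:
            labels.append(label)
    return labels
```

Calling diff_hjt(LOG_15_JULY, LOG_16_JULY) reports the ZSLEScheduler Run entry, the O17 NameServer line and the FileDeleter service as gone and nothing new; unresolved_run_entries shows that both nwiz.exe and the RunDll32.exe launcher are found via PATH rather than an explicit path.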
#19
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A
Log is still clean. Glad to hear that ZeroSpyware isn't there anymore. Let me give you some freebies in return.
I recommend that you get the following free programs:
Panda found some orphaned entries in your Registry. Whilst they may be harmless, we'll try to remove them. I have attached a file to this post - regdel.txt - Download & rename it to "regdel.reg". Double-click to run it & answer Yes when prompted to merge into the Registry.
Some files that were supposed to be removed have re-appeared in the Panda scan. Let's remove them from Safe Mode.
= = = = = = = = = = =
Reboot to Safe Mode
Restart the computer. The computer begins processing a set of instructions known as BIOS. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the 'Windows Advanced Options' menu appears. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.
= = = = = = = = = = =
Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools > Folder Options > View tab.
2. Enable the option for 'Show hidden files and folders'.
3. Disable the option for 'Hide file extensions for known types'.
4. Disable the option for 'Hide protected operating system files'.
5. Click "Yes" to confirm & then click "OK".
= = =
Locate and delete the following file(s), if present:
= = = = = = = = = = =
Run Cleanup! & configure the program as follows:
= = = = = = = = = = =
Let's do it differently this time. Come back in two days' time with a fresh Panda report & HJT log. Let's see if you can remain clean.