#1
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
HJT Log Help!

Think it's another spyware attack. Here is the log... please advise. Thanks guys!

Logfile of HijackThis v1.99.0
Scan saved at 5:32:05 AM, on 8/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\d3yu.exe
C:\WINDOWS\system32\crol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\prefs.js)
O2 - BHO: Class - {31680D7A-0465-9307-C513-D7B794F073C8} - C:\WINDOWS\system32\ipih.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [crol.exe] C:\WINDOWS\system32\crol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_12_0.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3yu.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Washer Security Access - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,247
OS: N/A
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Start HijackThis & go to Config > Misc Tools > Open ADS Spy

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them until instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HijackThis program.

CleanUp!.exe - Install
About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.
CWShredder.exe

I need you to update Ewido again. Please go to this website - http://www.ewido.net/en/download/updates/
Download the full updated database (approximately 3600 KB) & install it onto your copy of Ewido.

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise. If there's anything that you don't understand, kindly ask your question(s) before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HijackThis & select/tick the following & click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\system32\)
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {31680D7A-0465-9307-C513-D7B794F073C8} - C:\WINDOWS\system32\ipih.dll
O4 - HKLM\..\Run: [crol.exe] C:\WINDOWS\system32\crol.exe
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3yu.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CleanUp! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
1. Click Scanner
2. Click Complete System Scan to begin scanning.
3. Click OK when prompted to clean files
4. With the first file it prompts to clean, select the option: "Perform action on all infections"
5. Choose clean and click OK.
6. Once finished, click the Save report button
7. Save the report to your desktop
** The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Kaspersky WebScanner
Next click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
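The entries Subs ticked in the reply above follow a pattern rather than a list of known-bad names: IE start/search settings redirected by res:// into a DLL in system32, a BHO and a Run entry pointing at short random-named files in system32, an orphaned O18 MIME filter, and a service with vendor "Unknown" started from system32. The script below is an added example (not code from this thread, from HijackThis or from TSF) that applies those same heuristics to HJT log lines. The sample lines are copied from the first log in this thread; the KNOWN_SYSTEM allowlist and the 3-to-6-character "random name" rule are assumptions of the example, not part of anything the thread states.

```python
"""Triage of HijackThis (HJT) log lines using the heuristics applied in this
thread.  Added example; not part of the original post or of HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the first log posted in this
# thread, chosen so that every heuristic below fires at least once.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\d3yu.exe
C:\WINDOWS\system32\crol.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fdeom.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {31680D7A-0465-9307-C513-D7B794F073C8} - C:\WINDOWS\system32\ipih.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [crol.exe] C:\WINDOWS\system32\crol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3yu.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([RNOF]\d+) - (.*)$")            # "O4 - ..." style line
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.I)
RANDOM_STEM = re.compile(r"^[a-z0-9]{3,6}$")          # short, lowercase, meaningless
# Assumption of this example: core Windows binaries that would otherwise trip
# the short-name rule.  A real allowlist would be longer.
KNOWN_SYSTEM = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "cisvc", "cidaemon", "snmp", "explorer"}


@dataclass
class Finding:
    section: str   # HJT section ("R1", "O23", ...) or "process"
    line: str
    reason: str


def system32_stem(path: str) -> str | None:
    """File stem (name without extension) if path is directly under system32."""
    m = SYSTEM32.match(path.strip().strip('"'))
    return m.group(1).rsplit(".", 1)[0] if m else None


def looks_random(stem: str) -> bool:
    return stem not in KNOWN_SYSTEM and RANDOM_STEM.match(stem) is not None


def first_path(command: str) -> str:
    """First executable of an O4 command line: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            # Not an HJT entry: bare .exe paths come from the "Running processes" list.
            stem = system32_stem(line)
            if line.lower().endswith(".exe") and stem and looks_random(stem):
                findings.append(Finding("process", line, "randomly named executable running from system32"))
            continue
        section, body = m.group(1), m.group(2)
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            # res://<dll>/<page>: the start/search page is served out of a DLL resource
            if value.lower().startswith("res://") and system32_stem(value[6:].split("/")[0]):
                findings.append(Finding(section, line, "IE start/search page served from a DLL under system32 (res:// hijack)"))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, line, "default URLSearchHook removed; HijackThis can restore it"))
        elif section == "O2":
            stem = system32_stem(body.split(" - ")[-1])
            if stem and looks_random(stem):
                findings.append(Finding(section, line, "BHO loading a randomly named DLL from system32"))
        elif section == "O4":
            m4 = re.match(r"^HK\w+\\\.\.\\Run: \[[^\]]+\] (.*)$", body)
            if m4:
                stem = system32_stem(first_path(m4.group(1)))
                if stem and looks_random(stem):
                    findings.append(Finding(section, line, "Run key starting a randomly named executable from system32"))
        elif section == "O18" and body.startswith("Filter hijack:") and body.endswith("(no file)"):
            findings.append(Finding(section, line, "orphaned MIME filter hijack (DLL already gone)"))
        elif section == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ")
            if len(parts) >= 3 and parts[1] == "Unknown" and system32_stem(" - ".join(parts[2:])):
                findings.append(Finding(section, line, "service with no vendor string running from system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it and the flagged lines are exactly the ones Subs asked to have fixed, plus the two matching processes from the running-process list. The about:blank Default_Page_URL is deliberately not flagged: on its own it is not evidence of anything, even though it was ticked along with the rest. The short-name rule is the weak link, which is why smss.exe needs an allowlist; on a real machine you would verify anything it flags against file vendor, signature and creation time before acting on it.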
#3
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Logfile of HijackThis v1.99.0
Scan saved at 7:25:03 PM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\My Documents\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_12_0.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Washer Security Access - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

AboutBuster 5.0 reference file 28
Scan started on [7/25/2005] at [10:49:48 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:kiyhbw
Removed Stream! C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:rhgczm
------------------------------------------------
Removed File! : C:\Windows\System32\kytvu.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:50:01 AM

AboutBuster 5.0 reference file 28
Scan started on [7/25/2005] at [11:00:49 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:01:04 AM

AboutBuster 5.0 reference file 28
Scan started on [8/20/2005] at [6:05:17 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Q816982.log:dyzbyw
Removed Stream! C:\WINDOWS\Q817606.log:wykgsg
------------------------------------------------
Removed File! : C:\Windows\System32\fdeom.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:05:31 PM

Thanks much Subs, you guys are awesome.

PS: could I learn how to do this, and then join the TSF team?
#5
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Here you go Subs. With the Kaspersky scan, does it automatically clean the files it found infected?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:01:04 PM, 8/20/2005
+ Report-Checksum: E46F6907
+ Scan result:
C:\WINDOWS\applz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ibz.exe -> TrojanDownloader.Tibs.a : Cleaned with backup
C:\WINDOWS\SYSTEM32:jbaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\SYSTEM32\crol.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3yu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\dsktrf.dll -> Spyware.HotSearchBar : Cleaned with backup
::Report End

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, August 21, 2005 04:07:18
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/08/2005
Kaspersky Anti-Virus database records: 136287
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 63141
Number of viruses found: 27
Number of infected objects: 149
Number of suspicious objects: 0
Duration of the scan process: 3725 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Andy\My Documents\crack.zip/run.exe Infected: Trojan-Downloader.Win32.Small.na
C:\Documents and Settings\Andy\My Documents\crack.zip Infected: Trojan-Downloader.Win32.Small.na
C:\Documents and Settings\Andy\My Documents\My Documents\crack.zip/run.exe Infected: Trojan-Downloader.Win32.Small.na
C:\Documents and Settings\Andy\My Documents\My Documents\crack.zip Infected: Trojan-Downloader.Win32.Small.na
C:\ms32.tmp Infected: Trojan-Downloader.Win32.Small.azk
C:\Program Files\Norton AntiVirus\Quarantine\002E3FF3.class Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\002E3FF3.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\002E3FF3.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\002E3FF3.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\002E3FF3.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\002E3FF3.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\003269F0.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\05373F2B.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\05F12E80.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\14545725.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\173A23BE.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1BC27227.exe Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\1BC9461F.exe Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\1C0D1322.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\243353E3 Infected: Trojan-Dropper.Win32.Delf.z
C:\Program Files\Norton AntiVirus\Quarantine\245841BA.com Infected: Trojan-Downloader.Win32.Delf.ks
C:\Program Files\Norton AntiVirus\Quarantine\245B6BB6.exe Infected: Trojan-Downloader.Win32.Delf.ks
C:\Program Files\Norton AntiVirus\Quarantine\245E15B2.com Infected: Trojan-Downloader.Win32.Delf.ks
C:\Program Files\Norton AntiVirus\Quarantine\245E15B2.zip/a.class Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton AntiVirus\Quarantine\245E15B2.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\245E15B2.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton AntiVirus\Quarantine\245E15B2.zip Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton AntiVirus\Quarantine\26811F80.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\280757C0.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\280757C0.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\280757C0.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\280757C0.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\280757C0.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\2C2C68F8.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\2C2F12F4.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\2C2F12F4.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\2C2F12F4.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\2C2F12F4.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\2C2F12F4.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\2C323CF1.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\2C3666ED.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\2C6B5539.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\2C6B5539.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\2C6B5539.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\2C6B5539.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\2C6B5539.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\2C6B5539.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\2E8C458C.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\306724DA.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\306724DA.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\306724DA.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\306724DA.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\306724DA.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\306724DA.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\33C32971.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\33C32971.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\33C32971.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\33C32971.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\33C32971.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\33C32971.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\34210C31.exe Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\3BC549C8.dat Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\3C204F2F.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\3C204F2F.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\3C204F2F.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\3C204F2F.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\3C9C1CDB.exe Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton AntiVirus\Quarantine\3E301488.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\497F0268.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\4C3C36C7.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.CHM/exploit.htm Infected: Trojan-Downloader.VBS.Psyme.ac
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.CHM Infected: Trojan-Downloader.VBS.Psyme.ac
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\4D256887.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\4D363A76.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\4FEA6DDA.chm/index.htm Infected: Trojan-Downloader.VBS.Psyme.ac
C:\Program Files\Norton AntiVirus\Quarantine\4FEA6DDA.chm Infected: Trojan-Downloader.VBS.Psyme.ac
C:\Program Files\Norton AntiVirus\Quarantine\4FEA6DDA.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\4FEA6DDA.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\517245BF.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\535A2AD0.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\53B16D35.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\55B65F4F.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\56B37466.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\5BE734DC.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\610C6430.class Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\610C6430.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\610C6430.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\610C6430.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\610C6430.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\610C6430.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\68B8795E.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6A057901.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\6E0136F2.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\71182576.chm/1/e.exe Infected: Trojan-Dropper.Win32.Agent.ge
C:\Program Files\Norton AntiVirus\Quarantine\71182576.chm/2/l.html Infected: Trojan-Downloader.JS.Small.v
C:\Program Files\Norton AntiVirus\Quarantine\71182576.chm Infected: Trojan-Downloader.JS.Small.v
C:\Program Files\Norton AntiVirus\Quarantine\71182576.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\71182576.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton
AntiVirus\Quarantine\71182576.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a C:\Program Files\Norton AntiVirus\Quarantine\71182576.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton AntiVirus\Quarantine\71182576.zip Infected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton AntiVirus\Quarantine\77A12FAA.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c C:\Program Files\Norton AntiVirus\Quarantine\77A12FAA.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify C:\Program Files\Norton AntiVirus\Quarantine\77A12FAA.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a C:\Program Files\Norton AntiVirus\Quarantine\77A12FAA.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton AntiVirus\Quarantine\77A12FAA.zip Infected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton AntiVirus\Quarantine\790154C2.htm Infected: Exploit.VBS.Phel.a C:\Program Files\Norton AntiVirus\Quarantine\790728BB.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c C:\Program Files\Norton AntiVirus\Quarantine\790728BB.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify C:\Program Files\Norton AntiVirus\Quarantine\790728BB.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a C:\Program Files\Norton AntiVirus\Quarantine\790728BB.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton AntiVirus\Quarantine\790728BB.zip Infected: Trojan-Downloader.Java.OpenConnection.v C:\Program Files\Norton AntiVirus\Quarantine\790A52B7.class Infected: Trojan.Java.ClassLoader.c C:\Program Files\Norton AntiVirus\Quarantine\790E7CB3.class Infected: Trojan.Java.ClassLoader.Dummy.a C:\Program Files\Norton AntiVirus\Quarantine\791126B0.class Infected: Exploit.Java.Bytverify C:\WINDOWS\DELL.BMP:xpeolw:$DATA Infected: Trojan-Downloader.Win32.Agent.bc C:\WINDOWS\DirectX.log:hpxunz:$DATA Infected: Trojan.Win32.Agent.bi 
C:\WINDOWS\KB828035.log:vowsng:$DATA Infected: Trojan-Downloader.Win32.Agent.bc C:\WINDOWS\KB833987.log:pmhzk:$DATA Infected: Trojan-Downloader.Win32.Agent.bq C:\WINDOWS\KB835732.log:opgxpi:$DATA Infected: Trojan.Win32.Agent.bi C:\WINDOWS\KB842773.log:fisgs:$DATA Infected: Trojan-Downloader.Win32.Agent.bc C:\WINDOWS\oiklv.dat:picmng:$DATA Infected: Trojan-Downloader.Win32.Agent.bc C:\WINDOWS\orun32.isu:hjvzpq:$DATA Infected: Trojan.Win32.Agent.bi C:\WINDOWS\Q329441.log:fbafjc:$DATA Infected: Trojan-Downloader.Win32.Small.Agent.bq C:\WINDOWS\Q810577.log:qvlxfw:$DATA Infected: Trojan-Downloader.Win32.Small.Agent.bq C:\WINDOWS\Q811630.log:sosela:$DATA Infected: Trojan-Downloader.Win32.Agent.bc C:\WINDOWS\Q813862.log:kpdsfk:$DATA Infected: Trojan.Win32.Agent.bi C:\WINDOWS\Q816486.log:cztyhd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc C:\WINDOWS\Q816982.log:uzeejf:$DATA Infected: Trojan.Win32.Agent.bi C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:emzypm:$DATA Infected: Trojan-Downloader.Win32.Agent.bq C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:lmhlmc:$DATA Infected: Trojan.Win32.Agent.bi C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:rfmns:$DATA Infected: Trojan-Downloader.Win32.Small.Agent.bq C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:wggolz:$DATA Infected: Trojan-Downloader.Win32.Small.Agent.bq Scan process completed. Thanks again! |
#6
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,247
OS: N/A
Kaspersky's online scan does not disinfect the files it found.

Please empty Norton's quarantine folder.

Clear Java Cache
Follow the instructions outlined here to clear Sun Java's cache.

Get an archiving utility like WinZip. Zip up the following files:
C:\WINDOWS\DELL.BMP
C:\WINDOWS\DirectX.log
C:\WINDOWS\KB828035.log
C:\WINDOWS\KB833987.log
C:\WINDOWS\KB835732.log
C:\WINDOWS\KB842773.log
C:\WINDOWS\Q329441.log
C:\WINDOWS\Q810577.log
C:\WINDOWS\Q811630.log
C:\WINDOWS\Q813862.log
C:\WINDOWS\Q816486.log
C:\WINDOWS\Q816982.log
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat

After you have zipped them up, delete the original files. Restore the deleted files from the zipped archive. This will remove the malicious streams from the infected files.

Locate & delete these files:
C:\Documents and Settings\Andy\My Documents\crack.zip
C:\ms32.tmp
C:\WINDOWS\oiklv.dat
C:\WINDOWS\orun32.isu

Run CleanUp! once more.

Repeat the Kaspersky scan to check if any files are still infected.
__________________
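The zip, delete and restore step in the post above works because a ZIP archive stores only a file's unnamed data stream, so the NTFS alternate data streams the Kaspersky scan flagged (the `:xpeolw:$DATA` style suffixes on otherwise harmless log files) are simply left behind when the file is restored. The PowerShell script below is an added example, not something posted in this thread and not part of HijackThis, Kaspersky, CleanUp! or any other tool named here. It reads the `path:stream:$DATA Infected: ...` lines of a scan log (a handful of lines copied from the log above serve as the sample input), derives the set of host files, then lists and, on request, removes every named stream on them. It assumes PowerShell 3.0 or later, where `Get-Item` and `Remove-Item` accept `-Stream`, and an NTFS volume.

```powershell
# Added example (not from the thread or from any tool mentioned in it).
# 1. Parse "host:stream:$DATA  Infected: <name>" lines out of a Kaspersky-style scan log.
# 2. For each host file, enumerate its NTFS alternate data streams and remove them.
# Requires PowerShell 3.0+ (-Stream parameter) on an NTFS volume.

# Sample input: a few lines copied from the scan log posted above (constructed test data).
# The last line has no alternate stream and must be ignored by the parser.
$scanLog = @'
C:\WINDOWS\DELL.BMP:xpeolw:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\DirectX.log:hpxunz:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\KB828035.log:vowsng:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:emzypm:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:lmhlmc:$DATA Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\34210C31.exe Infected: Trojan.Win32.StartPage.nk
'@

function Get-AdsDetections {
    # Returns one object per infected stream: host file, stream name, detection name.
    param([Parameter(Mandatory)][string]$LogText)
    # host = drive letter + path with no further colon; stream = name between the
    # two colons; the line must end in ":$DATA" followed by the "Infected:" verdict.
    $pattern = '^(?<host>[A-Za-z]:\\[^:]+):(?<stream>[^:\s]+):\$DATA\s+Infected:\s+(?<name>\S+)'
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Host   = $Matches['host']
                Stream = $Matches['stream']
                Name   = $Matches['name']
            }
        }
    }
}

function Remove-AlternateStreams {
    # Lists every named stream on each host file and removes it. The unnamed stream
    # ':$DATA' is the file's real content and is always kept, which is exactly what the
    # zip / delete / restore trick achieves, since ZIP carries only that stream.
    # Only the files named by the scanner are touched: some alternate streams are
    # legitimate (for example the Zone.Identifier mark-of-the-web on downloaded files),
    # so this is not a drive-wide sweep.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($p in ($Paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "not found: $p"
            continue
        }
        $streams = Get-Item -LiteralPath $p -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $label = "${p}:$($s.Stream) ($($s.Length) bytes)"
            if ($PSCmdlet.ShouldProcess($label, 'Remove alternate data stream')) {
                Remove-Item -LiteralPath $p -Stream $s.Stream
            }
        }
    }
}

$hits = Get-AdsDetections -LogText $scanLog
$hits | Format-Table -AutoSize          # 5 rows; the quarantine .exe line is skipped

# Dry run: -WhatIf prints what would be removed. Drop it to delete the streams.
Remove-AlternateStreams -Paths ($hits | Select-Object -ExpandProperty Host) -WhatIf
```

Run it once with `-WhatIf` to see which streams would go, then without it; the four streams on the single `{B6656B57-...}.dat` file in the post's list collapse to one host entry because `Remove-AlternateStreams` deduplicates paths before enumerating streams.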
#8
Analyst, Security Team
Yes, run another scan just to be safe.
Also give us a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#9
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Hi grey....long time.
Hope all is splendid and well. (Think there might be a new infection.) Well, here goes my new log:

Logfile of HijackThis v1.99.0
Scan saved at 11:25:54 PM, on 8/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\My Documents\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OSA.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_12_0.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
#10
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Run hijackthis and fix this entry...
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)

Then run another KASPERSKY scan and post its log along with another hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#11
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Hi Microbell!
I got re-infected....this one is vicious....here's a HJT log. Please help~

Sincerely,
Ando

Logfile of HijackThis v1.99.0
Scan saved at 11:25:22 PM, on 8/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\javaln.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\syssy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\prefs.js)
O2 - BHO: Class - {B2D696D0-91BB-1E7F-44BB-A44FB1038DDF} - C:\WINDOWS\sdkjw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [nthf.exe] C:\WINDOWS\nthf.exe
O4 - HKLM\..\Run: [syssy.exe] C:\WINDOWS\syssy.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_12_0.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\javaln.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Every time I open up an application (browser, Windows Explorer), I get notified of a virus infection alert....bloodhound something something.... Please let me know what to do.... thanks again!
#12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,247
OS: N/A
How did you get re-infected so soon? You have to do the whole fix again
Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Reboot your computer in SafeMode :
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Click Start->Run - type SERVICES.MSC & then click on the OK button
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B2D696D0-91BB-1E7F-44BB-A44FB1038DDF} - C:\WINDOWS\sdkjw.dll
O4 - HKLM\..\Run: [nthf.exe] C:\WINDOWS\nthf.exe
O4 - HKLM\..\Run: [syssy.exe] C:\WINDOWS\syssy.exe
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\javaln.exe
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Ewido with its updated definitions: (...it's important that all windows must be closed)
** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Kaspersky WebScanner
Next Click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In your next post, please include fresh logs from:
__________________
#13
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Hey Subs.
I don't know how it got reinfected so soon. But I tried following your directions and when I restarted my PC.....my Nortons automatically informed me I had a bloodhound virus infection. I don't know what else to do for I am terrified of even turning on my computer now. I have tried doing the cleaning in safe mode twice already....

Usually, after the Ewido scan..on top of the cleanup....hsregfix.....aboutbuster....cwshredder.....everything seems to be okay....but this time, it seems like this virus is more calculating or something.

Please help, I am on a public computer right now......when I load up my home PC, it takes a minute for Windows to load up; it seems that it's re-booting the virus every time I reboot my computer no matter how much I try to fix it.

Looking forward to you guys' advice.

Ando
#15
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,247
OS: N/A
Don't worry about the computer. Go back to it & post fresh logs from:
1. HiJackThis
2. Online scan
3. About Buster
4. Ewido

We'll see you thru this..
__________________
#16
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Hey Subs,
Thanks....I'm just freaking out a little. Here are the logs and scans (I don't have time to do the Kaspersky scan yet....I have to work till midnight tonight, but will do the scan then). Here's what I have for now....also the Kaspersky scan looks like it got stuck at 2%......just the timer on the thing is counting, nothing else seems to be moving.....

Also, my background is black and a PSGuard icon and program was installed on my desktop; I can't get rid of it....I think it's virus related.

HJT

Logfile of HijackThis v1.99.0
Scan saved at 3:31:24 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_12_0.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

About

AboutBuster 5.0 reference file 28
Scan started on [7/25/2005] at [10:49:48 AM]
------------------------------------------------
Removed Stream!
C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:kiyhbw Removed Stream! C:\WINDOWS\{B6656B57-15D6-4E8F-AFAD-58AA2E3486CF}.dat:rhgczm ------------------------------------------------ Removed File! : C:\Windows\System32\kytvu.dll ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 10:50:01 AM AboutBuster 5.0 reference file 28 Scan started on [7/25/2005] at [11:00:49 AM] ------------------------------------------------ No Ads Found! ------------------------------------------------ No Files Found! ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 11:01:04 AM AboutBuster 5.0 reference file 28 Scan started on [8/20/2005] at [6:05:17 PM] ------------------------------------------------ Removed Stream! C:\WINDOWS\Q816982.log:dyzbyw Removed Stream! C:\WINDOWS\Q817606.log:wykgsg ------------------------------------------------ Removed File! : C:\Windows\System32\fdeom.dll ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 6:05:31 PM AboutBuster 5.0 reference file 28 Scan started on [8/31/2005] at [3:11:22 PM] ------------------------------------------------ Removed Stream! C:\WINDOWS\Greenstone.bmp:skblqn Removed Stream! C:\WINDOWS\imsins.BAK:klmykq ------------------------------------------------ Removed File! : C:\Windows\System32\fhaww.dll Removed File! : C:\Windows\System32\hlmzk.dll ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 3:11:36 PM AboutBuster 5.0 reference file 28 Scan started on [9/1/2005] at [4:50:11 AM] ------------------------------------------------ No Ads Found! ------------------------------------------------ Removed File! : C:\Windows\System32\fhaww.dll ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 4:50:25 AM AboutBuster 5.0 reference file 31 Scan started on [9/2/2005] at [3:25:39 PM] ------------------------------------------------ No Ads Found! 
------------------------------------------------ Removed File! : C:\Windows\oiklv.dat Removed File! : C:\Windows\xkpae.dat Removed File! : C:\Windows\System32\ckirj.dat Removed File! : C:\Windows\System32\ddeem.dat Removed File! : C:\Windows\System32\lpztz.dat ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 3:26:19 PM Ewido --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 10:34:26 AM, 8/31/2005 + Report-Checksum: C61E039A + Scan result: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe -> TrojanDownloader.Delf.ks : Cleaned with backup :mozilla.13:C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cityclub.gamingpromo[2].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@e-2dj6wfkockcpmhp.stats.esomniture[2].txt -> 
Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@gamingpromo[1].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup C:\Documents and Settings\Andy\Cookies\andy@vip.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup C:\WINDOWS\notepad.com -> TrojanDownloader.Delf.ks : Cleaned with backup C:\WINDOWS\SYSTEM32\notepad.com -> TrojanDownloader.Delf.ks : Cleaned with backup C:\WINDOWS\SYSTEM32\svcnt32.exe -> TrojanDownloader.Delf.ks : Cleaned with backup ::Report End |
#17
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,247
OS: N/A
Is someone else using your PC while you're at work?

PSGuard is a new infection. You'll need to download smitRem.exe - extract it to its own folder.

Reboot to Safe Mode.

Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel, click Display>Desktop>Customize Desktop>Website> Uncheck "Security Info" if present.

Reboot back to Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan.
* You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

In your next post, please include fresh copies of:
#18
Registered User
Join Date: Feb 2005
Posts: 55
OS: xp
Subs,

Thank you very much for your reassurance. I don't think anyone is using my PC while I am at work. Well, here are the scans and logs. Please advise further.

Logfile of HijackThis v1.99.0
Scan saved at 12:56:30 AM, on 9/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy\Application Data\Mozilla\Profiles\default\i1e1rrfu.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_12_0.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Online scan

Incident | Status | Location
Spyware:spyware/petro-line | No disinfected | C:\DOCUMENTS AND SETTINGS\ANDY\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/keenvalue | No disinfected | C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/topspyware | No disinfected | C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/searchaid | No disinfected | C:\DOCUMENTS AND SETTINGS\ANDY\FAVORITES\Only sex website.url
Adware:adware/superspider | No disinfected | C:\WINDOWS\dlm.html
Adware:adware/twain-tech | No disinfected | C:\WINDOWS\smdat32m.sys
Adware:adware/startpage.ccm | No disinfected | C:\WINDOWS\win32.dat
Adware:adware/myway | No disinfected | C:\PROGRAM FILES\MyWay
Adware:adware/ilookup | No disinfected | C:\WINDOWS\SYSTEM32\cache32_dsktptr
Spyware:spyware/new.net | No disinfected | Windows Registry
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip[Matrix.class]
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip[Counter.class]
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip[Dummy.class]
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-1bfed374-3e5e47c4.zip[Parser.class]

smitRem log file
version 2.3
by noahdfear

The current date is: Sat 09/03/2005
The current time is: 0:23:20.87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present!
Running LTDFix!
ShudderLTD key was successfully removed! :)

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~
PSGuard spyware remover
PSGuard spyware remover.lnk

quick launch
PSGuard spyware remover.lnk

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~
wininet.dll INFECTED!! :(
Starting replacement procedure.

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~
~~~~ Checking dllcache\wininet.dll for infection ~~~~
~~~~ dllcache\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from dllcache ~~~

~~~ Upon reboot ~~~
wininet.old present!
oleadm.dll not present!
oleext.dll not present!

~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~
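The HijackThis logs posted in #16 and #18 above are read by hand in this thread; as an added example (not part of HijackThis, smitRem or any tool the thread uses), here is a small parser for that log format with two triage rules the posted logs illustrate: an O18/O23 entry whose registered file is gone ("(no file)" / "(file missing)"), and a running process whose name an earlier scanner already flagged. The sample log is constructed from the thread's entries; svcnt32.exe is placed in the process list only because the ewido report named it, and the watchlist idea is this example's own.

```python
"""Parser and triage pass for HijackThis v1.99-style logs (added example).

Reads the two parts of the log the helpers look at, the "Running processes:"
block and the typed entries (R1, N3, O4, O18, O23, ...), and applies two
rules drawn from the posted logs.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# HijackThis appends these markers when the registered file does not exist.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Constructed sample in the log format, cut down from the thread's posts.
# svcnt32.exe is added here because the ewido report in the thread named it;
# it was not in the posted process list.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 12:56:30 AM, on 9/3/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\SYSTEM32\svcnt32.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
"""


def parse_hjt(text):
    """Return (processes, entries): running-process paths and a dict mapping
    entry type (e.g. 'O23') to that type's entry bodies, in log order."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:  # the first typed entry ends the process block
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs:
            processes.append(line)
    return processes, dict(entries)


def parse_service(body):
    """Split an O23 body 'Service: <name> - <vendor> - <path>' into its parts."""
    if body.startswith("Service: "):
        body = body[len("Service: "):]
    name, vendor, path = body.split(" - ", 2)
    return name, vendor, path


def triage(text, watchlist=()):
    """Apply both rules; returns a list of (rule, detail) findings.
    'dangling-handler' is a review item, not proof of malware: a service left
    behind by an uninstalled tool looks the same as a hijack remnant."""
    processes, entries = parse_hjt(text)
    findings = []
    for etype, bodies in entries.items():
        for body in bodies:
            if body.endswith(MISSING_MARKERS):
                findings.append(("dangling-handler", f"{etype} - {body}"))
    names = {n.lower() for n in watchlist}
    for path in processes:
        if path.rsplit("\\", 1)[-1].lower() in names:
            findings.append(("watchlisted-process", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG, watchlist=["svcnt32.exe"]):
        print(f"{rule:20s} {detail}")
```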
#20
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,247
OS: N/A
Download these files/programs & save to Desktop:

KillBox v2.0.0.175.zip

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

SpywareBlaster 3.4
Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

IE-SpyAD - Extract the contents to a new folder.
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu.
Select option #4 - Add the old porn sites domain

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise. If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If you have not done so already, please enable the viewing of Hidden files. From Windows Explorer, go to Tools>Folder Options> View tab.

Locate and delete the following folders, if present:

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CleanUp! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Launch KillBox.exe & select the following options:

* Click on the dropdown menu next to the Full Path of File to Delete field.
* Verify that the filenames you pasted are found there.
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations' prompt.

Please post a fresh HJT log after you have rebooted.