Old 11-23-2005, 06:24 AM   #1 (permalink)
I helped the forums.
 
Join Date: Jul 2005
Posts: 29
OS: XP


Many Viruses - Please Help

HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 8:14:56 AM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\PaulF\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://businessonline.motorola.com/...l=/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093619948380
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131719009848
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\Software\..\Telephony: DomainName = AndersonRadio.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)


Kaspersky Log
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 23, 2005 07:09:01
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 22/11/2005
Kaspersky Anti-Virus database records: 151337
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\$VAULT$.AVG\
C:\4nec2\
C:\adi\
C:\Andrew\
C:\AntennaSolver\
C:\ANTWIND\
C:\arc\
C:\backup\
C:\brmdf\
C:\Cadd6\
C:\caddin\
C:\Caddout\
C:\Caddprnt\
C:\CPS\
C:\CS Data\
C:\cygwin\
C:\DIRPAT\
C:\DOCS\
C:\Documents and Settings\
C:\Inetpub\
C:\MDF\
C:\MDS\
C:\Mike's Computer Stuff\
C:\MOBILE DATA\
C:\Mobile DB Data Bases\
C:\Motorola Canopy\
C:\motorola flash\
C:\MRSS\
C:\MXTOOLS\
C:\My Download Files\
C:\My Downloads\
C:\NEC\
C:\nist\
C:\NTS Data\
C:\ORS\
C:\PalmDL\
C:\paulfbackup\
C:\PCMCIA MDC CARD\
C:\PMAIL\
C:\pmdc save\
C:\printgl\
C:\Pro sites\
C:\Program Files\
C:\PROGRAMF\
C:\PROWIN3\
C:\putty\
C:\RADIOMAX\
C:\radios\
C:\RECYCLER\
C:\sav\
C:\Save 2\
C:\SCGWDEMO\
C:\Scholer-Johnson\
C:\Sites\
C:\Synex\
C:\SYSKEY\
C:\System Volume Information\
C:\temp\
C:\TFTP-Root\
C:\Toshiba\
C:\TRN\
C:\WINDOWS\
C:\winrss\
C:\WINSJIPP\

Scan Statistics:
Total number of scanned objects: 86619
Number of viruses found: 13
Number of infected objects: 32
Number of suspicious objects: 1
Duration of the scan process: 15812 sec

Infected Object Name - Virus Name
C:\brmdf\cracksearcher (Works Great).zip/CrackSearcher.exe Infected: HackTool.Win32.CrackSearch.a
C:\brmdf\cracksearcher (Works Great).zip Infected: HackTool.Win32.CrackSearch.a
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4e92308d-3182be77.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-16650209.zip/b.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-16650209.zip/c.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-16650209.zip/d.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-16650209.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-2325c9bc.zip/b.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-2325c9bc.zip/c.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-2325c9bc.zip/d.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-2325c9bc.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-138006ad-376e85c8.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-138006ad-376e85c8.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-138006ad-376e85c8.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-138006ad-376e85c8.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-330ed794-41c83d18.zip/web.exe Infected: Trojan-Downloader.Win32.Small.bkg
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-330ed794-41c83d18.zip Infected: Trojan-Downloader.Win32.Small.bkg
C:\Documents and Settings\PaulF\Local Settings\Temporary Internet Files\Content.IE5\QFCDILUZ\deliver46860[1].html Suspicious: Exploit.HTML.Mht
C:\My Download Files\Incomplete\T-872159-Advanced Registry Doctor Pro 5.3.6.15.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\My Download Files\Incomplete\T-872159-Advanced Registry Doctor Pro 5.3.6.15.zip Infected: Worm.Win32.VB.an
C:\My Download Files\zdnet\eMulePlus-1.1.Installer.exe/stream/data0006 Infected: Trojan.Win32.Qrap
C:\My Download Files\zdnet\eMulePlus-1.1.Installer.exe/stream Infected: Trojan.Win32.Qrap
C:\My Download Files\zdnet\eMulePlus-1.1.Installer.exe Infected: Trojan.Win32.Qrap
C:\PalmDL\Palm SDK\crack_170077.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\PalmDL\Palm SDK\crack_170077.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\PalmDL\Palm SDK\handmap 4.7.4-keygen-icu crack_216153.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\PalmDL\Palm SDK\handmap 4.7.4-keygen-icu crack_216153.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\PalmDL\Palm SDK\handmap pro crack_137746.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\PalmDL\Palm SDK\handmap pro crack_137746.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{87426783-37B6-45D9-B169-8B6A8716E4B6}\RP8\A0008549.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{87426783-37B6-45D9-B169-8B6A8716E4B6}\RP8\A0008550.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{87426783-37B6-45D9-B169-8B6A8716E4B6}\RP9\A0008773.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{87426783-37B6-45D9-B169-8B6A8716E4B6}\RP9\A0008774.exe Infected: Trojan.Win32.Crypt.t

Scan process completed.
BobRiff is offline  

Old 11-23-2005, 11:11 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Have HijackThis fix these:

R3 - Default URLSearchHook is missing
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?




Locate & delete these files:

C:\brmdf\cracksearcher (Works Great).zip
C:\My Download Files\Incomplete\T-872159-Advanced Registry Doctor Pro 5.3.6.15.zip
C:\My Download Files\zdnet\eMulePlus-1.1.Installer.exe
C:\PalmDL\Palm SDK\crack_170077.exe
C:\PalmDL\Palm SDK\handmap 4.7.4-keygen-icu crack_216153.exe




Clear your Java Cache
  1. Click Start >Settings>Control Panel
  2. Click the Java Plugin Icon
  3. Click the Cache tab
  4. Click the Clear button and click OK to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.



Download and install CleanUp!

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Question - what have you done for the community today?
sUBs is offline  
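
The cleanup steps in the reply above each cover a different group of detections in the Kaspersky report. As an added example (not part of the original posts), this sketch collapses report lines to the file that actually sits on disk and groups them by the step that handles them. The step labels, and the mapping of Temporary Internet Files to the CleanUp! run, are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the Kaspersky report posted earlier in this thread.
REPORT = r"""
C:\brmdf\cracksearcher (Works Great).zip/CrackSearcher.exe Infected: HackTool.Win32.CrackSearch.a
C:\brmdf\cracksearcher (Works Great).zip Infected: HackTool.Win32.CrackSearch.a
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-16650209.zip/c.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\PaulF\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-653852dd-16650209.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\PaulF\Local Settings\Temporary Internet Files\Content.IE5\QFCDILUZ\deliver46860[1].html Suspicious: Exploit.HTML.Mht
C:\My Download Files\zdnet\eMulePlus-1.1.Installer.exe/stream/data0006 Infected: Trojan.Win32.Qrap
C:\My Download Files\zdnet\eMulePlus-1.1.Installer.exe Infected: Trojan.Win32.Qrap
C:\System Volume Information\_restore{87426783-37B6-45D9-B169-8B6A8716E4B6}\RP8\A0008549.dll Infected: Trojan.Win32.Crypt.t
"""

# "<object> Infected: <name>" or "<object> Suspicious: <name>"
LINE_RE = re.compile(r"^(?P<obj>.+?) (?:Infected|Suspicious): (?P<name>\S+)$")

# Path fragment (lower case) -> cleanup step. Labels are illustrative.
RULES = [
    ("\\sun\\java\\deployment\\cache\\", "clear Java cache"),
    ("\\system volume information\\_restore", "reset System Restore"),
    ("\\temporary internet files\\", "run CleanUp!"),  # assumed mapping
]
DEFAULT_STEP = "delete file"


def step_for(path):
    """Pick the cleanup step for an on-disk path."""
    low = path.lower()
    for needle, step in RULES:
        if needle in low:
            return step
    return DEFAULT_STEP


def triage(report):
    """Return ({step: {on_disk_file: [detection names]}}, unparsed_lines)."""
    plan = defaultdict(lambda: defaultdict(set))
    unparsed = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        # The scanner writes archive members as "<container>/<member>";
        # Windows paths use "\", so everything before the first "/" is the
        # file on disk that has to be removed.
        container = m.group("obj").split("/", 1)[0]
        plan[step_for(container)][container].add(m.group("name"))
    result = {
        step: {path: sorted(names) for path, names in sorted(files.items())}
        for step, files in plan.items()
    }
    return result, unparsed


if __name__ == "__main__":
    plan, unparsed = triage(REPORT)
    for step, files in plan.items():
        print(step)
        for path, names in files.items():
            print("   ", path, "->", ", ".join(names))
    if unparsed:
        print("unparsed lines:", unparsed)
```
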
Old 11-23-2005, 02:03 PM   #3 (permalink)
I helped the forums.
 
Join Date: Jul 2005
Posts: 29
OS: XP


Activescan log:

Incident Status Location

Virus:Trj/Clicker.IE Not disinfected C:\My Download Files\zdnet\BitTorrent-Absolute-Downloader-no.2.8.exe[ngpw36.exe]
Virus:Trj/Clicker.IE Not disinfected C:\My Download Files\zdnet\BitTorrent-Absolute-Downloader-no.2.8.exe[Sngpw36.exe]
Adware:Adware/Adblaster Not disinfected C:\My Download Files\zdnet\BitTorrent-Absolute-Downloader-no.2.8.exe[ADPROT.EXE]
Virus:Trj/Clicker.IE Not disinfected C:\My Download Files\zdnet\crazaa.exe[ngpw36.exe]
Virus:Trj/Clicker.IE Not disinfected C:\My Download Files\zdnet\crazaa.exe[Sngpw36.exe]
Adware:Adware/Adblaster Not disinfected C:\My Download Files\zdnet\crazaa.exe[ADPROT.EXE]
Virus:Trj/Seeker.BC Not disinfected C:\My Download Files\zdnet\pwlhck32.zip[CyberNet.reg]
Adware:Adware/Trymedia Not disinfected C:\PalmDL\GFP\HongKong_Mahjong-dm.exe
Adware:Adware/WUpd Not disinfected C:\PalmDL\HANDMAP-On-Ms\get_31993_HandMap.v4.7.4.PalmOS_crack.html
Adware:Adware/IST.ISTBar Not disinfected C:\PalmDL\Palm SDK\handmap pro crack_137746.exe
Possible Virus. Not disinfected C:\paulfbackup\Rs\Slurp\SLURP.ZIP[SLURP.EXE]
Possible Virus. Not disinfected C:\sav\sav.zip[SLURP.EXE]
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\alchem.ini
Adware:Adware/Imibar Not disinfected C:\WINDOWS\systb.dll
Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ide21201.vxd

Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 4:02:45 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PaulF\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://businessonline.motorola.com/...l=/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093619948380
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131719009848
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\Software\..\Telephony: DomainName = AndersonRadio.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
BobRiff is offline  
Old 11-23-2005, 02:10 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Download & launch KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Select the following option - delete on Reboot
Use your mouse to select all the filenames listed below & then right-click & select Copy
  • C:\My Download Files\zdnet\BitTorrent-Absolute-Downloader-no.2.8.exe
    C:\My Download Files\zdnet\crazaa.exe
    C:\My Download Files\zdnet\pwlhck32.zip
    C:\PalmDL\GFP\HongKong_Mahjong-dm.exe
    C:\PalmDL\HANDMAP-On-Ms\get_31993_HandMap.v4.7.4.PalmOS_crack.html
    C:\PalmDL\Palm SDK\handmap pro crack_137746.exe
    C:\paulfbackup\Rs\Slurp\SLURP.ZIP
    C:\sav\sav.zip
    C:\WINDOWS\alchem.ini
    C:\WINDOWS\systb.dll
    C:\WINDOWS\system32\ide21201.vxd
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Post a new HJT log after you have rebooted & let me know how your machine is behaving now.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 11-28-2005, 10:26 AM   #5 (permalink)
I helped the forums.
 
Join Date: Jul 2005
Posts: 29
OS: XP


HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:22:47 PM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PaulF\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://businessonline.motorola.com/...l=/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...te.cab?1093619948380
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof....cab?1131719009848
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\Software\..\Telephony: DomainName = AndersonRadio.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = AndersonRadio.local
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
BobRiff is offline  
Old 11-28-2005, 10:34 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Your log suggests that you're clean.

Do you still have any more issues with your machine?

If not, you should be set to go.




** Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 11-28-2005, 01:06 PM   #7 (permalink)
I helped the forums.
 
Join Date: Jul 2005
Posts: 29
OS: XP


Checked it again with Panda Online - Looks clean.

Thanks for your help.
BobRiff is offline  