Virus problem?

rachsrib · 11-28-2005, 07:02 PM

I think I may have a virus, im new to this so any help would be great. What happens is my cd and disk drives no longer work and my computer will just randomly shut down. i also get alot of pop ups and an error messages that says i have some malicious stuff on my computer. here is the log from highjack this.

Logfile of HijackThis v1.99.1
Scan saved at 7:56:29 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crqt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\msed32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r4.attbi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll
O2 - BHO: (no name) - {DC98992B-F1C3-69CF-38DE-E4D2A0FB2B61} - C:\WINDOWS\sysou32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [msed32.exe] C:\WINDOWS\msed32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/22...CX/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...02/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crqt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Thank you for any help

Ice4444 · 11-29-2005, 04:37 AM

Mod note:

Please refrain from dispensing unauthorised advice here.

Kindly read this before proceeding..

alba · 11-29-2005, 05:30 AM

Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

regards
alba

alba · 11-29-2005, 02:08 PM

Hello rachsrib

Please read through the instructions carefully before starting the fix.

Go to http://WindowsUpdate. & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities.

===============================================

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Download CleanUp!.exe - Install

Download
CoolWebShredder
1. Open CWShredder and click - I AGREE
2. Click - Check For Update
3. Close CWShredder after updating

Download About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

Download HSFix.zip We will use this later

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
===============================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

===============================================

When doing the fix, you shall be viewing these instructions from Notepad.
Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy
• FILE DELETION LIST
C:\WINDOWS\msed32.exe
C:\WINDOWS\niuks.dll
C:\WINDOWS\netgc.dll
C:\WINDOWS\sysou32.dll

Launch KillBox.exe
1. Go to the File menu, and choose 'Paste from Clipboard' * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
2. Select/tick the following:
o Delete on Reboot
o End Explorer Shell While Killing File
o Unregister dlll Before deleting * if it's not grayed out
3. Click the RED X button.
4. Click Yes at the 'Delete on Reboot' prompt.
5. Click Yes at the 'Pending Operations prompt'.
* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually .
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.

===============================================

Next, reboot your computer in SafeMode :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

===============================================

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)
Double-click on it to open the Properties dialog.
- Under the General tab, note down the name of "Service name". We shall need it later.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in "Service name" & then click on the OK button

===============================================

Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

===============================================

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\niuks.dll/sp.html#10001

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll
O2 - BHO: (no name) - {DC98992B-F1C3-69CF-38DE-E4D2A0FB2B61} - C:\WINDOWS\sysou32.dll
O4 - HKLM\..\Run: [msed32.exe] C:\WINDOWS\msed32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crqt.exe

Please remember to close all other windows, including browsers then click Fix checked.
===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

===============================================

Run Cleanup! with the following configuration:
1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
o Empty Recycle Bins
o Delete Cookies
o Delete Prefetch files (Windows XP only)
o [color=red[X][/color]Scan local drives for temporary files (Please uncheck this option)
o Cleanup! All Users
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup

===============================================

Run CWShredder & click on Fix.

Run About Buster and click OK. Click Start > OK and then follow the prompts to scan (Choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. ONLY save the log file and post it here if About Buster does not fix all the problems.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

===============================================

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

===============================================

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

Double-click the tmas-web-scan.exe icon
It will say "Loading TrendMicro definitions".
Click "Start Scan"

After it's done scanning, click "Scan Results"

Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

===============================================
In your next post, please include fresh logs from:

HiJackThis

About Buster

Ewido

Online scan

Antispyware.log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Regards
alba

rachsrib · 11-29-2005, 08:40 PM

thanks for the help im gonna give it a shot

rachsrib · 11-29-2005, 09:42 PM

question. im told to run killbox.exe where can i get this program.

i have found the program and dl it but now it will not let me paste from clipboard two of the files that i am supposed to put in there

Ried · 11-29-2005, 09:58 PM

Hello rachsrib,

Copy/paste them one at a time if you have to. Just do not allow a reboot yet when it asks, just continue with the rest of the instructions.

rachsrib · 11-29-2005, 11:06 PM

thanks

rachsrib · 11-29-2005, 11:26 PM

ok so now killbot will not let me delete
C:\WINDOWS\netgc.dll
C:\WINDOWS\sysou32.dll
it will not let me copy and paste in and it will not let me type it in and then click the red circle x, it will not let me do anything with these two, should i continue on, it let me do stuf with
C:\WINDOWS\msed32.exe
C:\WINDOWS\niuks.dll

alba · 11-30-2005, 12:33 AM

Hi rachsrib

Yes please carry on with the rest of the instructions, we will deal with those files in the next run

regards

alba

rachsrib · 11-30-2005, 05:04 PM

ok so here are the new logs i was not sure why but the antispyware.log file is only from before i fixed everything so i do not have a curent one. other problems were my computer would freeze up when i tried to delete the stuff tmas-web-scan.exe found so i deleted what i could. also the panda scan would not work, my computer would just keep shuting itself down when i tried. other stuff is that in my tool bar i have an icon that is a shield with a red x and it says there may be spyware. i still get a pop up saying that there is suspicous activity as well. thanks

Logfile of HijackThis v1.99.1
Scan saved at 4:59:20 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r4.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A97B913-C0A6-6EAC-43F1-2AC5E32BFB43} - C:\WINDOWS\system32\appxg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/22...CX/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...02/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:35:23 PM, 11/30/2005
+ Report-Checksum: 95A55A56

+ Scan result:

:mozilla.7:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\_default.pif:txeltf -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:txrewt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:ualbks -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:uatham -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:ukbxeu -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:utchus -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:uudaxn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:uxnjka -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:vgsojg -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:vhizzg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vipjze -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vjxqto -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vkurzk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vyuyob -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:wljwml -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:wncvkp -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\_default.pif:wnvkme -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:wrvlah -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:xcaajq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xcomgf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xmtbmg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xxiphn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:yaqwey -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ycofqj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:yeseoc -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_default.pif:ygvmfu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:yinmad -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ynablx -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:yqnenk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:yueivs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:yxtmlv -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_default.pif:yziqvc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:zdvpwe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:zibqhh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:zjxbke -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:zmmhiy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:zvlkmj -> Trojan.Agent.bi : Cleaned with backup

::Report End

boutBuster 5.1, reference file 33
Scan started on [11/30/2005] at [5:00:05 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:00:56 PM

alba · 12-01-2005, 01:41 PM

HiYa rachsrib

The error message

Quote:

i still get a pop up saying that there is suspicous activity as well. thanks

Can you tell me what it says or get a screen shot of it
Press the print Screen key, then paste onto a word document and attach to your next post

You do not appear to have an anti-virus application installed on this machine. Let's start off by getting you a free but yet effective antivirus program. Please choose one from any of these 3 programs which are free for home use:

Once the antivirus is downloaded, please update the virus definitions and run a scan.

===============================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Next, reboot your computer in SafeMode :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {7A97B913-C0A6-6EAC-43F1-2AC5E32BFB43} - C:\WINDOWS\system32\appxg.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

===============================================

Run CWShredder & click on Fix.

Run About Buster and click OK. Click Start > OK and then follow the prompts to scan (Choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. ONLY save the log file and post it here if About Buster does not fix all the problems.

===============================================

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

Checkmark/tick - "Ignore Safe System Info Streams"
Click the "Scan" button
When it has finished scanning,
Click the "save log" button

===============================================

REBOOT TO NORMAL MODE

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

In your next post, please include fresh logs from:

HiJackThis

Online scan logs

About BusterADS Spy.log

ADS Spy.log

Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Regards

alba

rachsrib · 12-02-2005, 12:45 PM

ok so did that stuff, but when ever i try top use the online scan my comp would just shut down so i couldnt do those but here are the new logs. the icon in the tool bar no longer pops up and for some reason my internet explore shortcut disapeared, no big deal, havent got the popup in while so thats good. it looks like the main problem now is my computer shutting down frequently, could this be a memory or hard drive problem?

Logfile of HijackThis v1.99.1
Scan saved at 4:59:20 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r4.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A97B913-C0A6-6EAC-43F1-2AC5E32BFB43} - C:\WINDOWS\system32\appxg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/22...CX/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...02/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

C:\WINDOWS\aucfg.ini : okwpgl (3567 bytes)
C:\WINDOWS\bootstat.dat : dyjqcv (13581 bytes)
C:\WINDOWS\bootstat.dat : qmxndr (11736 bytes)
C:\WINDOWS\cadx2.ini : vztdef (11151 bytes)
C:\WINDOWS\clock.avi : ifqaxb (7471 bytes)
C:\WINDOWS\dahotfix.log : agifzm (3567 bytes)
C:\WINDOWS\FHM 100 Sexiest 2002.dat : ljnncp (11736 bytes)
C:\WINDOWS\GetServer.ini : ebytfz (7471 bytes)
C:\WINDOWS\iis6.log : wcryzj (3567 bytes)
C:\WINDOWS\KB839645.log : cpiwsl (13581 bytes)
C:\WINDOWS\KB839645.log : jopeok (13581 bytes)
C:\WINDOWS\KB840987.log : bpikqm (11152 bytes)
C:\WINDOWS\KB840987.log : vpakmv (11151 bytes)
C:\WINDOWS\KB841873.log : lhapkx (3567 bytes)
C:\WINDOWS\KB841873.log : nqtpgy (3567 bytes)
C:\WINDOWS\msgsocm.log : alamll (11736 bytes)
C:\WINDOWS\msnsetuplog.txt : smtsnw (5207 bytes)
C:\WINDOWS\nsw.log : kmmxhg (3567 bytes)
C:\WINDOWS\n_jewhgg.txt : vkfufi (0 bytes)
C:\WINDOWS\n_kmrgot.txt : nkqaht (0 bytes)
C:\WINDOWS\n_majpxc.log : glifbv (0 bytes)
C:\WINDOWS\n_qhngqc.dat : yebsdg (0 bytes)
C:\WINDOWS\Q814033.log : pmrrvn (11736 bytes)
C:\WINDOWS\Q819696.log : hncwpy (7471 bytes)
C:\WINDOWS\zkvmx.log : gkwpdp (13581 bytes)
C:\WINDOWS\_default.pif : azcrfk (3567 bytes)
C:\WINDOWS\_default.pif : ddxpuy (13581 bytes)
C:\WINDOWS\_default.pif : djlxjq (11736 bytes)
C:\WINDOWS\_default.pif : enkpif (3567 bytes)
C:\WINDOWS\_default.pif : eseawl (11736 bytes)
C:\WINDOWS\_default.pif : fykxdz (11736 bytes)
C:\WINDOWS\_default.pif : gxizql (3567 bytes)
C:\WINDOWS\_default.pif : hnzymi (3567 bytes)
C:\WINDOWS\_default.pif : ityxqb (11152 bytes)
C:\WINDOWS\_default.pif : iysela (4870 bytes)
C:\WINDOWS\_default.pif : kgmaxg (3567 bytes)
C:\WINDOWS\_default.pif : mmzkod (11157 bytes)
C:\WINDOWS\_default.pif : pihtdo (11736 bytes)
C:\WINDOWS\_default.pif : pmhssy (7473 bytes)
C:\WINDOWS\_default.pif : qanqzm (3567 bytes)
C:\WINDOWS\_default.pif : rdzizk (3567 bytes)
C:\WINDOWS\_default.pif : rjlmaa (3567 bytes)
C:\WINDOWS\_default.pif : sgtvdw (7471 bytes)
C:\WINDOWS\_default.pif : tvbimn (3567 bytes)
C:\WINDOWS\_default.pif : vwquoa (11152 bytes)
C:\WINDOWS\_default.pif : wkecda (7471 bytes)
C:\WINDOWS\_default.pif : xegtpn (11736 bytes)
C:\WINDOWS\_default.pif : xsnfto (13581 bytes)
C:\WINDOWS\_default.pif : xzclxc (7423 bytes)
C:\WINDOWS\_default.pif : zfahbt (11736 bytes)
C:\WINDOWS\_default.pif : zjagyy (4870 bytes)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:38:13 PM, 12/2/2005
+ Report-Checksum: E3C1B18A

+ Scan result:

:mozilla.12:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.15:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.45:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.60:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.61:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.62:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.63:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

::Report End

alba · 12-03-2005, 12:51 AM

Hello again rachsrib

Please carry out the following instructions

Please open HIjackThis, and go to:
Config || Misc Tools
click the button labelled "Open ADSSpy"
Checkmark/tick - "Ignore Safe System Info Streams" and "Quick Scan (Windows based folders only)"
Click the "Scan" button
When it has finished scanning, checkmark/tick all that entries that it found
Click the "remove selected" button, then Click "Yes" at the following prompt
Click the "Scan" button once again.
Click the "Save Log" button once this scan is complete.

Please post that log here for review.

Kind regards

alba

rachsrib · 12-03-2005, 12:34 PM

should i do this in safe mode or in regular mode

rachsrib · 12-03-2005, 01:06 PM

ok so i did the scan and removed everything it found and did the scan again and it found nothing so i have nothing to post here, think that is good news.
thanks for all the help

alba · 12-03-2005, 04:17 PM

hiya rachsrib

your PC is clean

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

Clear & reset System Restore's cache
- click Start >> Run - type SYSDM.CPL & press Enter
- Select the System Restore Tab
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
- Then untick the same checkbox & click OK
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
  1. Change the Download signed ActiveX controls to Prompt
  2. Change the Download unsigned ActiveX controls to Disable
  3. Change the Initialize and script ActiveX controls not marked as safe to Disable
  4. Change the Installation of desktop items to Prompt
  5. Change the Launching programs and files in an IFRAME to Prompt
  6. Change the Navigate sub-frames across different domains to Prompt
  7. When all these settings have been made, click on the OK button.
  8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety

IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

alba

rachsrib · 12-03-2005, 04:30 PM

thanks, my computer is running well with no more of those pop ups

11-28-2005, 07:02 PM	#1 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	Virus problem? I think I may have a virus, im new to this so any help would be great. What happens is my cd and disk drives no longer work and my computer will just randomly shut down. i also get alot of pop ups and an error messages that says i have some malicious stuff on my computer. here is the log from highjack this. Logfile of HijackThis v1.99.1 Scan saved at 7:56:29 PM, on 11/28/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\crqt.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\msed32.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\CU VPN\cvpnd.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\user\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r4.attbi.com R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll O2 - BHO: (no name) - {DC98992B-F1C3-69CF-38DE-E4D2A0FB2B61} - C:\WINDOWS\sysou32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe O4 - HKLM\..\Run: [msed32.exe] C:\WINDOWS\msed32.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/22...CX/FlashAX.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...02/mcfscan.cab O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crqt.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) Thank you for any help

11-29-2005, 04:37 AM	#2 (permalink)
Ice4444 Registered User Join Date: Apr 2005 Location: Cape Town, South Afica Posts: 35 OS: Windows XP SP3	Mod note: Please refrain from dispensing unauthorised advice here. Kindly read this before proceeding.. Last edited by sUBs; 11-29-2005 at 12:11 PM.

11-29-2005, 05:30 AM	#3 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Hi there and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time. We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". regards alba __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

11-29-2005, 02:08 PM	#4 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Hello rachsrib Please read through the instructions carefully before starting the fix. Go to http://WindowsUpdate. & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities. =============================================== Please download these additional files/programs. Do not run them until instructed to do so. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. Download CleanUp!.exe - Install Download CoolWebShredder 1. Open CWShredder and click - I AGREE 2. Click - Check For Update 3. Close CWShredder after updating Download About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed. Download HSFix.zip We will use this later If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup Don't run it yet! Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. =============================================== 'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise. If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options> View tab. Tick - Show hidden files and folder Untick - Hide file extensions for known types Untick - Hide protected operating system files Click Yes to confirm & then click OK =============================================== When doing the fix, you shall be viewing these instructions from Notepad. Copy the filename/s listed below. Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy • FILE DELETION LIST C:\WINDOWS\msed32.exe C:\WINDOWS\niuks.dll C:\WINDOWS\netgc.dll C:\WINDOWS\sysou32.dll Launch KillBox.exe 1. Go to the File menu, and choose 'Paste from Clipboard' * this feature does not work on older versons of Killbox Click the dropdown-arrow next to the "Full Path of File to Delete" field. Verify that the filenames you pasted are found in there. 2. Select/tick the following: o Delete on Reboot o End Explorer Shell While Killing File o Unregister dlll Before deleting * if it's not grayed out 3. Click the RED X button. 4. Click Yes at the 'Delete on Reboot' prompt. 5. Click Yes at the 'Pending Operations prompt'. * If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually . * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again. =============================================== Next, reboot your computer in SafeMode : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. =============================================== Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) Double-click on it to open the Properties dialog. Under the General tab, note down the name of "Service name". We shall need it later. Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in "Service name" & then click on the OK button =============================================== Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry. =============================================== CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS Run a scan with HiJackThis & select/tick the following & click "Fix checked" : R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\niuks.dll/sp.html#10001 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\niuks.dll/sp.html#10001 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\niuks.dll/sp.html#10001 (FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\**.dll/sp.htm) R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll O2 - BHO: (no name) - {DC98992B-F1C3-69CF-38DE-E4D2A0FB2B61} - C:\WINDOWS\sysou32.dll O4 - HKLM\..\Run: [msed32.exe] C:\WINDOWS\msed32.exe O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crqt.exe Please remember to close all other windows, including browsers then click Fix checked. =============================================== If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options> View tab. Tick - Show hidden files and folder Untick - Hide file extensions for known types Untick - Hide protected operating system files Click Yes to confirm & then click OK =============================================== Run Cleanup! with the following configuration: 1. Click Options... 2. Move the arrow down to Custom CleanUp! 3. Put a check next to the following: o Empty Recycle Bins o Delete Cookies o Delete Prefetch files (Windows XP only) o [color=red[X][/color]Scan local drives for temporary files (Please uncheck** this option) o Cleanup! All Users 4. Click OK 5. Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders without making a backup =============================================== Run CWShredder & click on Fix. Run About Buster and click OK. Click Start > OK and then follow the prompts to scan (Choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. ONLY save the log file and post it here if About Buster does not fix all the problems. Open Ad-aware and do a full scan. Remove all it finds. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" .Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. =============================================== REBOOT TO NORMAL MODE Perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan =============================================== Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button). Double-click the tmas-web-scan.exe icon It will say "Loading TrendMicro definitions". Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here. =============================================== In your next post, please include fresh logs from: HiJackThis About Buster Ewido Online scan Antispyware.log Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now Regards alba __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

11-29-2005, 09:42 PM	#6 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	question. im told to run killbox.exe where can i get this program. i have found the program and dl it but now it will not let me paste from clipboard two of the files that i am supposed to put in there Last edited by rachsrib; 11-29-2005 at 09:53 PM. Reason: old news

11-29-2005, 08:40 PM	#5 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	thanks for the help im gonna give it a shot

11-29-2005, 09:58 PM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 24,048 OS: WinXP and Vista	Hello rachsrib, Copy/paste them one at a time if you have to. Just do not allow a reboot yet when it asks, just continue with the rest of the instructions. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-29-2005, 11:06 PM	#8 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	thanks

11-29-2005, 11:26 PM	#9 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	ok so now killbot will not let me delete C:\WINDOWS\netgc.dll C:\WINDOWS\sysou32.dll it will not let me copy and paste in and it will not let me type it in and then click the red circle x, it will not let me do anything with these two, should i continue on, it let me do stuf with C:\WINDOWS\msed32.exe C:\WINDOWS\niuks.dll

11-30-2005, 12:33 AM	#10 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Hi rachsrib Yes please carry on with the rest of the instructions, we will deal with those files in the next run regards alba __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

11-30-2005, 05:04 PM	#11 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	ok so here are the new logs i was not sure why but the antispyware.log file is only from before i fixed everything so i do not have a curent one. other problems were my computer would freeze up when i tried to delete the stuff tmas-web-scan.exe found so i deleted what i could. also the panda scan would not work, my computer would just keep shuting itself down when i tried. other stuff is that in my tool bar i have an icon that is a shield with a red x and it says there may be spyware. i still get a pop up saying that there is suspicous activity as well. thanks Logfile of HijackThis v1.99.1 Scan saved at 4:59:20 PM, on 11/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CU VPN\cvpnd.exe C:\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\kdx\KHost.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r4.attbi.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {7A97B913-C0A6-6EAC-43F1-2AC5E32BFB43} - C:\WINDOWS\system32\appxg.dll (file missing) O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/22...CX/FlashAX.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...02/mcfscan.cab O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 5:35:23 PM, 11/30/2005 + Report-Checksum: 95A55A56 + Scan result: :mozilla.7:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup :mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.18:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.19:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup :mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup :mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup C:\WINDOWS\_default.pif:txeltf -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:txrewt -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:ualbks -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:uatham -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:ukbxeu -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:utchus -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:uudaxn -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:uxnjka -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:vgsojg -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:vhizzg -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:vipjze -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:vjxqto -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:vkurzk -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:vyuyob -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:wljwml -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:wncvkp -> Adware.SearchPage : Cleaned with backup C:\WINDOWS\_default.pif:wnvkme -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:wrvlah -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:xcaajq -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:xcomgf -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:xmtbmg -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:xxiphn -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:yaqwey -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:ycofqj -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:yeseoc -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default.pif:ygvmfu -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:yinmad -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:ynablx -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:yqnenk -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:yueivs -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:yxtmlv -> Spyware.SearchPage : Cleaned with backup C:\WINDOWS\_default.pif:yziqvc -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:zdvpwe -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:zibqhh -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:zjxbke -> Trojan.Agent.bi : Cleaned with backup C:\WINDOWS\_default.pif:zmmhiy -> TrojanDownloader.Agent.bq : Cleaned with backup C:\WINDOWS\_default.pif:zvlkmj -> Trojan.Agent.bi : Cleaned with backup ::Report End boutBuster 5.1, reference file 33 Scan started on [11/30/2005] at [5:00:05 PM] ------------------------------------------------ No Ads Found! ------------------------------------------------ No Files Found! ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 5:00:56 PM

12-02-2005, 12:45 PM	#13 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	ok so did that stuff, but when ever i try top use the online scan my comp would just shut down so i couldnt do those but here are the new logs. the icon in the tool bar no longer pops up and for some reason my internet explore shortcut disapeared, no big deal, havent got the popup in while so thats good. it looks like the main problem now is my computer shutting down frequently, could this be a memory or hard drive problem? Logfile of HijackThis v1.99.1 Scan saved at 4:59:20 PM, on 11/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CU VPN\cvpnd.exe C:\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\kdx\KHost.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r4.attbi.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {7A97B913-C0A6-6EAC-43F1-2AC5E32BFB43} - C:\WINDOWS\system32\appxg.dll (file missing) O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/22...CX/FlashAX.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...02/mcfscan.cab O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) C:\WINDOWS\aucfg.ini : okwpgl (3567 bytes) C:\WINDOWS\bootstat.dat : dyjqcv (13581 bytes) C:\WINDOWS\bootstat.dat : qmxndr (11736 bytes) C:\WINDOWS\cadx2.ini : vztdef (11151 bytes) C:\WINDOWS\clock.avi : ifqaxb (7471 bytes) C:\WINDOWS\dahotfix.log : agifzm (3567 bytes) C:\WINDOWS\FHM 100 Sexiest 2002.dat : ljnncp (11736 bytes) C:\WINDOWS\GetServer.ini : ebytfz (7471 bytes) C:\WINDOWS\iis6.log : wcryzj (3567 bytes) C:\WINDOWS\KB839645.log : cpiwsl (13581 bytes) C:\WINDOWS\KB839645.log : jopeok (13581 bytes) C:\WINDOWS\KB840987.log : bpikqm (11152 bytes) C:\WINDOWS\KB840987.log : vpakmv (11151 bytes) C:\WINDOWS\KB841873.log : lhapkx (3567 bytes) C:\WINDOWS\KB841873.log : nqtpgy (3567 bytes) C:\WINDOWS\msgsocm.log : alamll (11736 bytes) C:\WINDOWS\msnsetuplog.txt : smtsnw (5207 bytes) C:\WINDOWS\nsw.log : kmmxhg (3567 bytes) C:\WINDOWS\n_jewhgg.txt : vkfufi (0 bytes) C:\WINDOWS\n_kmrgot.txt : nkqaht (0 bytes) C:\WINDOWS\n_majpxc.log : glifbv (0 bytes) C:\WINDOWS\n_qhngqc.dat : yebsdg (0 bytes) C:\WINDOWS\Q814033.log : pmrrvn (11736 bytes) C:\WINDOWS\Q819696.log : hncwpy (7471 bytes) C:\WINDOWS\zkvmx.log : gkwpdp (13581 bytes) C:\WINDOWS\_default.pif : azcrfk (3567 bytes) C:\WINDOWS\_default.pif : ddxpuy (13581 bytes) C:\WINDOWS\_default.pif : djlxjq (11736 bytes) C:\WINDOWS\_default.pif : enkpif (3567 bytes) C:\WINDOWS\_default.pif : eseawl (11736 bytes) C:\WINDOWS\_default.pif : fykxdz (11736 bytes) C:\WINDOWS\_default.pif : gxizql (3567 bytes) C:\WINDOWS\_default.pif : hnzymi (3567 bytes) C:\WINDOWS\_default.pif : ityxqb (11152 bytes) C:\WINDOWS\_default.pif : iysela (4870 bytes) C:\WINDOWS\_default.pif : kgmaxg (3567 bytes) C:\WINDOWS\_default.pif : mmzkod (11157 bytes) C:\WINDOWS\_default.pif : pihtdo (11736 bytes) C:\WINDOWS\_default.pif : pmhssy (7473 bytes) C:\WINDOWS\_default.pif : qanqzm (3567 bytes) C:\WINDOWS\_default.pif : rdzizk (3567 bytes) C:\WINDOWS\_default.pif : rjlmaa (3567 bytes) C:\WINDOWS\_default.pif : sgtvdw (7471 bytes) C:\WINDOWS\_default.pif : tvbimn (3567 bytes) C:\WINDOWS\_default.pif : vwquoa (11152 bytes) C:\WINDOWS\_default.pif : wkecda (7471 bytes) C:\WINDOWS\_default.pif : xegtpn (11736 bytes) C:\WINDOWS\_default.pif : xsnfto (13581 bytes) C:\WINDOWS\_default.pif : xzclxc (7423 bytes) C:\WINDOWS\_default.pif : zfahbt (11736 bytes) C:\WINDOWS\_default.pif : zjagyy (4870 bytes) --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 1:38:13 PM, 12/2/2005 + Report-Checksum: E3C1B18A + Scan result: :mozilla.12:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup :mozilla.15:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup :mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup :mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.45:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.60:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.61:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.62:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.63:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zraki9rs.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup ::Report End

12-03-2005, 12:51 AM	#14 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Hello again rachsrib Please carry out the following instructions Please open HIjackThis, and go to: Config \|\| Misc Tools click the button labelled "Open ADSSpy" Checkmark/tick - *"Ignore Safe System Info Streams"* and *"Quick Scan (Windows based folders only)"* Click the "Scan" button When it has finished scanning, checkmark/tick all that entries that it found Click the "remove selected" button, then Click "Yes" at the following prompt Click the "Scan" button once again. Click the "Save Log" button once this scan is complete. Please post that log here for review. Kind regards alba __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

12-03-2005, 12:34 PM	#15 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	should i do this in safe mode or in regular mode

12-03-2005, 01:06 PM	#16 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	ok so i did the scan and removed everything it found and did the scan again and it found nothing so i have nothing to post here, think that is good news. thanks for all the help

12-03-2005, 04:17 PM	#17 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	hiya rachsrib your PC is clean Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure: Clear & reset System Restore's cache click Start >> Run - type SYSDM.CPL & press Enter Select the System Restore Tab Tick on the checkbox - Turn off System Restore on all drives Click Apply Then untick the same checkbox & click OK Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialize and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here: Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Weather Watcher - Free taskbar weather program that is free, malware free, and resource light. Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. alba __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

12-03-2005, 04:30 PM	#18 (permalink)
rachsrib Registered User Join Date: Nov 2005 Posts: 10 OS: xp	thanks, my computer is running well with no more of those pop ups