Websiteviewer-Please help

This is a discussion on Websiteviewer-Please help within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.

Old 12-28-2004, 02:59 PM   #1
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Websiteviewer porn dialer has found its way onto my computer. Please help. Here's my Hijack this log:

Logfile of HijackThis v1.99.0
Scan saved at 4:14:51 PM, on 12/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\stvolat.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\windows\system32\saie.exe
C:\WINDOWS\System32\tibs3.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\pifninst.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1989CDA8-1898-9E66-F3AF-1C7B4EFF9DBD} - C:\WINDOWS\msih32.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vbiqhfmogzn] C:\WINDOWS\System32\stvolat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AutoLoader5swo1JXlabXU] "C:\WINDOWS\System32\pluetup.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ejgf] c:\windows\ejgf.exe
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - https://public.windupdates.com/get_fi...271ab95b94951b
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - https://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - https://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/A...dwnldr_ext.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A5A0F6E-A778-47AA-9ABF-E8D9A544D533}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\javaya.exe (file missing)

Thanks in advance!
Cropduster is offline  
Old 12-28-2004, 04:24 PM   #2
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download AboutBuster and unzip it to a folder on your Desktop. Do not run it yet.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download FixAgent and unzip it. Run FixAgent.exe. It should fix something. If nothing is fixed, skip to the next step for the HijackThis fixes. If something is found, also download home_missing_114 and unzip it. Run the Home winkey missing batch file. Remember: ONLY run home_missing_114 if FixAgent found something.

Download DelDomains.inf (right-click the link and select 'Save Target As').

To use: right-click the saved file and select 'Install' (no need to restart).
**Note** This will remove all entries in the "Trusted Zone".

Run an online virus scan at TrendMicro. Make sure to select the Autoclean option.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\stvolat.exe
C:\windows\system32\saie.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\pifninst.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\winupdt.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

CxtPls
AutoUpdate
VBouncer

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1989CDA8-1898-9E66-F3AF-1C7B4EFF9DBD} - C:\WINDOWS\msih32.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O4 - HKLM\..\Run: [vbiqhfmogzn] C:\WINDOWS\System32\stvolat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoader5swo1JXlabXU] "C:\WINDOWS\System32\pluetup.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [ejgf] c:\windows\ejgf.exe
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - https://public.windupdates.com/get_f...71 ab95b94951b
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://download.weatherbug.com/mini...ransporter.cab?
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\javaya.exe (file missing)

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

c:\windows\ejgf.exe
C:\WINDOWS\msih32.dll
C:\WINDOWS\questmod.dll
C:\WINDOWS\System32\pluetup.exe
C:\WINDOWS\System32\stvolat.exe
C:\windows\system32\saie.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\pifninst.exe
C:\Program Files\CxtPls\
C:\Program Files\AutoUpdate\
C:\Program Files\VBouncer\

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
CTSNKY is offline  
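As an added example (not part of the thread or of HijackThis itself), the Python script below applies the indicator classes CTSNKY's fix list relies on to sample lines excerpted from the logs above: res:// search pages pointing into a local DLL, about:blank pages, the missing URLSearchHook, nameless BHOs, Run entries that launch a bare filename, Trusted Zone additions, and services whose binary is gone. The sample log and the rule wording are constructed for this example; random-looking Run names such as [vbiqhfmogzn] are deliberately left to a human reviewer, since no reliable automated rule exists for them.

```python
"""Triage a HijackThis log for the indicator classes a helper looks at first."""
import re
from typing import Dict, List, Set

Finding = Dict[str, str]

# Constructed sample: lines excerpted from the logs posted in this thread, plus benign
# lines (Acrobat BHO, QuickTime Run entry, PCTEL service) for the filters to pass over.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1989CDA8-1898-9E66-F3AF-1C7B4EFF9DBD} - C:\WINDOWS\msih32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vbiqhfmogzn] C:\WINDOWS\System32\stvolat.exe
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O15 - Trusted Zone: *.searchmiracle.com
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# res://<local dll>/<page> is how the about:blank/sp.html hijack serves its search page.
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O15_TZ = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def _finding(section: str, line: str, reason: str, target: str = "") -> Finding:
    return {"section": section, "line": line, "reason": reason, "target": target}


def _first_exe(cmd: str) -> str:
    """Return the executable part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect the entries a helper would want explained."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1") and " = " in line:
            value = line.rsplit(" = ", 1)[1]
            m = RES_DLL.search(value)
            if m:
                findings.append(_finding(section, line,
                    "IE search/start page redirected into a local DLL via res://", m.group("dll")))
            elif value.lower() == "about:blank":
                findings.append(_finding(section, line,
                    "IE start/search page forced to about:blank"))
        elif section == "R3" and "URLSearchHook is missing" in line:
            findings.append(_finding(section, line, "default URLSearchHook has been removed"))
        elif section == "O2":
            m = O2_BHO.match(line)
            if m and m.group("name") == "(no name)":
                findings.append(_finding(section, line,
                    "Browser Helper Object with no registered name", m.group("path")))
        elif section == "O4":
            m = O4_RUN.match(line)
            if m and "\\" not in _first_exe(m.group("cmd")):
                findings.append(_finding(section, line,
                    "Run entry launches a bare filename (PATH search) rather than a full path",
                    _first_exe(m.group("cmd"))))
        elif section == "O15":
            m = O15_TZ.match(line)
            if m:
                findings.append(_finding(section, line,
                    "site added to the IE Trusted Zone (relaxed security settings)", m.group("domain")))
        elif section == "O23":
            m = O23_SVC.match(line)
            if m and "(file missing)" in m.group("path"):
                findings.append(_finding(section, line,
                    "registered service whose binary is gone (leftover registration)",
                    m.group("path").replace("(file missing)", "").strip()))
    return findings


def files_to_review(findings: List[Finding]) -> Set[str]:
    """Distinct file paths named by the findings, i.e. the delete-if-present candidates."""
    return {f["target"] for f in findings if f["target"] and f["section"] != "O15"}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report:
        print(f"[{f['section']}] {f['reason']}: {f['target'] or f['line']}")
    print("Files to review:", sorted(files_to_review(report)))
```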
Old 12-29-2004, 11:28 AM   #3
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Here is my new HijackThis log.
All seems normal at this time.
Thanks in advance.

Logfile of HijackThis v1.99.0
Scan saved at 1:19:13 PM, on 12/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Hijack This\HijackThis.exe
Cropduster is offline  
Old 12-29-2004, 02:02 PM   #4
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


Whoops! You only posted the top half.....need it all please.
CTSNKY is offline  
Old 01-04-2005, 09:31 PM   #5
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Logfile of HijackThis v1.99.0
Scan saved at 10:37:07 PM, on 1/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - https://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - https://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/A...dwnldr_ext.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A5A0F6E-A778-47AA-9ABF-E8D9A544D533}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
Cropduster is offline  
Old 01-05-2005, 04:09 AM   #6
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


Boot into Safe Mode.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\jklwj.dll
pifninst.exe

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
CTSNKY is offline  
Old 01-06-2005, 11:30 AM   #7
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Only one item appeared when I scanned in SAFE MODE, but when I scan in regular mode all six appear. I deleted the one that appeared in SAFE MODE.

I did a search in SAFE MODE for C:\WINDOWS\jklwj.dllpifninst.exe. Nothing was found.

Here is my new Hijack This scan. I thought I posted it yesterday, but I can't find it so here it is again.

Thank you very much.

Logfile of HijackThis v1.99.0
Scan saved at 1:22:05 PM, on 1/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - https://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - https://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/A...dwnldr_ext.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A5A0F6E-A778-47AA-9ABF-E8D9A544D533}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
Cropduster is offline  
Old 01-06-2005, 11:44 AM   #8
TSF Team, Emeritus
Join Date: Jul 2004
Location: New York
Posts: 14,311
OS: Windows 98 & Windows XP Home/Pro

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download AboutBuster and unzip it to a folder on your Desktop. Do not run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) if they exist:

C:\WINDOWS\jklwj.dll
pifninst.exe

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17 is offline  
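The entries greyknight17 picked out above follow a few recognisable patterns: R1 search settings pointing at a res:// resource inside a DLL under C:\WINDOWS, a missing default URLSearchHook, an HKCU Run entry with a random-looking name that launches a bare filename, and O9 buttons whose target file no longer exists. As an added example (not code from this thread, from HijackThis or from About:Buster), the Python script below encodes those patterns as triage heuristics and runs them over lines copied from the log posted earlier in this thread. The suspicious-word list for O16 ActiveX entries follows the wording of the hijackthis.de analyser output quoted later in the thread; the random-name threshold, the bare-filename check and the reason strings are my own assumptions, not rules from any tool.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not
code from this thread, HijackThis or About:Buster). Thresholds and the
reason strings are the editor's assumptions."""
import re
from typing import List, Optional, Tuple

# Words the hijackthis.de analyser warns about in O16 (ActiveX) entries.
SUSPICIOUS_WORDS = ("dialer", "casino", "free plugin")

R1_RE = re.compile(r"^R[01] - (.+?) = (.*)$")                            # R0/R1 start/search settings
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.*)$")                       # O4 Run-key autostarts
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((.*?)\) - (.*)$")  # O16 ActiveX downloads


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a single token mixing upper case, lower case and
    digits with frequent switches between them, e.g. 'Kow8RXGnl'."""
    if " " in name or len(name) < 6:
        return False

    def cls(c: str) -> str:
        return "d" if c.isdigit() else ("u" if c.isupper() else "l")

    switches = sum(1 for a, b in zip(name, name[1:]) if cls(a) != cls(b))
    return (any(c.isdigit() for c in name) and any(c.isupper() for c in name)
            and any(c.islower() for c in name) and switches >= 4)


def classify(line: str) -> Optional[str]:
    """Return a reason string if the line matches a hijack pattern, else None."""
    m = R1_RE.match(line)
    if m:
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if value.startswith("res://") and ".dll" in value:
            return "search/start page redirected into a DLL resource (about:blank hijack)"
        if "searchurl" in key and value == "about:blank":
            return "search URL blanked by the hijacker; reset after the DLL is removed"
        return None
    if line.startswith("R3 - ") and "missing" in line:
        return "default URLSearchHook missing; should be restored"
    m = O4_RE.match(line)
    if m:
        name, command = m.group(2), m.group(3).strip()
        exe = command.strip('"').split()[0] if command else ""
        if looks_random(name):
            return f"Run entry name {name!r} looks randomly generated"
        if exe and "\\" not in exe and "%" not in exe:
            return f"Run entry launches {exe!r} without a full path"
        return None
    if line.startswith("O9 - ") and "(no file)" in line:
        return "orphaned browser button/menu item (target file missing)"
    m = O16_RE.match(line)
    if m:
        text = f"{m.group(1)} {m.group(2)}".lower()
        for word in SUSPICIOUS_WORDS:
            if word in text:
                return f"ActiveX download object mentions {word!r}"
        return None
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every non-empty line of a log and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reason = classify(line)
            if reason:
                findings.append((line, reason))
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus the benign RealTray entry for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - https://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"FIX  {entry}\n     -> {why}")
```

Run it against a saved HijackThis log to get a shortlist for review; it flags seven of the nine sample lines and leaves the RealTray and MSN entries alone. The output is a prompt for a human decision, not a fix list: a random-looking Run name is a strong hint, but a bare filename can also be a legitimate program that relies on the PATH, which is why the two O4 checks report different reasons.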
Old 01-06-2005, 04:33 PM   #9
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Scanned at: 12:14:36 AM on: 12/29/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\axbridge.dll:hvyyt
C:\WINDOWS\explorer.scf:ppqml
C:\WINDOWS\KB821557.log:dkwpe
C:\WINDOWS\Q324380.log:kuxne


Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\axbridge.dll:hvyyt
C:\WINDOWS\explorer.scf:ppqml
C:\WINDOWS\KB821557.log:dkwpe
C:\WINDOWS\Q324380.log:kuxne


Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 5:13:19 PM on: 1/6/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


HiJackThis Analyzer

Entry Kind
(Safe, Nasty, Unknown) Description Tip
Logfile of HijackThis v1.99.0
Safe. Shows the version of HijackThis an. The newest version is: v1.99.0! This should be the newest version. (v1.99.0)
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Possibly out of date Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106! The version (6.00.2600.0000) is out of date. Check Windowsupdate to update the Internet Explorer.
C:\WINDOWS\System32\smss.exe
Safe. running process. (smss.exe)
Systemprozess - Anwendung, die benutzt wird um Sitzungen zu starten, verwalten und löschen.

C:\WINDOWS\system32\winlogon.exe
Safe. running process. (winlogon.exe)
Systemprozess - Windows Login Routine

C:\WINDOWS\system32\services.exe
Safe. running process. (services.exe)
Systemprozess - Verwaltet die Systemdienste.

C:\WINDOWS\system32\lsass.exe
Safe. running process. (lsass.exe)
Systemprozess

C:\WINDOWS\system32\svchost.exe
Safe. running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.

C:\WINDOWS\System32\svchost.exe
Safe. running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.

C:\WINDOWS\Explorer.EXE
Safe. running process. (Explorer.EXE)
Systemprozess für Desktop und Taskleiste.

C:\WINDOWS\system32\spoolsv.exe
Safe. running process. (spoolsv.exe)
Systemprozess

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
Safe. running process. (AOLacsd.exe)
Part of AOL
Possibly nasty! According to our database this process runs normally in c:\programme\gemeinsame dateien\aol\acs! Check if you know this process and arrange a viruscheck where required.
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Safe. running process. (mcvsrte.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\mcafee.com\vso\! Check if you know this process and arrange a viruscheck where required.
C:\WINDOWS\system32\pctspk.exe
Safe. running process. (pctspk.exe)
Modemtreiber

C:\WINDOWS\System32\svchost.exe
Safe. running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Safe. running process. (DirectCD.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\roxio\winoncd\directcd\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
Safe. running process. (jusched.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\java\j2re1.4.2_05\bin\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Real\RealPlayer\RealPlay.exe
Safe. running process. (RealPlay.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\real\realplayer\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\QuickTime\qttask.exe
Safe. running process. (qttask.exe)
Part of QuickTime
Possibly nasty! According to our database this process runs normally in c:\program files\quicktime\! Check if you know this process and arrange a viruscheck where required.
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
Safe. running process. (mcshield.exe)
McAfee VirusScan
Possibly nasty! According to our database this process runs normally in c:\program files\network associates\virusscan\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
Safe. running process. (AOLDial.exe)
Part of AOL

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
Unknown running process. (AOLSPScheduler.exe)
This is a unknown process.

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
Safe. running process. (mcvsshld.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\mcafee.com\vso\! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
Safe. running process. (mcagent.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\mcafee.com\agent\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
Safe. running process. (PopUpKiller.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\popup killer\! Check if you know this process and arrange a viruscheck where required.
c:\progra~1\mcafee.com\vso\mcvsescn.exe
Safe. running process. (mcvsescn.exe)


C:\Program Files\America Online 9.0b\aoltray.exe
Safe. running process. (aoltray.exe)
AOL Trayicon Not dangerous, but unnecessary.
Possibly nasty! According to our database this process runs normally in c:\program files\aol 9.0\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\FinePixViewer\QuickDCF.exe
Safe. running process. (QuickDCF.exe)
Finepix Camera
Possibly nasty! According to our database this process runs normally in c:\program files\finepixviewer\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Hijack This\HijackThis.exe
Safe. running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben. Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
Safe.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
Safe.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
Safe.
R3 - Default URLSearchHook is missing
Nasty Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
Safe. Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 99 %
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
Safe. Entries found in this registry zone are potentially nasty. This application ([8E718888-423F-11D2-876E-00A0C9082467] - Result: 8E718888-423F-11D2-876E-00A0C9082467) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 %
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -
Safe. Entries found in this registry zone are potentially nasty. This application ([BA52B914-B692-46c4-B683-905236F6F655] - Result: BA52B914-B692-46c4-B683-905236F6F655) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 %
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator
Unknown The entered application AdaptecDirectCD was identified: None. Hit rate: 4 % (result) Unknown application.
5\DirectCD\DirectCD.exe"
Unknown running process. (DirectCD.exe")
This is a unknown process.

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
Safe. The entered application REGSHAVE was identified: RegShave. Hit rate: 15 % (result) Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Unknown The entered application SunJavaUpdateSched was identified: None. Hit rate: 8 % (result) Unknown application.
Files\Java\j2re1.4.2_04\bin\jusched.exe
Safe. running process. (jusched.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\java\j2re1.4.2_05\bin\! Check if you know this process and arrange a viruscheck where required.
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
Safe. The entered application RealTray was identified: RealTray. Hit rate: 99 % (result) Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
Safe. The entered application QuickTime Task was identified: QuickTime Task. Hit rate: 99 % (result) Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common
Unknown The entered application AOLDialer was identified: None. Hit rate: 6 % (result) Unknown application.
Files\AOL\ACS\AOLDial.exe
Safe. running process. (AOLDial.exe)
Part of AOL
Possibly nasty! According to our database this process runs normally in c:\program files\gemeinsame dateien\aol\acs\! Check if you know this process and arrange a viruscheck where required.
O4 - HKLM\..\Run: [AOL Spyware Protection]
Safe. The entered application AOL Spyware Protection was identified: "SpywareGuard provides a real-time protection solu. Hit rate: 22 % (result)
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
Unknown running process. (AOLSPScheduler.exe")
This is a unknown process.

O4 - HKLM\..\Run: [Pure Networks Port Magic]
Unknown The entered application Pure Networks Port Magic was identified: None. Hit rate: 2 % (result) Unknown application.
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
Unknown running process. (PortAOL.exe"-Run)
This is a unknown process.

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"
Safe. The entered application VSOCheckTask was identified: VSOCheckTask. Hit rate: 99 % (result)
O4 - HKLM\..\Run: [VirusScan Online]
Unknown The entered application VirusScan Online was identified: SFIRM32 Online Banking software . Hit rate: 15 % (result) Unknown application.
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
Unknown running process. (mcvsshld.exe")
This is a unknown process.

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
Safe. The entered application MCAgentExe was identified: McAgentExe. Hit rate: 94 % (result)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
Safe. The entered application MCUpdateExe was identified: McUpdateExe. Hit rate: 94 % (result)
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
Unknown The entered application Kow8RXGnl was identified: None. Hit rate: 14 % (result) Unknown application.
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\Program Files\Defender
Unknown The entered application Ashampoo PopUpBlocker was identified: None. Hit rate: 7 % (result) Unknown application.
Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
Safe. running process. (PopUpKiller.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\popup killer\! Check if you know this process and arrange a viruscheck where required.
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Unknown The entered application 'America Online 9.0 Tray Icon.lnk (Program)' was identified: 'Kein ()'. Hit rate: 7 % (result) Unknown application.
Files\America Online 9.0b\aoltray.exe
Safe. running process. (aoltray.exe)
AOL Trayicon Not dangerous, but unnecessary.
Possibly nasty! According to our database this process runs normally in c:\program files\aol 9.0\! Check if you know this process and arrange a viruscheck where required.
O4 - Global Startup: Exif Launcher.lnk = ?
Unknown The entered application 'Exif Launcher.lnk (?)' was identified: 'Kein ()'. Hit rate: 8 % (result) Unknown application.
The entry is unnecessary and can be fixed.
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Nasty The entry &AOL Toolbar search has been identified as nasty.
O8 - Extra context menu item: E&xport to Microsoft Excel -
Safe. The entry E&xport to Microsoft Excel - has been identified as safe. If the entry 'E&xport to Microsoft Excel -' is not needed anymore, it should be fixed.
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
Possibly nasty Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry 'Research ' is unknown.
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
Safe. The entry Real.com has been identified as safe. If the entry 'Real.com ' is not needed anymore, it should be fixed.
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class)
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating
Safe. This entry has been identified as safe.
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) -
Safe. This entry has been identified as safe.
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O23 - Service: AOL Connectivity Service - America Online, Inc. -
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service () was identified as a good one.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
Safe. running process. (AOLacsd.exe)
Part of AOL
Possibly nasty! According to our database this process runs normally in c:\programme\gemeinsame dateien\aol\acs! Check if you know this process and arrange a viruscheck where required.
O23 - Service: AOL Spyware Protection Service - Unknown - C:\Program
Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (Program)
Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
Safe. running process. (aolserv.exe)
AOL Privacy Protection Service
Possibly nasty! According to our database this process runs normally in files\common files\aol\aol spyware protection! Check if you know this process and arrange a viruscheck where required.
O23 - Service: McAfee.com McShield - Unknown -
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service () was identified as a good one.
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
Safe. running process. (mcshield.exe)
McAfee VirusScan
Possibly nasty! According to our database this process runs normally in c:\program files\network associates\virusscan\! Check if you know this process and arrange a viruscheck where required.
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service () was identified as a good one.
Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
Safe. running process. (mcupdmgr.exe)
McAfee Update Center
Possibly nasty! According to our database this process runs normally in c:\program files\mcafee.com\agent\! Check if you know this process and arrange a viruscheck where required.
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service () was identified as a good one.
Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Safe. running process. (mcvsrte.exe)

Possibly nasty! According to our database this process runs normally in c:\program files\mcafee.com\vso\! Check if you know this process and arrange a viruscheck where required.
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. -
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service () was identified as a good one.
C:\WINDOWS\system32\pctspk.exe
Safe. running process. (pctspk.exe)
Modemtreiber



This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
Cropduster is offline  
Old 01-06-2005, 04:45 PM   #10
TSF Team Emeritus, Security Team
 
CTSNKY's Avatar
 
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


You did not use the Analyzer program linked to by greyknight17. This is from the HJT web site, which is not what we needed here.

Please follow the link he provided, run your log thru THAT Analyzer and repost. Thanks....
CTSNKY is offline  
Old 01-06-2005, 09:30 PM   #11
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Sorry, I missed that link from greyknight. Here is the result.txt from the proper link.

Log was analyzed using HijackThis Analyzer - Updated on 1/3/05
Get updates at https://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 6:02:31 PM, on 1/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jklwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Kow8RXGnl] pifninst.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - https://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - https://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/A...dwnldr_ext.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A5A0F6E-A778-47AA-9ABF-E8D9A544D533}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe


End of HijackThis Analyzer Log.
Cropduster is offline  
Old 01-07-2005, 09:28 PM   #12
TSF Team Emeritus, Security Team
 
CTSNKY's Avatar
 
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). Also post the contents of the scandump log it creates.
CTSNKY is offline  
Old 01-08-2005, 03:49 PM   #13
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



How do I locate the scandump log?

Here is the TDS-3 scan log

15:53:25 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
15:53:25 [Init] Started 08-01-05 15:53:25 Central Standard Time (UTC: 6), Internet Time @953.76
15:53:25 [Init] Loading TDS-3 Systems ...
15:53:25 [Init] Token successfully adjusted.
15:53:25 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
15:53:27 [Init] • Plugins : OK. Loaded 13
15:53:27 [Init] • Exec Protection : Not Installed
15:53:27 [Init] WARNING: Your Radius.TD3 database needs to be updated!
15:53:27 [Init] Please download the latest from https://tds.diamondcs.com.au/radius.td3
15:53:27 [Init] Licensed users can use the Update facility from the TDS menu
15:53:27 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
15:53:38 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
15:53:38 [Init] • Systems Initialised [44216 references - 20387 primaries/11695 traces/12134 variants/other]
15:53:38 [Init] Radius Systems loaded. <Databases updated 08-01-2005>
15:53:39 [Init] TDS-3 Ready. <[email protected] - United States>
15:53:39 [Tip Of The Day] DiamondCS have, and continue to develop a wide range of software, including the world's original and still the strongest BO2K scanner. Visit https://www.diamondcs.com.au for free downloads!
15:53:39 [TDS] Good afternoon Qdh.
15:53:52 [Mutex Memory Scan] Started...
15:53:54 [Mutex Memory Scan] Finished (no trojan mutexes found).
15:53:54 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
15:55:05 [CRC32] Started - verifying 29 files ...
15:55:09 [CRC32] File doesn't exist: C:\WINDOWS\System32\shell.dll
15:55:18 [CRC32] Test finished.
15:59:05 [Memory Scan] Memory scan started, please wait a moment ...
15:59:06 [Memory Scan] Memory scan complete.
15:59:06 [Mutex Memory Scan] Started...
15:59:09 [Mutex Memory Scan] Finished (no trojan mutexes found).
15:59:09 [Trace Scan] Started...
15:59:19 [Trace Scan] Finished.
15:59:19 [ServiceScan] Scanning for services and drivers ...
15:59:28 [ServiceScan] Scanned 285 services and drivers.
15:59:28 [File Scan] Scanning in A:\ ...
15:59:30 [File Scan] Scanned 0 files: 0 alarms in 1.371094 seconds (Avg 1. files/sec)
15:59:30 [File Scan] Scanning in C:\ ...
16:57:17 [File Scan] Scanned 35340 files: 46 alarms in 3467.285 seconds (Avg 11.19 files/sec)
16:57:17 [File Scan] Scanning in D:\ ...
16:57:18 [File Scan] Scanned 0 files: 46 alarms in 0.1640625 seconds (Avg 1. files/sec)
16:57:18 [File Scan] Scanning in E:\ ...
16:57:18 [File Scan] Scanned 0 files: 46 alarms in 0.0234375 seconds (Avg 1. files/sec)
Cropduster is offline  
Old 01-08-2005, 04:29 PM   #14
Guest
 
Join Date: Dec 2004
Posts: 20
OS:



Disregard my message about finding the scandump file. I found it.

Scandump file

Scan Control Dumped @ 18:22:51 08-01-05
Positive identification (DLL): Trojan.Win32.HideProc.a (dll)
File: c:\documents and settings\qdh\local settings\temp\8b.tmp

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\8d.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa11.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa11.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa14.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa14.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa16.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa16.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa1a.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa1a.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa29.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa29.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa2d.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa2d.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa5.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa5.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa7.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa7.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa8.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa8.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa9.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa9.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sa94.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sa94.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\saa.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\saa.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\saac.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\saac.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sabd.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sabd.tmp.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sac.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sac.tmp.exe

Positive identification (DLL): Adware.Mxtarget (dll)
File: c:\documents and settings\qdh\local settings\temp\thi5c09.tmp\mxtarget.dll

Positive identification: TrojanDownloader.Win32.Apropo.p
File: c:\documents and settings\qdh\local settings\temp\~apropos0\ph.exe

Positive identification: Adware.Apropos.m
File: c:\documents and settings\qdh\local settings\temp\~apropos0\pm.exe

Positive identification (DLL): Trojan.Win32.EMT.a (dll)
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc2.exe

Positive identification: TrojanDownloader.Win32.Tibser.c
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc5.exe

Positive identification: TrojanDownloader.Win32.Apropo.p
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc7.exe

Positive identification (DLL): TrojanDownloader.Win32.Briss.a (dll)
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc1\bridgex.dll

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc1\minibugtransporter.dll

Positive identification: TrojanDropper.Win32.Small.mr
File: c:\windows\bundles\saie1101.exe

Positive identification: Adware.BetterInternet
File: c:\windows\bundles\thin-8-1-x-x.exe

Positive identification: Adware.BargainBuddy.q
File: c:\windows\system32\exul.exe

Positive identification: Adware.BargainBuddy.q
File: c:\windows\system32\exul1.exe

Positive identification: Adware.BargainBuddy.q
File: c:\windows\system32\exul2.exe

Positive identification: Adware.BargainBuddy.q
File: c:\windows\system32\javexulm.vxd
Cropduster is offline  
Old 01-08-2005, 05:09 PM   #15
CTSNKY
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Boot to Safe Mode.
Go to My Computer->Tools/View->Folder Options->View tab and uncheck 'Hide protected operating system files'.

Delete these files (if they still exist):

File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc1\bridgex.dll
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc1\minibugtransporter.dll
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc2.exe
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc5.exe
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc7.exe
File: c:\windows\bundles\saie1101.exe
File: c:\windows\bundles\thin-8-1-x-x.exe
File: c:\windows\system32\exul.exe
File: c:\windows\system32\exul1.exe
File: c:\windows\system32\exul2.exe
File: c:\windows\system32\javexulm.vxd


Run CleanUp! again.

Reboot and report back on your problems.
CTSNKY is offline  
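Added example, not from the thread or from any tool named in it: a small Python helper that parses the scan output format posted above into (path, detection) pairs, reimplements the scanner's "Dual extensions" heuristic, and sorts the paths the way the reply does, leaving files under the user's Temp folder to the temp cleaner and listing everything else for manual deletion in Safe Mode. The sample report is four entries copied from the posted log; the set of executable extensions and all function names are assumptions.

```python
import re

# Constructed sample: four entries copied from the scan log posted above.
SAMPLE_REPORT = r"""
Suspicious Filename: Dual extensions
File: c:\documents and settings\qdh\local settings\temp\sabd.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\qdh\local settings\temp\sabd.tmp.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-854245398-1343024091-1957994488-500\dc1\minibugtransporter.dll

Positive identification: Adware.BargainBuddy.q
File: c:\windows\system32\javexulm.vxd
"""

# One report entry: a "<kind>: <detail>" line followed directly by a "File: <path>" line.
ENTRY_RE = re.compile(r"^(?P<kind>[^:\n]+): (?P<detail>.+)\nFile: (?P<path>.+)$", re.M)
# Assumed set of extensions that Windows treats as executable when they come last.
EXEC_EXTENSIONS = {"exe", "dll", "com", "scr", "pif"}
# Per-user temp folder marker in the Windows XP layout used by the posted paths.
TEMP_MARKER = "\\local settings\\temp\\"

def parse_report(text):
    """Return (path, detection) pairs; paths are lowercased for comparison."""
    return [(m.group("path").strip().lower(), m.group("detail").strip())
            for m in ENTRY_RE.finditer(text)]

def has_dual_extension(path):
    """Mirror the scanner's 'Dual extensions' heuristic: sabd.tmp.exe carries a
    decoy extension (.tmp) in front of the one Windows actually honours (.exe)."""
    name = path.rsplit("\\", 1)[-1]
    parts = name.split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS

def plan_cleanup(text):
    """Bucket detections the way the reply does: Temp files are left to the
    temp cleaner, everything else goes on the manual Safe Mode delete list."""
    plan = {"temp_cleaner": set(), "manual_delete": set(), "dual_extension": set()}
    for path, _detection in parse_report(text):
        bucket = "temp_cleaner" if TEMP_MARKER in path else "manual_delete"
        plan[bucket].add(path)  # a set, because one path can be reported twice
        if has_dual_extension(path):
            plan["dual_extension"].add(path)
    return {k: sorted(v) for k, v in plan.items()}
```

Feeding the full posted log to `plan_cleanup` reproduces the reply's delete list (the recycler, bundles and system32 files) while the Temp entries fall into the cleaner bucket.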