
Discussion Starter #1 (Registered, 11 Posts)
CWS.homesearch has taken up residence on my family PC running XP Home SP1, with multiple users. The usual tools (adaware, ccleaner, yahoo anti-spy, spybot - search & destroy) can't remove this insidious invader.

Also, a DOS window now opens up after logging in to the XP desktop and appears to do nothing other than suspend the loading of the desktop. At the top of the window the path is ...ppclean.exe.

Can you offer a plan of attack for either or both of these issues?
 

Administrator (4,870 Posts)
Hi and welcome to TSF

You say you have run Adaware and Spybot Search and Destroy. Did you run Spybot version 1.4 and was your Adaware version 1.06 with the definitions updated? If not please run the following tools again. Download and update the databases on each program before running.

Download, install, and update Ewido Security Suite
  • Install Ewido Security Suite
  • Launch Ewido, there will be a big E icon on your desktop which you must double-click.
  • The program will prompt you to update so you need to click the OK button
  • The program will take you to the main screen
You must update Ewido with the latest definition files.
  • On the left hand side of the main screen click Update
  • Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido

Reboot into Safe Mode by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - Perform action on all infections. Choose clean then click [OK].
  • Once finished, click the [Save report] button and save the report to your desktop.
Close Ewido

Reboot back to normal mode.

Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file then come back and post it here, together with the Ewido report.
 

Discussion Starter #4 (Registered, 11 Posts)
Horse - Thanks for your guidance. I have been unable to run adaware or spybot. My PC keeps freezing. Should I try to run these programs in Safe Mode?
 

TSF Security Manager, Emeritus (42,837 Posts)
Hello helpontheway,

Yes, try running them in Safe Mode. If your computer still freezes, see what other steps you can complete in the instructions given by Horse.

Do what you can, then post the HijackThis log here.
 

Discussion Starter #7 (Registered, 11 Posts)
Here are the Ewido and HJT logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:07:16 AM, 10/6/2005
+ Report-Checksum: E5BCFB33

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{67D02480-710B-80D7-0624-27BB57B32CDE} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{795714A8-C9C0-E8BD-30DB-A0DA3B603993} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E404F826-ABE4-D856-61BA-BCBD539933F8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinServAdX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinServAdX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced -> Spyware.Downloadware : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
C:\Documents and Settings\Kathleen\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0B.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Documents and Settings\Kathleen\Local Settings\Temp\9C.tmp -> Not-A-Virus.Hoax.SpyWare.a : Cleaned with backup
C:\Documents and Settings\Kathleen\Local Settings\Temp\9C.tmp.exe -> Not-A-Virus.Hoax.SpyWare.a : Cleaned with backup
C:\Downloads\Monopoly3-dm[1].exe -> Spyware.Trymedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrojanDownloader.Rameh.c : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> Spyware.MediaPops : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA3.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAC.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBB.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00264131.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264546.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264561.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264562.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264597.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264598.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264599.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264610.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264622.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264623.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264698.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264699.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264700.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264701.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00264702.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00264707.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264708.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264716.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264717.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264722.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264723.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264730.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264731.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264737.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264738.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264743.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264744.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00264762.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264763.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264764.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264765.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264766.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264770.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264771.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264772.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264773.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264774.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264775.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264776.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264783.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264784.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264785.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264786.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264787.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264788.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264789.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264796.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264797.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264798.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264799.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264800.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264801.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264802.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00264864.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00360294.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00360295.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00360296.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00360297.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00360298.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00360387.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00360688.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00360689.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00360690.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00360691.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00360692.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00361009.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00361016.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00361283.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361285.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361286.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361287.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361288.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361289.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361292.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361293.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361294.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361295.dll -> Spyware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00361317.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361318.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361320.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00361321.dll -> Spyware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00361325.exe -> Trojan.Small.cy : Cleaned with backup
C:\RECYCLER\NPROTECT\00361334.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179890.INI:clxeva -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179916.OLD:csuzx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179921.OLD:csuzx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179922.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179925.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179927.prx:yeugkp -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179929.INI:clxeva -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0179930.INI:iwqjnh -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180212.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180213.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180214.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180215.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180216.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180217.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180218.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180219.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180220.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180221.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180222.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180223.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180224.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180225.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180226.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180227.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180228.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180229.prx:yeugkp -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180231.INI:clxeva -> Spyware.SearchPage : Cleaned with backup
C:\temp\SAHPackage.exe -> Adware.SAHA : Cleaned with backup
C:\temp\SearchRelevancy.exe -> Spyware.Relevance.b : Cleaned with backup
C:\temp\VegasFrontier.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\20AC.tmp:rfnpzn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\20DA.tmp:aiaxmz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\7097.tmp:umbgkh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\733B.tmp:liabdw -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\73BD.tmp:azaipr -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\73F0.tmp:uviaxq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\741.tmp:punzfs -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\743E.tmp:ppahae -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\748A.tmp:tkkgut -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\7493.tmp:wmgelq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\79B7.tmp:imdaq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\7C0F.tmp:wpjwh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addse.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appmj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\CA9.tmp:evbmk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\crie32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crnk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\inst2.dll -> TrojanDownloader.WinShow.az : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WinServAdX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\iaxmz.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ievx.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iphq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javabk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javadu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javalm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfchk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfchm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\MPLAYER.REG:bbekzu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mssh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mssz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntaj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\opt_2460.ini:eek:etnsu -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Recorder.dat:fnsosj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\REGLOCS.OLD:csuzx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkmd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysmh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ biD.exe/bi.dll -> Trojan.Bispy.A : Error during cleaning
C:\WINDOWS\SYSTEM32\ biD.exe/biprep.exe -> Trojan.Bispy.B : Error during cleaning
C:\WINDOWS\SYSTEM32\ biD.exe/bi.dll -> Trojan.Bispy.A : Error during cleaning
C:\WINDOWS\SYSTEM32\ biD.exe/biprep.exe -> Trojan.Bispy.B : Error during cleaning
C:\WINDOWS\SYSTEM32\addoy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apijw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apisy.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlxr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\biD.exe/bi.dll -> Trojan.Bispy.A : Error during cleaning
C:\WINDOWS\SYSTEM32\biD.exe/biprep.exe -> Trojan.Bispy.B : Error during cleaning
C:\WINDOWS\SYSTEM32\biD.exe/bi.dll -> Trojan.Bispy.A : Error during cleaning
C:\WINDOWS\SYSTEM32\biD.exe/biprep.exe -> Trojan.Bispy.B : Error during cleaning
C:\WINDOWS\SYSTEM32\crep32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crkw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ietz32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll -> Trojan.Bispy.A : Error during cleaning
C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe -> Trojan.Bispy.B : Error during cleaning
C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll -> Trojan.Bispy.A : Error during cleaning
C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe -> Trojan.Bispy.B : Error during cleaning
C:\WINDOWS\SYSTEM32\in9bDs.dlltmp -> Adware.eZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipro.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcmj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntoj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkaa32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysoq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syswo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winvd32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\tiscali_it_2.ico:apmnmz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\VBADDIN.INI:iwqjnh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wiaservc.log:rjuyjs -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winxi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\WMSysPr9.prx:yeugkp -> Trojan.Agent.bi : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 6:55:41 AM, on 10/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\RioMSC.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~2\NORTON~3\navapw32.exe
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ezzufuk] C:\Program Files\Nzsyaxk\Aiaic.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - http://livesc03.rightnowtech.com/audible/audible/rnt/rnl/java/RntX.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

TSF Security Manager, Emeritus · 42,837 Posts
Hi,

Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please make sure System Restore is enabled by right-clicking on My Computer and going to Properties->System Restore; check the box for Turn OFF System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean, we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Do not run it yet.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\ biD.exe/bi.dll
C:\WINDOWS\SYSTEM32\ biD.exe/biprep.exe
C:\WINDOWS\SYSTEM32\ biD.exe/bi.dll
C:\WINDOWS\SYSTEM32\ biD.exe/biprep.exe
C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll
C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe
C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll
C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Nzsyaxk

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ezzufuk] C:\Program Files\Nzsyaxk\Aiaic.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe


Delete the following Folder:

C:\Program Files\Nzsyaxk

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:
  - Empty Recycle Bins
  - Temporary Internet Files
  - Delete Cookies
  - Delete Prefetch files
  - [X] Scan local drives for temporary files (Please uncheck this option)
  - Cleanup! All Users
* Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

From Normal Mode:

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button and a pop-up window will appear (make sure your pop-up blocker doesn't block it).
  2. Click on 'Scan Now'.
  3. Enter your e-mail address and click 'Scan Now'; this begins downloading Panda's ActiveX controls (8MB).
  4. Begin the scan by selecting My Computer.
     * You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on See report.
  6. Then click Save report.
  7. Post the contents of the report in your next reply along with a new HijackThis log.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.
 

Registered · 11 Posts · Discussion Starter #9
Only the first file name would paste into KillBox. When I start KillBox, the title above the menu bar says "Pocket KillBox". Did I download the wrong file?
 

TSF Security Manager, Emeritus · 42,837 Posts
You're ok, you downloaded the proper tool. :smile:

If you can't get all the files to paste over, then copy/paste them one at a time, using the same setup as above:

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.
 

TSF Security Manager, Emeritus · 42,837 Posts
While it can take quite some time, scanning only 7 files in half an hour is a bit tedious. Let's try another online scanner:

Perform an online scan with Kaspersky WebScanner using Internet Explorer.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
* The program will launch and then begin downloading the latest definition files.
* Once the files have been downloaded, click on NEXT.
* Now click on Scan Settings.
* In the scan settings, make sure that the following are selected:
  * Scan using the following Anti-Virus database: Standard
  * Scan Options: Scan Archives, Scan Mail Bases
* Click OK.
* Now under "Select a target to scan", select My Computer.
* The program will start and scan your system.
* The scan will take a while, so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button.
* Save the file to your desktop.
* Copy and paste that information in your next post.
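The scanner requested above writes one "<object path> Infected: <detection name>" line per object; the user's report further down this thread shows the format. As an added example, not part of this thread or of Kaspersky's tooling, the Python script below groups such lines by where each object lives, so that restore-point copies (the ones the System Restore off/on step in the earlier post is meant to flush), files already in the antivirus quarantine, archive members and NTFS alternate data streams hung off harmless-looking host files are told apart from live files that need removing. The sample lines are copied from the report posted in this thread.

```python
"""Triage a Kaspersky On-line Scanner text report by where each hit lives.

Added example for this thread (not a tool the helpers used): the scanner
writes one "<object path> Infected: <detection name>" line per object, and
this script groups those lines so that restore-point copies, quarantined
files, archive members and NTFS alternate data streams are told apart from
live files that actually need removing.
"""
import re
from collections import Counter, defaultdict

# One hit per line: "<object path> Infected: <detection name>"
HIT_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+)$")
# NTFS alternate data stream notation: "<host file>:<stream name>:$DATA"
ADS_RE = re.compile(r"^(?P<host>.+?):(?P<stream>[^:\\/]+):\$DATA$")

# Sample input: a handful of lines copied from the report posted in this thread,
# plus two of the scanner's non-hit lines that the parser must skip. The leading
# space in "SYSTEM32\ biD.exe" is part of the filename, not a typo.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval.n
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe Infected: Trojan-Downloader.Win32.Keenval.n
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0EC67854.exe Infected: Worm.Win32.Lovesan.a
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180257.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180285.REG:bbekzu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\apiib.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\PPI.INI:wjkwaf:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\Rhododendron.bmp:xocbmt:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ biD.exe Infected: Trojan-Dropper.Win32.Agent.og
Scan process completed.
"""

# Bucket names, in the order a summary should present them.
CATEGORIES = ("live file", "alternate data stream", "archive member",
              "quarantined", "restore point")


def parse_report(text):
    """Return (path, detection) pairs; header, statistics and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def classify(path):
    """Name the bucket a hit belongs to; the first matching rule wins."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore point"       # System Restore's copies; purged by toggling it off and on
    if "\\quarantine\\" in low:
        return "quarantined"         # already contained by the resident antivirus
    if ADS_RE.match(path):
        return "alternate data stream"
    if "/" in path:
        return "archive member"      # nested object, reported as <container>/<member>
    return "live file"


def action_target(path, category):
    """The object an administrator actually acts on for a hit in this category."""
    if category == "archive member":
        return path.split("/", 1)[0]            # the container file on disk
    if category == "alternate data stream":
        m = ADS_RE.match(path)
        # Deleting the host file is the wrong fix: it is the stream that is malicious.
        return f"{m.group('host')} (stream {m.group('stream')})"
    return path


def triage(text):
    """Group the report's hits. Returns ({category: sorted unique targets}, Counter of detections)."""
    by_cat = defaultdict(set)
    by_name = Counter()
    for path, name in parse_report(text):
        cat = classify(path)
        by_cat[cat].add(action_target(path, cat))
        by_name[name] += 1
    return {cat: sorted(targets) for cat, targets in by_cat.items()}, by_name


def summarize(text):
    """Human-readable triage: one block per populated category, then detection counts."""
    by_cat, by_name = triage(text)
    out = []
    for cat in CATEGORIES:
        targets = by_cat.get(cat, [])
        if targets:
            out.append(f"{cat} ({len(targets)}):")
            out.extend("  " + t for t in targets)
    out.append("detections: " + ", ".join(f"{n} x{c}" for n, c in by_name.most_common()))
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Run it against the full saved report instead of the embedded sample to see how many of the 212 hits are restore-point copies rather than live files.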
 

Registered · 11 Posts · Discussion Starter #13
Here are the Kaspersky and HJT logs:


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 06, 2005 17:36:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/10/2005
Kaspersky Anti-Virus database records: 143491
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 165476
Number of viruses found: 9
Number of infected objects: 212
Number of suspicious objects: 0
Duration of the scan process: 12588 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval.n
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006/data0008 Infected: Trojan-Downloader.Win32.Keenval.n
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006/data0009 Infected: Trojan-Downloader.Win32.Keenval
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0006 Infected: Trojan-Downloader.Win32.Keenval
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0011/data0003 Infected: Trojan-Downloader.Win32.Keenval.n
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe/data0011 Infected: Trojan-Downloader.Win32.Keenval.n
C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe Infected: Trojan-Downloader.Win32.Keenval.n
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0EC67854.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DAD222D.tmp Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B882378.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4BD36925.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4BF40D01.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56EC18EF.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\572A36AA.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\574E0483.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\575B2C74.exe Infected: Worm.Win32.Lovesan.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57B74410.exe Infected: Worm.Win32.Lovesan.a
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180257.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180258.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180259.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180260.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180261.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180262.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180263.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180264.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180265.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180267.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180268.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180269.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180271.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180272.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180273.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180274.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180275.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180276.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180278.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180279.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180280.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180281.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180282.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180283.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180284.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180285.REG:bbekzu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180286.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180287.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180288.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180289.ini:eek:etnsu:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180290.OLD:csuzx:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180291.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180292.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180293.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180294.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180295.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180296.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180297.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180298.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180299.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180300.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180301.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180302.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180303.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180304.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180305.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180306.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180307.ico:apmnmz:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180308.INI:iwqjnh:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180309.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP725\A0180310.prx:yeugkp:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\apiib.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\apipd32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\apipf.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\apiqg32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\apitq.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\apixz.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\apizv.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\appmk.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\appys32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\appzk32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\atlad.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\atlcb32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\atldj32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\atlkf32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crch.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crcq.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crdc32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crey.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crqr32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crsa32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crst.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crts32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\d3fe32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\d3jw.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ieev.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\iejl.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\iesq32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ipaj.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ipbg.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ipnr.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\javafa32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\javaii.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\javaqo32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\javasx32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\javavc32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\mfckz32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\mfcvk.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\mfcwq.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\msca.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\msfl.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\msjv.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\msny.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\netps.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\netrc32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\netst32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\netvl32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\netyv.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\netzw.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ntid32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ntrc32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ntsa32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\nttn.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ntwl32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ntxy.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\PPI.INI:wjkwaf:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\Rhododendron.bmp:xocbmt:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\sdkar.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\sdkaz32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\sdkmr.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\sdkpz32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\sdkyq32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\sysnd.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\syspk.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ biD.exe Infected: Trojan-Dropper.Win32.Agent.og
C:\WINDOWS\SYSTEM32\addts32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\adduy.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\apilu.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\apixl.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\appcr32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\appfg32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\appyx.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlft32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlgh.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlmo32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlna32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atltm.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlvp.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlwn32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\atlzg.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\biD.exe Infected: Trojan-Dropper.Win32.Agent.og
C:\WINDOWS\SYSTEM32\crbz.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\crfl.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\crio32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\crop32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\crpc.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\crre32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\crup.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\d3hz.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\d3lf.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ietn.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ipkf32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ipxo.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\javapn32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\javasr32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\javaub32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\javawr32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\mfcei32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\mfcrv.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\mfcwi.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\mfcyr.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\msds.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\msgc.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\mstn32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\netwg.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\netyi.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\netyu.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntkx.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntlb.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntrc32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntub32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntvs.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntwg32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntwv32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\ntxt32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SYSTEM32\ntyw32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkcj32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkcv32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkhg.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkhu.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkli32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkyg.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sdkyp32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sysbe32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sysia.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\syslu32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\sysod32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\windx.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\winov.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\SYSTEM32\winph.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winab32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winag32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winbn32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winlb32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winmt.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winng.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winpm.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\winrj.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\wintf.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\winvz32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\Zapotec.bmp:rxflez:$DATA Infected: Trojan-Downloader.Win32.Agent.bq

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 7:19:51 PM, on 10/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~2\NORTON~3\navapw32.exe
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\RioMSC.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - http://livesc03.rightnowtech.com/audible/audible/rnt/rnl/java/RntX.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

TSF Security Manager, Emeritus
42,837 Posts
Ok, we have a bit of work to do here. :smile:

Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Please check for Ewido updates once again.

Before we begin, please do the following:

Empty the Norton Recycle Bin
Empty the Norton Quarantine Folder --just the contents, not the folder itself

Turn off System Restore: Click Start > Right Click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK. Now re-enable System Restore by repeating the previous step and uncheck "Turn off System Restore". It should automatically create a new restore point for you (it will tell you it is doing so).

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe
C:\WINDOWS\apiib.exe
C:\WINDOWS\apipd32.exe
C:\WINDOWS\apipf.exe
C:\WINDOWS\apiqg32.exe
C:\WINDOWS\apitq.exe
C:\WINDOWS\apixz.exe
C:\WINDOWS\apizv.exe
C:\WINDOWS\appmk.exe
C:\WINDOWS\appys32.exe
C:\WINDOWS\appzk32.exe
C:\WINDOWS\atlad.exe
C:\WINDOWS\atlcb32.exe
C:\WINDOWS\atldj32.exe
C:\WINDOWS\atlkf32.exe
C:\WINDOWS\crch.exe
C:\WINDOWS\crcq.exe
C:\WINDOWS\crdc32.exe
C:\WINDOWS\crey.exe
C:\WINDOWS\crqr32.exe
C:\WINDOWS\crsa32.exe
C:\WINDOWS\crst.exe
C:\WINDOWS\crts32.exe
C:\WINDOWS\d3fe32.exe
C:\WINDOWS\d3jw.exe
C:\WINDOWS\ieev.exe
C:\WINDOWS\iejl.exe
C:\WINDOWS\iesq32.exe
C:\WINDOWS\ipaj.exe
C:\WINDOWS\ipbg.exe
C:\WINDOWS\ipnr.exe
C:\WINDOWS\javafa32.exe
C:\WINDOWS\javaii.exe
C:\WINDOWS\javaqo32.exe
C:\WINDOWS\javasx32.exe
C:\WINDOWS\javavc32.exe
C:\WINDOWS\mfckz32.exe
C:\WINDOWS\mfcvk.exe
C:\WINDOWS\mfcwq.exe
C:\WINDOWS\msca.exe
C:\WINDOWS\msfl.exe
C:\WINDOWS\msjv.exe
C:\WINDOWS\msny.exe
C:\WINDOWS\netps.exe
C:\WINDOWS\netrc32.exe
C:\WINDOWS\netst32.exe
C:\WINDOWS\netvl32.exe
C:\WINDOWS\netyv.exe
C:\WINDOWS\netzw.exe
C:\WINDOWS\ntid32.exe
C:\WINDOWS\ntrc32.exe
C:\WINDOWS\ntsa32.exe
C:\WINDOWS\nttn.exe
C:\WINDOWS\ntwl32.exe
C:\WINDOWS\ntxy.exe
C:\WINDOWS\sdkar.exe
C:\WINDOWS\sdkaz32.exe
C:\WINDOWS\sdkmr.exe
C:\WINDOWS\sdkpz32.exe
C:\WINDOWS\sdkyq32.exe
C:\WINDOWS\sysnd.exe
C:\WINDOWS\syspk.exe
C:\WINDOWS\SYSTEM32\addts32.exe
C:\WINDOWS\SYSTEM32\adduy.exe
C:\WINDOWS\SYSTEM32\apilu.exe
C:\WINDOWS\SYSTEM32\apixl.exe
C:\WINDOWS\SYSTEM32\appcr32.exe
C:\WINDOWS\SYSTEM32\appfg32.exe
C:\WINDOWS\SYSTEM32\appyx.exe
C:\WINDOWS\SYSTEM32\atlft32.exe
C:\WINDOWS\SYSTEM32\atlgh.exe
C:\WINDOWS\SYSTEM32\atlmo32.exe
C:\WINDOWS\SYSTEM32\atlna32.exe
C:\WINDOWS\SYSTEM32\atltm.exe
C:\WINDOWS\SYSTEM32\atlvp.exe
C:\WINDOWS\SYSTEM32\atlwn32.exe
C:\WINDOWS\SYSTEM32\atlzg.exe
C:\WINDOWS\SYSTEM32\biD.exe
C:\WINDOWS\SYSTEM32\ biD.exe
C:\WINDOWS\SYSTEM32\crbz.exe
C:\WINDOWS\SYSTEM32\crfl.exe
C:\WINDOWS\SYSTEM32\crio32.exe
C:\WINDOWS\SYSTEM32\crop32.exe
C:\WINDOWS\SYSTEM32\crpc.exe
C:\WINDOWS\SYSTEM32\crre32.exe
C:\WINDOWS\SYSTEM32\crup.exe
C:\WINDOWS\SYSTEM32\d3hz.exe
C:\WINDOWS\SYSTEM32\d3lf.exe
C:\WINDOWS\SYSTEM32\ietn.exe
C:\WINDOWS\SYSTEM32\ipkf32.exe
C:\WINDOWS\SYSTEM32\ipxo.exe
C:\WINDOWS\SYSTEM32\javapn32.exe
C:\WINDOWS\SYSTEM32\javasr32.exe
C:\WINDOWS\SYSTEM32\javaub32.exe
C:\WINDOWS\SYSTEM32\javawr32.exe
C:\WINDOWS\SYSTEM32\mfcei32.exe
C:\WINDOWS\SYSTEM32\mfcrv.exe
C:\WINDOWS\SYSTEM32\mfcwi.exe
C:\WINDOWS\SYSTEM32\mfcyr.exe
C:\WINDOWS\SYSTEM32\msds.exe
C:\WINDOWS\SYSTEM32\msgc.exe
C:\WINDOWS\SYSTEM32\mstn32.exe
C:\WINDOWS\SYSTEM32\netwg.exe
C:\WINDOWS\SYSTEM32\netyi.exe
C:\WINDOWS\SYSTEM32\netyu.exe
C:\WINDOWS\SYSTEM32\ntkx.exe
C:\WINDOWS\SYSTEM32\ntlb.exe
C:\WINDOWS\SYSTEM32\ntrc32.exe
C:\WINDOWS\SYSTEM32\ntub32.exe
C:\WINDOWS\SYSTEM32\ntvs.exe
C:\WINDOWS\SYSTEM32\ntwg32.exe
C:\WINDOWS\SYSTEM32\ntwv32.exe
C:\WINDOWS\SYSTEM32\ntxt32.exe
C:\WINDOWS\SYSTEM32\ntyw32.exe
C:\WINDOWS\SYSTEM32\sdkcj32.exe
C:\WINDOWS\SYSTEM32\sdkcv32.exe
C:\WINDOWS\SYSTEM32\sdkhg.exe
C:\WINDOWS\SYSTEM32\sdkhu.exe
C:\WINDOWS\SYSTEM32\sdkli32.exe
C:\WINDOWS\SYSTEM32\sdkyg.exe
C:\WINDOWS\SYSTEM32\sdkyp32.exe
C:\WINDOWS\SYSTEM32\sysbe32.exe
C:\WINDOWS\SYSTEM32\sysia.exe
C:\WINDOWS\SYSTEM32\syslu32.exe
C:\WINDOWS\SYSTEM32\sysod32.exe
C:\WINDOWS\SYSTEM32\windx.exe
C:\WINDOWS\SYSTEM32\winov.exe
C:\WINDOWS\SYSTEM32\winph.exe
C:\WINDOWS\winab32.exe
C:\WINDOWS\winag32.exe
C:\WINDOWS\winbn32.exe
C:\WINDOWS\winlb32.exe
C:\WINDOWS\winmt.exe
C:\WINDOWS\winng.exe
C:\WINDOWS\winpm.exe
C:\WINDOWS\winrj.exe
C:\WINDOWS\wintf.exe
C:\WINDOWS\winvz32.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Run AboutBuster and click the Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Run CWShredder. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Start HijackThis and go to Config > Misc Tools > Open ADS Spy
Checkmark/tick - "Ignore Safe System Info Streams"
Click the "Scan" button
When it has finished scanning, checkmark/tick all that it found
Click the "remove selected" button

Run Ewido:
* Click [Scanner]
* Click [Complete System Scan] to begin scanning.
* Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

Reboot into Normal Mode.

Run another online scan at Kaspersky and post the results here along with a new HijackThis log, the AB LogFile.txt and the results of the Ewido scan.
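The file names Ried asks to be pasted into KillBox all follow one naming scheme: a short prefix borrowed from legitimate Windows component names (api, app, atl, cr, d3, ie, ip, java, mfc, ms, net, nt, sdk, sys, win), two random lowercase letters, an optional "32", and ".exe", dropped directly into C:\WINDOWS or C:\WINDOWS\SYSTEM32. Below is an added triage script (not part of this thread or of any tool mentioned in it) that encodes that pattern as a detection heuristic over a directory listing and over HijackThis O4 autorun lines; the prefix list comes from the thread, while the allowlist of colliding legitimate names, the sample paths and the sample O4 line containing apiib.exe are constructed assumptions.

```python
"""Triage helper for the random-name dropper pattern seen in this thread.

Added example, not part of the original post. The prefix list is taken from
the file names posted for KillBox; the allowlist and samples are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Prefixes observed in the thread's file list; the variable part is two
# lowercase letters, an optional "32" and ".exe" (e.g. apiib.exe, ntwl32.exe).
PREFIXES = ("api", "app", "atl", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")
NAME_RE = re.compile(r"^(?:" + "|".join(PREFIXES) + r")[a-z]{2}(?:32)?\.exe$")

# The droppers in the thread sit directly in these two directories.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Legitimate XP binaries whose names collide with the pattern (assumption;
# build this from a clean reference install before trusting the heuristic).
KNOWN_GOOD = {"netsh.exe", "ntsd.exe"}

# Pulls the executable path out of a HijackThis O4 line, both the
# "[name] path args" registry form and the "x.lnk = path" startup-folder form.
O4_RE = re.compile(r'^O4 - [^:]+: (?:\[[^\]]*\] |[^=]+ = )"?(?P<path>.+?\.exe)',
                   re.IGNORECASE)


def is_suspect(path: str) -> bool:
    """True when the path matches the dropper naming pattern in a drop directory."""
    p = PureWindowsPath(path.strip())
    name = p.name.lower()
    parent = str(p.parent).lower()
    return (parent in DROP_DIRS
            and name not in KNOWN_GOOD
            and NAME_RE.match(name) is not None)


def triage_paths(paths):
    """Return the subset of paths that look like the thread's droppers."""
    return [p for p in paths if is_suspect(p)]


def suspect_run_entries(hjt_lines):
    """Return (line, path) for O4 autorun entries that launch a suspect file."""
    hits = []
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        if m and is_suspect(m.group("path")):
            hits.append((line.strip(), m.group("path")))
    return hits


# Constructed sample input: two names from the thread's list, some legitimate
# files that exercise the edge cases, and one file from the list that does not
# follow the pattern.
SAMPLE_PATHS = [
    r"C:\WINDOWS\apiib.exe",
    r"C:\WINDOWS\SYSTEM32\ntwg32.exe",
    r"C:\WINDOWS\SYSTEM32\netsh.exe",                     # legitimate, name collides
    r"C:\WINDOWS\winhlp32.exe",                           # legitimate, three letters
    r"C:\Program Files\Java\jre1.5.0_02\bin\javaws.exe",  # pattern, wrong directory
    r"C:\Documents and Settings\Kathleen\My Documents\CrazyCoins.exe",
]

# Constructed HijackThis lines; the [api] entry is hypothetical and is NOT in
# the log posted in this thread.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~3\navapw32.exe",
    r"O4 - HKLM\..\Run: [api] C:\WINDOWS\apiib.exe",
    r"O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE",
]

if __name__ == "__main__":
    for p in triage_paths(SAMPLE_PATHS):
        print("suspect file:", p)
    for line, p in suspect_run_entries(SAMPLE_HJT):
        print("suspect autorun:", line)
```

A match is a reason to upload the file to a scanner such as the Kaspersky or Panda ActiveScan services already used in this thread, not proof by itself; extend KNOWN_GOOD from a clean install of the same Windows version before running it over a whole system.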
 

Registered
11 Posts
Discussion Starter #15
Ried - Obviously this is going to take some time. I won't be able to start on this until tonight, and I'm not sure when I'll be finished. Some of those scans take hours to complete. Thanks for your continuing support, perseverance and understanding. I really appreciate you hanging in there with me!
 

TSF Security Manager, Emeritus
42,837 Posts
That's fine. Get to it as soon as you can, just keep any internet activity limited to this fix. We'll be here to see you through this. :wink:
 

Registered
11 Posts
Discussion Starter #17
I had some trouble with AboutBuster and KillBox.

When I tried to update AboutBuster I got a runtime error '5' - invalid procedure call or argument. I was then unable to run the program. I tried reloading a couple of times and was able eventually to run it, in normal mode, but I still couldn't update it.

I also couldn't run KillBox in safe mode, just in normal mode.

Also, the order in which I ran the programs may not have been as you instructed, because of the problems with AB and KillBox.

Anyway, here are the log files...


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, October 08, 2005 10:55:50
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/10/2005
Kaspersky Anti-Virus database records: 143704
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 165089
Number of viruses found: 1
Number of infected objects: 129
Number of suspicious objects: 0
Duration of the scan process: 9980 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181519.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181520.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181521.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181523.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181524.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181525.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181527.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181528.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181529.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181530.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181531.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181532.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181533.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181534.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181535.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181536.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181537.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181538.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181539.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181541.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181542.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181543.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181544.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181545.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181546.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181547.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181548.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181549.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181550.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181551.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181552.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181553.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181554.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181555.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181556.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181557.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181559.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181560.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181561.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181562.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181563.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181564.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181565.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181566.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181567.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181568.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181569.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181570.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181571.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181572.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181573.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181574.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181575.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181577.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181578.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181579.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181580.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181581.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181582.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181583.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181584.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181585.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181586.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181587.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181588.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181589.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181590.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181591.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181592.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181593.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181594.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181597.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181598.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181599.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181600.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181601.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181602.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181603.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181604.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181605.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181606.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181607.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181608.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181609.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181610.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181611.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181612.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181613.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181614.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181615.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181616.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181617.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181618.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181619.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181620.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181621.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181622.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181623.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181624.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181625.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181626.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181627.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181628.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181629.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181631.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181632.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181633.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181634.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181635.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181636.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181637.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181638.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181639.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181640.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181641.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181642.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181643.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181644.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181645.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181646.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181647.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181648.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181649.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181650.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181651.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181653.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181654.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181655.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181678.INI:wjkwaf:$DATA Infected: Trojan-Downloader.Win32.Agent.bq

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 11:01:03 PM, on 10/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~3\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - http://livesc03.rightnowtech.com/audible/audible/rnt/rnl/java/RntX.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



AboutBuster 5.0 reference file 30
Scan started on [10/7/2005] at [10:57:09 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\System32\kqtvc.dat
Removed File! : C:\Windows\System32\rrrgb.dat
Removed File! : C:\Windows\System32\vzmcr.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:57:33 PM



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:55:47 AM, 10/8/2005
+ Report-Checksum: 23AB856B

+ Scan result:

C:\Documents and Settings\Brian\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\[email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Kathleen\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0B.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181522.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181526.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181540.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181558.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181576.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181595.exe/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181595.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181595.exe/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181595.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181596.exe/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181596.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181596.exe/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181596.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181630.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181652.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup
C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup


::Report End
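The two scan reports above share one pattern worth noticing: almost every hit sits under C:\System Volume Information\_restore{...}\RP728, which is the System Restore cache, while only a few are on the live system (the in9bDs.dll bundle in System32 and some tracking cookies), and one restore-point copy hides in an NTFS alternate data stream (A0181678.INI:wjkwaf:$DATA). As an added example, not part of this thread or of any of the scanners' own output, here is a small Python triage helper that parses Kaspersky-style ("<path> Infected: <name>") and ewido-style ("<path> -> <name> : <action>") report lines and separates restore-point copies (which a System Restore flush disposes of) from live files that still need removing. The regex names, the Detection fields and the sample lines are my own constructions modelled on the formats shown above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical triage helper for the two report formats posted above (not a tool
# from the thread). Kaspersky prints "<path> Infected: <name>"; ewido prints
# "<path> -> <name> : <action>". Paths may carry two markers we care about:
#   - an NTFS alternate data stream,  "<file>:<stream>:$DATA"
#   - a component inside a bundle,    "<outer file>/<inner file>"  (ewido style)
KASPERSKY_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")
EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\s*$")
# System Restore cache: \System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(\d+)\\",
    re.IGNORECASE,
)
ADS_RE = re.compile(r":([^:\\/]+):\$DATA$")


@dataclass
class Detection:
    path: str
    name: str
    scanner: str
    action: Optional[str]
    restore_point: Optional[int]  # RP number when the copy lives in a restore point
    ads_stream: Optional[str]     # stream name when the hit is an alternate data stream
    container: Optional[str]      # outer file when the hit is a component inside it

    @property
    def live(self) -> bool:
        """True for files on the running system, False for System Restore copies."""
        return self.restore_point is None


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; return None for headers, blanks and other formats."""
    line = line.rstrip("\r\n")
    m = KASPERSKY_RE.match(line)
    if m:
        scanner, action = "kaspersky", None
    else:
        m = EWIDO_RE.match(line)
        if not m:
            return None
        scanner, action = "ewido", m.group("action")
    path, name = m.group("path"), m.group("name")
    rp = RESTORE_RE.search(path)
    ads = ADS_RE.search(path)
    # Windows paths never contain "/", so a slash marks "<container>/<inner component>".
    container = path.split("/", 1)[0] if "/" in path else None
    return Detection(
        path=path, name=name, scanner=scanner, action=action,
        restore_point=int(rp.group(1)) if rp else None,
        ads_stream=ads.group(1) if ads else None,
        container=container,
    )


def triage(lines: Iterable[str]) -> dict:
    """Split detections into restore-point copies and live files needing action."""
    hits = [d for d in map(parse_line, lines) if d is not None]
    live = [d for d in hits if d.live]
    # ewido lists every component of a bundle, sometimes twice; on disk that is one
    # file, so collapse on the outer file before reporting what still needs removing.
    live_files = sorted({d.container or d.path for d in live})
    return {
        "total": len(hits),
        "in_restore_points": len(hits) - len(live),
        "restore_points": sorted({d.restore_point for d in hits if not d.live}),
        "live_files": live_files,
        "ads": [d.path for d in hits if d.ads_stream],
        "families": sorted({d.name for d in hits}),
    }


# Constructed sample: lines in the shapes seen in the reports above (cookie name
# made up), plus two lines neither parser should accept.
SAMPLE_LOG = [
    r"C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181624.exe Infected: Trojan-Downloader.Win32.Agent.bq",
    r"C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181678.INI:wjkwaf:$DATA Infected: Trojan-Downloader.Win32.Agent.bq",
    "Scan process completed.",
    r"C:\Documents and Settings\Brian\Cookies\brian@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup",
    r"C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP728\A0181595.exe/bi.dll -> Trojan.Bispy.A : Cleaned with backup",
    r"C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup",
    r"C:\WINDOWS\SYSTEM32\in9bDs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup",
    r"C:\WINDOWS\SYSTEM32\in9bDs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup",
    r"Removed File! : C:\Windows\System32\kqtvc.dat",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['in_restore_points']} of {summary['total']} hits are System Restore "
          f"copies (RP {summary['restore_points']}); flushing restore points removes them.")
    for f in summary["live_files"]:
        print("still on the live system:", f)
    for p in summary["ads"]:
        print("alternate data stream, invisible in Explorer:", p)
```

Run against a real report, the "live_files" list is what you act on and the "restore_points" list is why the later advice to turn System Restore off and back on matters: a cleaner that only touches the live copy leaves an identical, runnable copy one System Restore rollback away. The "ads" list is worth a separate look because an alternate data stream does not show up in Explorer or in a plain dir listing.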
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Your logs appear clean. How are things running now? Are you still getting this message:
Also, a dos window now opens up after logging in to the XP desktop and appears to do nothing other than suspend the loading of the desktop. At the top of the window the path is ...ppclean.exe.
If so, do you have PestPatrol installed on this PC?
 

·
Registered
Joined
·
11 Posts
Discussion Starter #19
We've been limiting our use of this PC to Yahoo mail, but so far no new problems.

As for PestPatrol being loaded on this PC - I've never heard of it and I don't see it in the "Add or Remove Programs" list. Is it something we should have loaded?

Thanks for remembering this from my first post.
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
No, it's not necessary to have Pest Patrol on your system. I was asking because that file, ppclean.exe, is normally associated with that program but can also be associated with Yahoo.

Do you still get that error message? :smile: If not, you should be good to go after completing these final instructions:

Reset hidden/system files and folders

Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Create a new System Restore point

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from any previous restore points.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? http://forums.net-integration.net/index.php?showtopic=3051

THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent

MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html

Be very wary of any security software that is advertised in popups or in other ways. Such programs are not only usually of no use, but often have malware in them.

Microsoft Windows Update
Visit windowsupdate.com http://www.windowsupdate.com/ regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Firefox www.mozilla.org/products/firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java http://java.com/en/index.jsp - It's much more secure than Microsoft's Java Virtual Machine.
 