
Registered
Discussion Starter #1
I have lurked here for months and enjoy and admire people's help here; now I need and ask for help (HJT log below). I have tried EVERYTHING for weeks to remove it, no luck. I'm 99% sure this very virus/spyware destroyed my boot sector 2 months ago; I had the exact same problem. Comcast 6mb speeds are being affected. Below are the suspicious screenshots that pop up. I don't use Windows Firewall, I use ZoneAlarm and only allow Mozilla outside access.

I've used everything below, with current, up to date definitions in all software. I have also performed all the actions in safe mode as well but with no luck, it just keeps coming back.

Windows Washer (latest) cleaning on a regular basis.
ZoneAlarm running
Symantec Antivirus Corp. (up to date defs, scans every night)
Giant Antivirus (up to date, scans every night)
Spybot (finds 34 entries, once removed, they come back an hour later)
Ad-Aware

Suspicious screenshots:
---




HJT log:
---

Logfile of HijackThis v1.99.1
Scan saved at 9:02:10 AM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\WINDOWS\system32\ntyq.exe ?
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\sdkwj32.exe ?
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\cba\pds.exe ?
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\system32\cba\xfr.exe ?
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\ARUBA\LOCALS~1\Temp\nss107.tmp\DivXComponentInstaller.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\WinAVIVideoConverter\WinAVI.exe
C:\WINDOWS\System32\divxsm.exe
C:\Documents and Settings\ARUBA\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\scpwl.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\scpwl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {48DE1A42-3EF5-DB06-87B8-045BD9160320} - C:\WINDOWS\system32\d3yr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [ntvg32.exe] C:\WINDOWS\ntvg32.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O4 - HKLM\..\Run: [ntyq.exe] C:\WINDOWS\system32\ntyq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119640689375
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe
 

TSF Security Team, Emeritus
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp!.exe - Install

About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\scpwl.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\scpwl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nqzto.dll/sp.html#14044

(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {48DE1A42-3EF5-DB06-87B8-045BD9160320} - C:\WINDOWS\system32\d3yr32.dll
O4 - HKLM\..\Run: [ntvg32.exe] C:\WINDOWS\ntvg32.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O4 - HKLM\..\Run: [ntyq.exe] C:\WINDOWS\system32\ntyq.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - "Ignore Safe System Info Streams"
  2. Click the "Scan" button
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click the "remove selected" button


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
  4. About Buster
  5. Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 
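The two patterns the fix list above turns on, the res://C:\WINDOWS\<random>.dll/sp.html search hijack and loader executables started straight from the Windows directory, can be pulled out of a posted HijackThis log mechanically, and Ewido's file:stream hits can be grouped by host file to show which legitimate files carry alternate data streams. The script below is an added example, not code from the thread, HijackThis or Ewido; the sample report lines are copied from the logs in this thread, and the function names are my own.

```python
"""Triage the CoolWebSearch-style hijack from this thread's HijackThis/Ewido reports.

Added example, not code from the thread, HijackThis or Ewido. Input is the
plain-text report as posted. It flags R0/R1 entries whose value is
res://C:\\WINDOWS\\<random>.dll/sp.html and O4 Run entries that launch an .exe
straight out of C:\\WINDOWS or system32, and groups Ewido's "<file>:<stream>"
hits by host file so alternate data streams on legitimate files stand out.
"""
import re
from collections import defaultdict

# The helper's rule "res://C:\WINDOWS\****.dll/sp.htm", with the DLL name captured.
CWS_RES = re.compile(r"res://C:\\WINDOWS\\([^\\/]+\.dll)/sp\.html?", re.IGNORECASE)
HJT_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 - HKLM\..\Run: [name] target   (target may be quoted and followed by arguments)
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Once)?: \[(.*?)\] (.*)$")
WINDIR_EXE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\[^\\]+\.exe$", re.IGNORECASE)
# Ewido report line:  <object> -> <detection> : <action>
EWIDO_HIT = re.compile(r"^(?P<obj>.+?) -> (?P<det>\S+) : (?P<action>.+)$")
# <drive>:\<host file path>:<stream name>   (stream names carry no '\' or ':')
ADS_OBJ = re.compile(r"^(?P<host>[A-Za-z]:\\.+?):(?P<stream>[^\\:]+)$")

def hjt_entries(log_text):
    """Yield (section, rest) for every HJT result line, e.g. ('R1', 'HKCU\\...')."""
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def find_cws_hijacks(log_text):
    """R0/R1 lines that point IE's search settings at res://C:\\WINDOWS\\<x>.dll/sp.html."""
    return [f"{sec} - {rest}" for sec, rest in hjt_entries(log_text)
            if sec in ("R0", "R1") and CWS_RES.search(rest)]

def cws_dll_names(log_text):
    """Distinct hijacker DLL names; feed several logs to watch them change per reboot."""
    return sorted({m.group(1).lower() for m in CWS_RES.finditer(log_text)})

def _run_target(value):
    """Strip surrounding quotes and trailing arguments from an O4 Run value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value  # unquoted HJT paths may contain spaces; keep them whole

def suspicious_run_entries(log_text):
    """(name, target) for O4 Run entries launching an .exe from C:\\WINDOWS or system32.

    The loaders in this thread (ntvg32.exe, apptn.exe, ntyq.exe, netkm32.exe) all sit
    there, but so does Nero's NeroCheck.exe, which the helper left alone: this is a
    review queue, not a verdict."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m and WINDIR_EXE.match(_run_target(m.group(2))):
            hits.append((m.group(1), _run_target(m.group(2))))
    return hits

def ads_hosts(ewido_text):
    """Map host file -> [(stream, detection)] for Ewido hits inside alternate data streams."""
    hosts = defaultdict(list)
    for line in ewido_text.splitlines():
        m = EWIDO_HIT.match(line.strip())
        a = ADS_OBJ.match(m.group("obj")) if m else None
        if a:
            hosts[a.group("host")].append((a.group("stream"), m.group("det")))
    return dict(hosts)

# Constructed samples, copied from the reports posted in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\scpwl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nqzto.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nqzto.dll/sp.html#14044
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ntvg32.exe] C:\WINDOWS\ntvg32.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""
SAMPLE_EWIDO = r"""
HKLM\SOFTWARE\Classes\CLSID\{EFC71F6E-8006-6787-AAD0-B50964B31181} -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\AC3API.INI:yeeen -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netkm32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:aehyql -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:vmpqq -> TrojanDownloader.Agent.bc : Cleaned with backup
:mozilla.21:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
"""

if __name__ == "__main__":
    print("hijacker DLLs:", cws_dll_names(SAMPLE_HJT))
    print("Run entries to review:", suspicious_run_entries(SAMPLE_HJT))
    print("ADS hosts:", ads_hosts(SAMPLE_EWIDO))
```

Run it over the three HJT logs in this thread concatenated and cws_dll_names returns scpwl.dll, nqzto.dll and ntkbo.dll, which is the "changes every reboot" behaviour the helpers describe.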

Registered
Discussion Starter #3
THANK YOU so much. Gonna print that out and have a go right now.
It's nasty, I just deleted this stuff, it came back within 45 minutes!
I will be all over this thread, thanks a ton!
Spybot:
 

Registered
Discussion Starter #4
sUBs
Update. While you must have been replying, I re-ran Spybot/Ad-Aware, and my HJT had changed since then. I realised that when I got into safe mode in your steps and didn't see the exact match on the R1 lines, so I stopped instead of assuming. I've printed your instructions out, d/l - installed as the instructions say and am ready to go. New HJT log (which I ran after booting back out of safe mode):

Logfile of HijackThis v1.99.1
Scan saved at 2:42:57 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\netkm32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Documents and Settings\ARUBA\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntkbo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntkbo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ntkbo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntkbo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntkbo.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ntkbo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {48DE1A42-3EF5-DB06-87B8-045BD9160320} - C:\WINDOWS\system32\d3yr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [ntvg32.exe] C:\WINDOWS\ntvg32.exe
O4 - HKLM\..\Run: [apptn.exe] C:\WINDOWS\system32\apptn.exe
O4 - HKLM\..\Run: [ntyq.exe] C:\WINDOWS\system32\ntyq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [netkm32.exe] C:\WINDOWS\netkm32.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119640689375
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
 

TSF Security Manager, Emeritus
Hello ChampCar,

The file name in those R0 and R1 entries will change every time you reboot.

Add this instruction to the list just after you download and install Ewido--(don't run it yet) and reboot into Safe Mode.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one if they are still listed (they shouldn't be - but double check it):(You must kill them one at a time).

C:\WINDOWS\netkm32.exe

Continue with the rest of the instructions in the same order as given:
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)
and Add this line to your HJT fixes:

O4 - HKLM\..\Run: [netkm32.exe] C:\WINDOWS\netkm32.exe

Then proceed with the remaining instructions by sUBs
 

Registered
Discussion Starter #6
Wow. How in the hell am I so infected?! I religiously have Ad-Aware, Norton, Spybot and Giant updated every day and scan every night around 3:00am, AND have Norton Corp. running in the background, auto updated, that scans every night!

Well, I'm still running the online Panda currently. As of now, it sees two spyware, 1 suspicious. I'll post that log. Meanwhile, here's HJT first, Ewido! second (I'll need to explain something that happened). In the instructions, I failed to UNCHECK in the program CleanUp! "Scan local drives for temporary files". Well, it started and I saw important files being deleted (windows temps etc), it got to 800 and I hit stop. DAMN. Everything looks OK on the reboot, except my windows toolbars are all plain, and looking in appearances, it looks like the chromey options are deleted (changing the look of the start bar).

HJT just done:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:35 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ahead\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ARUBA\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: gameutil.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119640689375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched

Ewido! (F: DISK IS MY OLD SLAVE DRIVE, THAT WAS A PRIMARY!)

+ Created on: 5:32:59 PM, 8/24/2005
+ Report-Checksum: 8F7B6FCF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EFC71F6E-8006-6787-AAD0-B50964B31181} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\ARUBA\Desktop\hijackthis\backups\backup-20050824-150323-899.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\34B5DD0F-A3BE-4434-8085-3F4FE6\764C93ED-0C22-45E2-85E7-6F9667 -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C573DBEE-71E0-49A4-ADA2-FB5E38\5888CBA5-0917-4168-88A1-5150A3 -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\AC3API.INI:yeeen -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netkm32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:aehyql -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:vmpqq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\River Sumida.bmp:fnsim -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:yqqbk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\setupapi.log:ntcck -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\setuplog.txt:jjbtg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setuplog.txt:sjhtnf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Soap Bubbles.bmp:gtvpel -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32:eek:oaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\tabletoc.log:rtxdyu -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tabletoc.log:yufvgw -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\vbaddin.ini:lvydph -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\VPC32.INI:jupqse -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wiaservc.log:dwiijj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wiaservc.log:ngzyr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\wmsetup.log:yhcrn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:hzhdm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:lbqbu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:lcdbk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:sllug -> TrojanDownloader.Agent.bq : Cleaned with backup
:mozilla.21:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.22:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.38:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.40:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.41:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.52:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.53:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.54:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.55:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.57:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.58:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.77:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.81:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.83:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.84:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.85:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.92:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.93:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.114:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.124:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.125:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.126:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.127:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.128:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.137:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.138:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.139:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.140:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.141:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.145:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.146:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.147:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.148:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.153:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.154:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.155:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.156:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.158:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.172:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.173:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.174:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.175:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.176:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.182:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.184:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.185:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.186:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.191:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.192:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.207:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.208:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.215:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.216:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.217:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.218:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.219:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.220:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.221:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.222:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.241:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.242:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.243:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.244:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.255:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.256:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.259:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.272:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.273:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.279:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.284:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.298:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.299:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.301:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.315:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.316:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.317:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.318:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.327:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.328:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.329:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.336:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.337:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.353:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.359:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.365:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.366:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.367:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.368:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.377:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.387:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.402:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.407:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.408:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.409:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.418:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.419:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.420:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.425:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.426:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.430:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.434:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.437:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.438:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.443:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.445:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.449:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.451:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\GUMPY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-50acf5a2-46e65d98.class -> Trojan.Java.Femad : Cleaned with backup
F:\found.000\file0000.chk:apkcvy -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\found.000\file0000.chk:cgfouw -> Trojan.Agent.bi : Cleaned with backup
F:\found.000\file0000.chk:hwsxb -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\found.000\file0000.chk:hxehql -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\found.000\file0000.chk:kgmjs -> TrojanDropper.Small.tn : Cleaned with backup
F:\found.000\file0000.chk:kgmjsu -> TrojanDropper.Small.tn : Cleaned with backup
F:\found.000\file0000.chk:npbhx -> TrojanDownloader.Agent.ap : Cleaned with backup
F:\found.000\file0000.chk:xqtbqs -> TrojanDropper.Small.tn : Cleaned with backup
F:\ntdetect.hta -> TrojanDropper.Inor.cj : Cleaned with backup
F:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\E65E4E81-6700-4C70-A16D-AC29AA\DDF1AC98-383D-49EC-A3CE-2BC180 -> TrojanDropper.Small.tn : Cleaned with backup
F:\Program Files\themexp\Themexp.org File\NNEZTA388.exe -> Spyware.NewDotNet : Cleaned with backup
F:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe -> Spyware.Quick : Cleaned with backup
F:\WINDOWS\AC3API.INI:hpytjl -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\apicr.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\apinc32.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\ARPR.INI:izoyq -> Spyware.Ipyn : Cleaned with backup
F:\WINDOWS\ARPR.INI:lqmbyw -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\comsetup.log:fugkd -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\eReg.dat:qcefho -> Spyware.SearchPage : Cleaned with backup
F:\WINDOWS\HKEY_LOCAL_MACHINE:xvxvz -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\iis6.log:krjxhp -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\imsins.BAK:urcdbs -> Spyware.Ipyn : Cleaned with backup
F:\WINDOWS\IYFFireworks-Prefs.ini:rtrar -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\KB824105.log:bujfte -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\KB825119.log:uuuloh -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\KB837001.log:ivbtok -> Spyware.SearchPage : Cleaned with backup
F:\WINDOWS\n_kayepi.log -> TrojanDownloader.Agent.bq : Cleaned with backup
F:\WINDOWS\n_tuybuo.dat -> TrojanDownloader.Agent.bq : Cleaned with backup
F:\WINDOWS\n_uqnjzo.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
F:\WINDOWS\n_vbsvlk.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
F:\WINDOWS\n_vfnqkw.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\WINDOWS\REGLOCS.OLD:xciyvz -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\setuplog.txt:zxrqo -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\WINDOWS\sysmp.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\system.ini:nbyybo -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\system32:hcaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
F:\WINDOWS\system32\addzh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\WINDOWS\system32\apiqp.dll -> Trojan.Feat : Cleaned with backup
F:\WINDOWS\system32\ipda.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\WINDOWS\system32\ntdd32.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\system32\PreInstaller_p1.exe -> TrojanDownloader.Keenval.o : Cleaned with backup
F:\WINDOWS\system32\r0ll3rgrrl.exe -> Spyware.F1Organizer : Cleaned with backup
F:\WINDOWS\Thumbs.db:fujmvr -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\trace.txt:gdknq -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\WINDOWS\win.ini:lyeemk -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\WORDPAD.INI:jvalub -> TrojanDropper.Small.tn : Cleaned with backup


::Report End
 

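Several of the ewido entries above are of the form `file:stream` (for example `F:\WINDOWS\win.ini:lyeemk` and `F:\WINDOWS\system32:hcaa.dll`): the payload lives in an NTFS alternate data stream attached to a legitimate file or directory, which is why ordinary file listings never show it and why "cleaning" the stream leaves the host in place. As an added example (not part of this thread, and not ewido's own code), here is a small Python triage script for reports in this "location -> detection : action" format; it separates tracking-cookie noise from payloads, recognises alternate data streams and lists their host files for re-checking. The sample report embedded in it is constructed in the style of the lines above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the "location -> detection : action" line format used
# by the ewido report (a few lines in its style, not the full report).
# Entries of the form file:stream are NTFS alternate data streams: the
# payload is hidden on an otherwise legitimate host file or directory.
SAMPLE_REPORT = r"""
:mozilla.52:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.112:F:\Documents and Settings\GUMPY\Application Data\Mozilla\Firefox\Profiles\j9n8wbp1.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
F:\found.000\file0000.chk:apkcvy -> TrojanDownloader.Agent.bc : Cleaned with backup
F:\ntdetect.hta -> TrojanDropper.Inor.cj : Cleaned with backup
F:\WINDOWS\win.ini:lyeemk -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\system.ini:nbyybo -> TrojanDropper.Small.tn : Cleaned with backup
F:\WINDOWS\system32:hcaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
F:\WINDOWS\system32\ntdd32.exe -> Trojan.Agent.bi : Cleaned with backup

::Report End
"""

COOKIE_RE = re.compile(r"^:mozilla\.(\d+):(.+)$")   # one record inside Firefox cookies.txt
DRIVE_RE = re.compile(r"^([A-Za-z]:)(\\.*)$")        # X:\rest-of-path


@dataclass
class Finding:
    location: str
    detection: str
    action: str
    kind: str                      # "cookie", "ads" or "file"
    host: str                      # file (or directory) that carried the item
    stream: Optional[str] = None   # alternate data stream name when kind == "ads"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None for blanks and the ::Report End marker."""
    line = line.strip()
    if not line or line.startswith("::") or " -> " not in line:
        return None
    location, rhs = line.split(" -> ", 1)
    detection, _, action = rhs.rpartition(" : ")
    if not detection:                      # no " : action" part at all
        detection, action = rhs, ""

    m = COOKIE_RE.match(location)
    if m:
        # A single tracking cookie inside cookies.txt: noise, not a payload.
        return Finding(location, detection, action, "cookie", m.group(2))

    m = DRIVE_RE.match(location)
    if m:
        drive, rest = m.groups()
        # Any colon left after the drive letter separates host from stream.
        # The host may be a directory (system32:hcaa.dll); NTFS allows that too.
        if ":" in rest:
            host, stream = rest.rsplit(":", 1)
            return Finding(location, detection, action, "ads", drive + host, stream)
        return Finding(location, detection, action, "file", location)

    return Finding(location, detection, action, "file", location)


def parse_report(text: str) -> list:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def triage(findings: list) -> dict:
    """Separate cookie noise from payloads and list the ADS host files."""
    payloads = [f for f in findings if f.kind != "cookie"]
    return {
        "cookies": sum(1 for f in findings if f.kind == "cookie"),
        "files": sum(1 for f in payloads if f.kind == "file"),
        "ads": sum(1 for f in payloads if f.kind == "ads"),
        # A "cleaned" stream leaves its host file in place, so these hosts are
        # where a recurrence (a new stream name) would show up first.
        "ads_hosts": sorted({f.host for f in payloads if f.kind == "ads"}),
        "families": Counter(f.detection for f in payloads),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"{summary['cookies']} cookie hits (noise), {summary['files']} files, "
          f"{summary['ads']} alternate data streams")
    for host in summary["ads_hosts"]:
        print("ADS host to re-check:", host)
    for family, n in summary["families"].most_common():
        print(f"{n:3d}  {family}")
```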
·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
We can take care of the XP theme when we're done here. :smile:

Do you have the logs from these? We need to see them.

Panda ActiveScan
Antispyware.log
About Buster
 

·
Registered
Joined
·
13 Posts
Discussion Starter #8
Ried said:
We can take care of the XP theme when we're done here. :smile:

Do you have the logs from these? We need to see them.

Panda ActiveScan
Antispyware.log
About Buster
Right, sorry about the theme - *** was I thinking? There's obviously more important stuff here :)

OK, AboutBusters log:
AboutBuster 5.0 reference file 31
Scan started on [8/24/2005] at [3:21:04 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:rwcdjr
Removed Stream! C:\WINDOWS\CoDUO.INI:ueyzct
Removed Stream! C:\WINDOWS\DtcInstall.log:fyjkyo
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:xzupsq
Removed Stream! C:\WINDOWS\regopt.log:tfaesn
Removed Stream! C:\WINDOWS\winnt256.bmp:amqcau
Removed Stream! C:\WINDOWS\winnt256.bmp:oxtbfe
Removed Stream! C:\WINDOWS\Zapotec.bmp:zzxlcr
------------------------------------------------
Removed File! : C:\Windows\System32\zcavh.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:21:39 PM
 

·
Registered
Joined
·
13 Posts
Discussion Starter #9
Dangit!!

Symantec AntiVirus Corp. just went off :sad:
It says quarantined but this keeps coming back and back....
I appreciate all you guys' help on this. I think we're making great progress!
----------------

Scan type: Scheduled Scan
Event: Virus Found!
Virus name: Trojan.ByteVerify
File: C:\Documents and Settings\ARUBA\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-10110d10.zip>>javainstaller/InstallerApplet.class
Location: Quarantine
Computer: ARUBA-6OBSIDCHN
User: ARUBA
Action taken: Quarantine succeeded :
Date found: Thursday, August 25, 2005 4:16:14 AM
 

·
Registered
Joined
·
13 Posts
Discussion Starter #10
Info about the java virus Symantec found above......
===========

C:\Documents and Settings\ARUBA\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
Action taken: Quarantined
Status: Still contains 1 infected item


C:\Documents and Settings\ARUBA\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-10110d10.zip
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Not to worry, we're almost there. :smile:

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

I really need to see the results of the Panda ActiveScan. Please post that here along with another HijackThis scan since there have been a couple reboots since the last one you sent.
 

·
Registered
Joined
·
13 Posts
Discussion Starter #12 (Edited)
Allrighty :cool:
Oddly, Panda gets halfway through and closes down; it's done it twice. I've seen 'one' under spyware and one 'possible' before it closes itself - won't complete the scan.
No 'cache' under the Java console. I assume it's the temp files button? Cleared them, no applets now in cache-

HJT from a few seconds ago- (R1?)

Logfile of HijackThis v1.99.1
Scan saved at 11:59:31 AM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ARUBA\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank ?
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: gameutil.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119640689375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Try having Panda scan individual drives/folders instead of the whole of My Computer.

When asked to select a device to scan, choose "other media".
 

·
Registered
Joined
·
13 Posts
Discussion Starter #14
Panda:


Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\ARUBA\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-4f513f76.zip[InstallerApplet.class]
----------

Now, I looked into this earlier this morning. Symantec says to get rid of the above: turn off auto updates, update defs, reboot into safe mode, do a full scan, and when found - DELETE.

Well, Symantec didn't find it in safe mode. Now, my Java in My Computer doesn't have a cache tab/button. But General / Settings has a 'view applets', so I hit the delete in it (temporary files). Looked at the applets, empty. I did this before Panda.

HMMMM
 

·
Registered
Joined
·
6,574 Posts
Follow the instructions outlined here to clear Sun Java's cache.


Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.
 

Registered · 13 Posts · Discussion Starter #17
^Thank you.
Couple of points quickly:

1. The Java zip/virus I listed above was gone this morning (looking in the applet cache) because Symantec does a nightly scan, saw it, and quarantined it. However, it will come back soon.

2. I think the reason this keeps coming back is tied to IE. I've been using Mozilla for months; however, like the Panda scan, Panda needs to open in IE and voilà, it seems to come back after opening IE.

3. Cleared the Java cache/temp as instructed above (even though it was absent now after Symantec's removal).

The log from Trend: (strange, strange.... Symantec, Panda, Spybot, Giant and Ad-Aware didn't catch a critical .exe?)

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Found 'WiseUpdt.exe' in 'C:\Program Files\AnswersThatWork\Troubleshooter'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\AnswersThatWork\Troubleshooter\WiseUpdt.exe' in shortcut areas.
Checking for 'C:\Program Files\AnswersThatWork\Troubleshooter\WiseUpdt.exe' in startup areas.
Cleaning 'C:\Program Files\AnswersThatWork\Troubleshooter\WiseUpdt.exe'
Finished Cleaning
 

Registered · 6,574 Posts
It appears - Your system is CLEAN. Perhaps following the suggestions below will help.

Please follow these simple steps in order to keep your computer clean and secure:
  1. Create a new System Restore point
    • click Start >> Run - type SYSDM.CPL & press Enter
    • select the System Restore Tab
    • tick on the checkbox - "Turn off System Restore on all drives"
    • click Apply
    • then untick the same checkbox & click OK

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety

  • IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

  • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
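The following is an added example, not code from this thread or from any of the products it names. It is a PowerShell audit of two of the steps in the post above: it reads the Internet Explorer "Internet" zone Custom Level settings from the per-user registry and compares them with the values the post recommends, and it parses the HOSTS file to show which names are sinkholed to loopback the way an MVPS-style HOSTS file does. It assumes zone 3 under HKCU\...\Internet Settings\Zones is the Internet zone and that the numeric value names are IE's zone action IDs stored as 0 = Enable, 1 = Prompt, 3 = Disable; the sample HOSTS lines at the bottom are constructed for the example and are not from the original post.

```powershell
# Added example (not from the thread or from any tool named in it).
# 1. Audit the IE "Internet" zone Custom Level settings recommended in the post.
# 2. Parse a HOSTS file and show which names are sinkholed to loopback.
# Assumption: zone 3 is the Internet zone and the value names are IE's zone
# action IDs (0 = Enable, 1 = Prompt, 3 = Disable).

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> setting name and the value the post recommends.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEInternetZone {
    param([string]$Path = $ZonePath)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Zone key not found: $Path"
        return
    }
    $props = Get-ItemProperty -Path $Path
    foreach ($id in $Recommended.Keys) {
        $prop   = $props.PSObject.Properties[$id]
        # $null means the value is not set, so IE's built-in default for the zone applies.
        $actual = if ($prop) { [int]$prop.Value } else { $null }
        $label  = if ($null -ne $actual) { $Labels[$actual] } else { 'not set (zone default)' }
        if (-not $label) { $label = "value $actual" }   # an ID we do not label
        [pscustomobject]@{
            Id          = $id
            Setting     = $Recommended[$id].Name
            Actual      = $label
            Recommended = $Labels[$Recommended[$id].Want]
            Compliant   = ($actual -eq $Recommended[$id].Want)
        }
    }
}

function Get-HostsEntries {
    param(
        # Defaults to the live HOSTS file; pass -Lines to check other content.
        [string[]]$Lines = (Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts")
    )
    $loopback = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()     # drop comments and blank lines
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # an address with no name is not an entry
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                HostName  = $name
                Address   = $address
                Sinkholed = ($loopback -contains $address)
            }
        }
    }
}

# Constructed sample (not a real HOSTS file) to exercise the parser offline.
$sample = @(
    '# constructed example',
    '127.0.0.1   localhost',
    '127.0.0.1   ads.example.invalid   # MVPS-style block entry',
    '0.0.0.0     tracker.example.invalid',
    '203.0.113.5 update.example.invalid  # mapped away from loopback: worth a look'
)
$entries = Get-HostsEntries -Lines $sample
$entries | Format-Table -AutoSize
# Anything mapped somewhere other than loopback is not a block entry; list it for review.
$entries | Where-Object { -not $_.Sinkholed -and $_.HostName -ne 'localhost' }

# On the machine being checked, run against the live registry and HOSTS file:
Test-IEInternetZone | Format-Table -AutoSize
Get-HostsEntries | Where-Object { -not $_.Sinkholed -and $_.HostName -ne 'localhost' }
```

The zone audit reads the current user's settings, which is what the Custom Level dialog in the post changes. If the machine has `Security_HKLM_only` set under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the HKLM copy of the zone key is the one in force and the same function can be pointed at it with `-Path`.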
 

Registered · 13 Posts · Discussion Starter #19
POADB and all-

Thank you very, very much for the detailed instructions!! I've been away so I apologise. The PC appears clean and very stable now, most appreciated! I've been using for months ZoneAlarm Pro / Mozilla / Symantec Corp (updates, scheduled cleans) / Windows Washer (Webroot) 6.0 and regular AdAware, Spybot S&D runs.

Latest scans resulted in no returns - of ANYTHING!


Last but not least, can I get some help on what CleanUp4.0 deleted and how it affected XP SP1?

Gracias!
 

Registered · 6,574 Posts
ChampCar said:
POADB and all-

Thank you very, very much for the detailed instructions!! I've been away so I apologise. The PC appears clean and very stable now, most appreciated! I've been using for months ZoneAlarm Pro / Mozilla / Symantec Corp (updates, scheduled cleans) / Windows Washer (Webroot) 6.0 and regular AdAware, Spybot S&D runs.

Latest scans resulted in no returns - of ANYTHING!


Last but not least, can I get some help on what CleanUp4.0 deleted and how it affected XP SP1?

Gracias!
That's good news.

About CleanUp!.. Have you had a problem with it? Can you be more specific... Especially if it's affected your desktop settings..?

CleanUp!, basically scans the computer and clears any temporary directory. This includes your Temporary Internet files, recycle bin, history, cookies etc..

If you do not uncheck 'Scan for tmp files' cleanup will also search out and delete .tmp files and the like. This can often result in deleting the Luna theme which changes the way your desktop looks.

If this is the case - please let us know and we'll get luna back in place for you.
 