Status: Not open for further replies.
1 - 8 of 8 Posts
Discussion Starter #1
Well here it is in all its wonderful glory!
My log; I used HijackThis Analyzer.

Thank you so much for the help!
You guys are awesome!!!!


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:34:12 PM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\djpuru.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\r?gsvr32.exe
C:\Program Files\nalr\olnt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-494E-91DC-15EDC921E65B} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: mtsBar BHO - {094176F1-BF35-4bcb-B68A-108DFB8C3825} - C:\Program Files\MyTotalSearch\bar\1.bin\MTSBAR.DLL
O2 - BHO: (no name) - {2EA61288-A46E-88BB-4241-DC38714A9198} - C:\WINDOWS\system32\zma.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {094176F9-BF35-4bcb-B68A-108DFB8C3825} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\system32\Zubxk.exe
O4 - HKLM\..\Run: [hhfnMaX.exe] C:\windows\hhfnMaX.exe
O4 - HKLM\..\Run: [EOrBts1D.exe] C:\documents and settings\steve\local settings\temp\EOrBts1D.exe
O4 - HKLM\..\Run: [K.exe] C:\windows\system32\K.exe
O4 - HKLM\..\Run: [ndmQz.exe] c:\windows\system32\ndmQz.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [xfmhod] C:\WINDOWS\system32\djpuru.exe r
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\system32\r?gsvr32.exe
O4 - HKCU\..\Run: [Woao] C:\Program Files\nalr\olnt.exe
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=VSzeb00546US
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.1.1.29/holdem/holdem-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c10.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094313646875
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC559B4-65D0-4D8C-A2C1-762F147F8D1B}: NameServer = 207.173.225.3,216.67.192.3
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


End of KRC HijackThis Analyzer Log.
=====================================================
 

TSF Security Team, Emeritus
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.



Download Lavasoft's Ad-Aware & its recently updated plug-in - VX2 Cleaner

Install both using the default options & then update Ad-Aware with the latest definitions.
Click on Add-ons in the lefthand column & select - VX2 Cleaner V2.0
Click Run Tool >> "OK"
If something is found, click "Clean" as in the directions given.
Click "Close", and exit Ad-Aware.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\Nail.exe
    C:\WINDOWS\dsr.dll
    C:\WINDOWS\system32\zma.dll
    C:\WINDOWS\system32\Zubxk.exe
    C:\windows\hhfnMaX.exe
    C:\windows\system32\K.exe
    c:\windows\system32\ndmQz.exe
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\system32\r?gsvr32.exe
    C:\WINDOWS\svcproc.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually .
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • ProSite Finder
    My Total Search
    ViewPoint

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-494E-91DC-15EDC921E65B} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: mtsBar BHO - {094176F1-BF35-4bcb-B68A-108DFB8C3825} - C:\Program Files\MyTotalSearch\bar\1.bin\MTSBAR.DLL
O2 - BHO: (no name) - {2EA61288-A46E-88BB-4241-DC38714A9198} - C:\WINDOWS\system32\zma.dll (file missing)
O3 - Toolbar: (no name) - {094176F9-BF35-4bcb-B68A-108DFB8C3825} - (no file)
O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\system32\Zubxk.exe
O4 - HKLM\..\Run: [hhfnMaX.exe] C:\windows\hhfnMaX.exe
O4 - HKLM\..\Run: [EOrBts1D.exe] C:\documents and settings\steve\local settings\temp\EOrBts1D.exe
O4 - HKLM\..\Run: [K.exe] C:\windows\system32\K.exe
O4 - HKLM\..\Run: [ndmQz.exe] c:\windows\system32\ndmQz.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [xfmhod] C:\WINDOWS\system32\djpuru.exe r
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\system32\r?gsvr32.exe
O4 - HKCU\..\Run: [Woao] C:\Program Files\nalr\olnt.exe
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menuse...?p=VSzeb00546US
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W.../bridge-c10.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\nalr\
    C:\Program Files\ProSiteFinder\
    C:\Program Files\MyTotalSearch\bar\
    C:\Program Files\Viewpoint\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch Ad-Aware & click on the Start button
Select "Perform smart system scan" and click Next.
Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK".


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


As you reboot, Ad-Aware will start up
Click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
  • TrendMicro AntiSpyware log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
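For a reader who wants to see how the entries singled out above can be triaged mechanically, here is an added Python example that is not part of this thread, of HijackThis or of the KRC analyzer. It parses the F2, O4 and O23 lines of a v1.99-style log and applies a few defender heuristics: a Shell= value with anything chained after Explorer.exe, Run entries launched from a temp folder, executable names that only match a Windows binary once the '?' HijackThis shows in place of a character it could not render is treated as a wildcard, and services with no vendor name. The allowlist of binary names and every rule are assumptions made for this example, not HijackThis features.

```python
"""Triage of a HijackThis v1.99-style log (added example, not from the thread).

Parses the F2 (system.ini Shell=), O4 (Run keys) and O23 (services) sections
and applies a few heuristics that reproduce what the helper above picked out
by hand. Every rule and the allowlist below are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: lines copied from the log posted above, plus one
# benign Symantec Run entry and one benign Symantec service for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EOrBts1D.exe] C:\documents and settings\steve\local settings\temp\EOrBts1D.exe
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\system32\r?gsvr32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Assumption: a short allowlist of Windows binaries whose names get imitated;
# in practice this would be the real system32 inventory of the machine.
KNOWN_SYSTEM_BINARIES = {"regsvr32.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code: F2, O4 or O23
    line: str      # the raw log line
    reason: str    # why it was flagged


def is_lookalike(basename: str) -> bool:
    """True when the name is not a known binary but would be if each character
    HijackThis could not render ('?' or non-ASCII) were a wildcard.
    'r?gsvr32.exe' becomes the pattern 'r.gsvr32\\.exe', which matches regsvr32.exe."""
    low = basename.lower()
    if low in KNOWN_SYSTEM_BINARIES:
        return False
    pattern = "".join("." if (c == "?" or ord(c) > 127) else re.escape(c) for c in low)
    return any(re.fullmatch(pattern, known) for known in KNOWN_SYSTEM_BINARIES)


def exe_path(command: str) -> Optional[str]:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := F2_RE.match(line):
            # A clean system.ini Shell= value is exactly "Explorer.exe"; anything
            # appended to it is started together with the desktop at every logon.
            if m.group("shell").strip().lower() != "explorer.exe":
                findings.append(Finding("F2", line, "extra program chained onto the Explorer shell"))
        elif m := O4_RE.match(line):
            path = exe_path(m.group("cmd"))
            if path is None:
                continue
            low = path.lower()
            base = low.rsplit("\\", 1)[-1]
            if "\\temp\\" in low:
                findings.append(Finding("O4", line, "autorun launched from a temp folder"))
            elif is_lookalike(base):
                findings.append(Finding("O4", line, f"filename mimics a Windows binary: {base}"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", line, "service with no vendor information"))
    return findings


def flagged_sections(log_text: str) -> List[str]:
    """Section codes of all findings, in log order (handy for tests)."""
    return [f.section for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries with random names in system32 (djpuru.exe above) are not caught by these rules; they need a hash or vendor lookup that a text-only triage cannot do.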
 

Discussion Starter #3
Hello, I followed the steps above and here are the results.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:02:02 AM, 9/8/2005
+ Report-Checksum: DB0ADE52

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned without backup
C:\Program Files\FileSubmit\KISS Destroyer\nnez_388.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINDOWS\iLookup -> Adware.eZula : Cleaned without backup
C:\WINDOWS\Lycos\ss_IGN1_setup.exe -> Spyware.Sidesearch.d : Cleaned without backup
C:\WINDOWS\system32\QckpB.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\WINDOWS\wadbsa.exe -> Adware.BetterInternet : Cleaned without backup
C:\WINDOWS\ylmlsghiie.exe -> Adware.BetterInternet : Cleaned without backup


::Report End


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:49:32 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\r?gsvr32.exe
C:\Program Files\nalr\olnt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\system32\r?gsvr32.exe
O4 - HKCU\..\Run: [Woao] C:\Program Files\nalr\olnt.exe
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=VSzeb00546US
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.1.1.29/holdem/holdem-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c10.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094313646875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC559B4-65D0-4D8C-A2C1-762F147F8D1B}: NameServer = 207.173.225.3,216.67.192.3
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


End of KRC HijackThis Analyzer Log.
---------------------------------------------------


Trend Micro found the following 10 cookies


ads.addynamix.com
addynamix.com
Purityscan
doubleclick.net
overture.com
profiling cookie
websponsors.com
atdmt.com


The online scan panda found nothing on computer!!




I had no real problems walking through the steps. I am still experiencing pop-ups, but minimal compared to what it was doing.

What else should I do at this point?

And thanks for all the help buddy,
you're a lifesaver!!
 

TSF Security Team, Emeritus
I think you ran the wrong TrendMicro tool. The one I wanted would produce a different-looking report than that. :grin:


Have HijackThis fix these entries:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\system32\r?gsvr32.exe
O4 - HKCU\..\Run: [Woao] C:\Program Files\nalr\olnt.exe
O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menuse...?p=VSzeb00546US
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W.../bridge-c10.cab



Run KillBox & paste the following locations into KillBox one at a time:
  • C:\Program Files\nalr\
    C:\WINDOWS\system32\r?gsvr32.exe
  1. Checkmark the following boxes :
    • Delete on Reboot
    • DelTree (including SubDirectories) if available
  2. Click the RED X button
  3. Answer YES when asked to confirm file deletion
  4. Answer NO when prompted to reboot now
  5. Proceed with the next file by repeating the above steps.
  6. Once you get to the last entry, click YES when prompted to reboot.

Upon reboot, Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HJT report

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Also do this...
Go to HijackThis> Config> Misc Tools
Checkmark/tick 'list also minor sections (full)'
Click the 'Generate StartupList log' button
Post the log in your next reply
 

Discussion Starter #5
OK, I followed all instructions
and here are all the results.

Damn, it's almost scary how much text is present lol :sayno:

thanks brother!!!



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 10, 2005 14:56:00
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/09/2005
Kaspersky Anti-Virus database records: 139778
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 34113
Number of viruses found: 26
Number of infected objects: 141
Number of suspicious objects: 2
Duration of the scan process: 1977 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/install.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip Suspicious: Password-protected-EXE
C:\Program Files\Norton AntiVirus\Quarantine\08EE3468 Infected: Trojan-Downloader.Win32.Small.id
C:\Program Files\Norton AntiVirus\Quarantine\0B474897/data0002 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\0B474897 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\18B51F70 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\18BF1D65 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\18C24762 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\18C5715E Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\19AB54B8 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\1BFA3D90 Infected: Trojan-Downloader.Win32.Small.id
C:\Program Files\Norton AntiVirus\Quarantine\1BFD678C Infected: Trojan-Downloader.Win32.Small.id
C:\Program Files\Norton AntiVirus\Quarantine\1D381CD1 Infected: Trojan-Dropper.Win32.Agent.rs
C:\Program Files\Norton AntiVirus\Quarantine\20CC26B4/data0002 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\20CC26B4 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\22684094 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\23A40F2A Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\27EC78B0 Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\Program Files\Norton AntiVirus\Quarantine\2E5F729A Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\2F0C4AAB Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\313943BF Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\32E5549F Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\36724ACC Infected: Trojan.Win32.VB.kq
C:\Program Files\Norton AntiVirus\Quarantine\39EF2E99/data0001 Infected: Trojan.Win32.VB.kq
C:\Program Files\Norton AntiVirus\Quarantine\39EF2E99/data0002 Infected: Trojan.Win32.VB.kq
C:\Program Files\Norton AntiVirus\Quarantine\39EF2E99 Infected: Trojan.Win32.VB.kq
C:\Program Files\Norton AntiVirus\Quarantine\3A02240D Infected: Trojan-Downloader.Win32.Small.id
C:\Program Files\Norton AntiVirus\Quarantine\3A940560 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\3B7C334A Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\45E5609F Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\462B189E Infected: Trojan-Downloader.Win32.Small.id
C:\Program Files\Norton AntiVirus\Quarantine\481D6CDC Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\Program Files\Norton AntiVirus\Quarantine\51761C9E Infected: Trojan-Downloader.Win32.Intexp.d
C:\Program Files\Norton AntiVirus\Quarantine\57575A02 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\5CA06295 Infected: Trojan-Downloader.Win32.Dyfuca.dt
C:\Program Files\Norton AntiVirus\Quarantine\5E772BFE Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\711E63DD Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\712437D6 Infected: Trojan.Win32.Small.cy
C:\Program Files\Norton AntiVirus\Quarantine\712761D2 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\712E35CB Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\71315FC8 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\713409C4 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\713E07B9 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\714131B6 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\71614561 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\74CC2761/data0002 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\74CC2761 Infected: Trojan.Win32.Septic.a
C:\Program Files\Norton AntiVirus\Quarantine\7C3A28CB Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7F2A3177 Infected: Trojan-Downloader.Win32.VB.em
C:\Program Files\Norton AntiVirus\Quarantine\7FB70C98 Infected: Backdoor.Win32.VB.oq
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP800\A0075016.exe Infected: Trojan-Downloader.Win32.PurityScan.af
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0086011.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0087011.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0088010.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0089010.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0090011.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0090036.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0090040.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0090053.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP815\A0090057.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP816\A0090074.exe Infected: Trojan-Downloader.Win32.PurityScan.y
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP817\A0091053.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP820\A0091129.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP820\A0091150.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP821\A0091183.exe Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0092135.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0093135.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0094135.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0095135.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0095244.exe/data0002 Infected: Trojan.Win32.Septic.a
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0095244.exe Infected: Trojan.Win32.Septic.a
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0095264.exe/data0002 Infected: Trojan.Win32.Agent.az
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0095264.exe Infected: Trojan.Win32.Agent.az
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP823\A0096135.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP824\A0096213.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP824\A0096216.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP824\A0096217.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP824\A0096219.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP826\A0096260.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP827\A0096269.exe Infected: Trojan.Win32.Stervis.e
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP827\A0096294.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP827\A0096320.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP829\A0096342.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP829\A0096348.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP830\A0096389.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096401.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096413.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096428.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096450.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096451.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096586.exe Infected: Trojan.Win32.VB.kq
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096592.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096608.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096628.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP831\A0096641.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096784.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096818.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096881.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096882.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096929.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096937.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096941.exe Infected: Trojan-Downloader.Win32.Intexp.d
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096944.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096946.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096947.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096951.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096952.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096953.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096954.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096955.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096956.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096957.exe Infected: Backdoor.Win32.VB.oq
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096958.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096964.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096966.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096967.dll Infected: Trojan-Downloader.Win32.Dyfuca.dt
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096968.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096969.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096970.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096977.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096983.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP832\A0096984.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP833\A0096993.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP833\A0096994.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP834\A0097011.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP834\A0097012.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097035.exe Infected: Trojan.Win32.Agent.az
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097056.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097063.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097274.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097277.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097278.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097287.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097288.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP835\A0097290.exe Infected: Trojan-Downloader.Win32.PurityScan.an
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP836\A0097305.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP836\A0097306.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP837\A0097318.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP837\A0097320.exe Infected: Trojan.Win32.Stervis.f
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP837\A0097321.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP837\A0097380.exe Infected: Trojan-Downloader.Win32.PurityScan.an
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP837\A0097398.exe Infected: Trojan-Downloader.Win32.VB.em
C:\System Volume Information\_restore{05425706-254C-4024-8B98-570F6A9FA682}\RP837\A0097408.exe Infected: Trojan-Downloader.Win32.Keenval.c

Scan process completed.
------------------------------------------------------------------------------------------------------
StartupList report, 9/10/2005, 2:58:57 PM
StartupList version: 1.52.2
Started from : C:\Hjt\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hjt\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ADSL_A2 = A2Installed
AdaptecDirectCD = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab

[{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
CODEBASE = http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c10.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094313646875

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5free/asinst.cab

[ZoneAxRcMgr Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZAxRcMgr.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

D-Link ITeX ADSL Management and Monitor Interface: System32\DRIVERS\amgmwan.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
SymWMI Service: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 12,900 bytes
Report generated in 0.906 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

--------------------------------------------------------------------------------------------------

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:59:45 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.1.1.29/holdem/holdem-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c10.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094313646875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC559B4-65D0-4D8C-A2C1-762F147F8D1B}: NameServer = 207.173.225.3,216.67.192.3
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


End of KRC HijackThis Analyzer Log.
=============================================
TSF Security Team, Emeritus
26,363 Posts
I'm puzzled...

When you fixed this entry, did HijackThis come out with any error messages?

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W.../bridge-c10.cab

Try fixing it again.

If it doesn't go away, you'll have to go to this directory - C:\WINDOWS\Downloaded Program Files\

Locate & delete this entry - {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}

Let me know how that went.
Registered
138 Posts
Discussion Starter #7
OK, here is the update. I must not have deleted that last time, sorry.
------------------------------------------



Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:17:46 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.1.1.29/holdem/holdem-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094313646875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC559B4-65D0-4D8C-A2C1-762F147F8D1B}: NameServer = 207.173.225.3,216.67.192.3
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


End of KRC HijackThis Analyzer Log.
====================================================================
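The log above is a list of "Oxx - ..." entries, and the first thing a helper does with one is sort the entries by section and pull out the few fields that get checked first: where O16 entries download ActiveX controls from, which DNS servers the O17 entries name, and what each O4 autostart entry actually launches. The script below is an added example written for this thread; it is not part of the post and not code from HijackThis or the KRC analyzer. Its sample input is a handful of lines copied from the log's format (constructed for the example), and it only extracts and groups; deciding whether an entry is legitimate is still the analyst's job.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, modelled on the entry format of the log in this thread
# (a handful of its lines, not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC559B4-65D0-4D8C-A2C1-762F147F8D1B}: NameServer = 207.173.225.3,216.67.192.3
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
AUTOSTART_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_entries(text):
    """Return (code, body) pairs for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def group_by_section(entries):
    """Count entries per section code, e.g. {'O4': 2, 'O16': 2, ...}."""
    counts = defaultdict(int)
    for code, _ in entries:
        counts[code] += 1
    return dict(counts)


def activex_download_hosts(entries):
    """Hostnames that O16 (Download Program Files) entries fetch ActiveX controls from."""
    hosts = []
    for code, body in entries:
        if code != "O16":
            continue
        m = URL_RE.search(body)
        if m:
            hosts.append(urlparse(m.group(0)).hostname)
    return hosts


def dns_servers(entries):
    """DNS servers configured in O17 (Tcpip NameServer) entries."""
    servers = []
    for code, body in entries:
        if code == "O17" and "NameServer" in body:
            _, _, value = body.partition("NameServer =")
            servers.extend(s.strip() for s in value.split(",") if s.strip())
    return servers


def autostart_commands(entries):
    """(name, command, has_explicit_path) for O4 autostart entries.

    A command that is neither quoted nor an absolute path (like 'A2Installed')
    has to be located on disk before it can be judged, so it is flagged
    for the analyst with has_explicit_path == False.
    """
    result = []
    for code, body in entries:
        if code != "O4":
            continue
        m = AUTOSTART_RE.search(body)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        explicit = cmd.startswith('"') or re.match(r"^[A-Za-z]:\\", cmd) is not None
        result.append((m.group("name"), cmd, explicit))
    return result


def triage(text):
    """One-shot summary of the fields an analyst reviews first."""
    entries = parse_entries(text)
    return {
        "sections": group_by_section(entries),
        "activex_hosts": activex_download_hosts(entries),
        "dns_servers": dns_servers(entries),
        "autostart": autostart_commands(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved log file by replacing `SAMPLE_LOG` with the file's contents; the O17 and O16 hosts it prints are the ones to compare against the ISP's DNS servers and against vendors the user actually installed controls from.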
 

TSF Security Team, Emeritus
Get up from your chair & do like this little fella here ->
... jump for joy..Your system is clean

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    Go to Start >> Run - type control inetcpl.cpl,,1 & press Enter
    • Click once on the Internet icon so it becomes highlighted.
    • Select Custom Level .
      • Change 'Download signed ActiveX controls' to Prompt
      • Change 'Download unsigned ActiveX controls' to Disable
      • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
      • Change 'Installation of desktop items' to Prompt
      • Change 'Launching programs and files in an IFRAME' to Prompt
      • Change 'Navigate sub-frames across different domains' to Prompt
      • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free Google Toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.


Please respond to this thread one more time so we can mark this thread as resolved.
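Two of the steps in the reply above can be verified after the fact instead of re-walked through the dialogs: step 3 changes six Internet-zone settings, which Internet Explorer stores as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable), and step 11 installs a hosts file that sinks ad hosts to 127.0.0.1. The script below is an added example written for this thread, not code from the forum, from MVPS or from any tool named above. The value ids it uses (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's documented URL-action ids for those six settings; the `reg export` snippet and the hosts file it reads are constructed samples, and the example.* names in them are placeholders.

```python
import ipaddress
import re

# Internet Explorer URL-action ids for the six settings in step 3, with the
# value the post recommends (0 = Enable, 1 = Prompt, 3 = Disable).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
LEVEL_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample of `reg export` output for the Internet zone key; two of
# the six settings are still at Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000001
"""

# Constructed sample hosts file (on Windows the real one lives at
# %SystemRoot%\System32\drivers\etc\hosts); example.* names are placeholders.
SAMPLE_HOSTS = """\
# blocked ad/tracking hosts, MVPS style
127.0.0.1       localhost
127.0.0.1       ads.example.net
127.0.0.1       tracker.example.org  # trailing comment
0.0.0.0         banner.example.com
192.0.2.10      update.example.com   # points off the local machine
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Map value name -> int for every DWORD line in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone(values):
    """Settings whose current value differs from the recommendation.

    Returns (id, description, current_name, recommended_name) tuples; a value
    missing from the export is reported as 'unset'.
    """
    findings = []
    for action_id, (desc, wanted) in RECOMMENDED.items():
        current = values.get(action_id)
        if current != wanted:
            shown = "unset" if current is None else LEVEL_NAMES.get(current, str(current))
            findings.append((action_id, desc, shown, LEVEL_NAMES[wanted]))
    return findings


def parse_hosts(text):
    """(ip, hostname) pairs from a hosts file; comments and blank lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name) for name in names)
    return pairs


def _is_sinkhole(ip):
    # 127.0.0.0/8 and 0.0.0.0 both keep the name from reaching the network.
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def blocked_hosts(pairs):
    """Hostnames the file sinks to the local machine (excluding localhost itself)."""
    return [name for ip, name in pairs if _is_sinkhole(ip) and name != "localhost"]


def unexpected_hosts(pairs):
    """Entries that redirect a name somewhere other than the local machine."""
    return [(ip, name) for ip, name in pairs if not _is_sinkhole(ip)]


if __name__ == "__main__":
    for finding in audit_zone(parse_reg_dwords(SAMPLE_REG)):
        print("zone setting %s (%s): is %s, recommended %s" % finding)
    pairs = parse_hosts(SAMPLE_HOSTS)
    print("hosts sunk to loopback:", blocked_hosts(pairs))
    print("hosts pointing elsewhere:", unexpected_hosts(pairs))
```

To use it on a real machine, export the zone key with `reg export` and feed that text to `parse_reg_dwords`, and read the hosts file from the path in the comment into `parse_hosts`. A hosts entry that points a name at an address other than loopback is not necessarily wrong, but it is the kind of entry the MVPS file never adds, so it deserves a second look after a cleanup.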
 