Discussion Starter #1:
Okay, firstly, here is the log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:52:54 PM, on 9/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinAce\WinAce.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Evidence Eliminator] D:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{835BB97D-5495-4EAD-B46F-0397C58603B6}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0C8C66F-731A-43A8-B253-E4B40FAB01B4}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{D517314E-9D11-4369-B1D1-581F6960DCB5}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

Now, the problem is, every 30 minutes or so, I have a window pop up; the title bar says Windows Security Center, and then it feeds me this bs about how the Mic. Firewall has detected suspicious activity... complete bs.... my firewall hasn't been turned on for Mic., I'm running ZoneAlarm. Now the first time I saw this window... I clicked Yes to the option. It opened my browser and took me to Http://spyware-biz.com/search.php?q=spyware.... thought it was a blank page.... however... Ctrl-A-ing it showed a link at the top left corner.... curiosity got me.... took me to http://adv/eblocs.com/spyblocs/adv/mygeek_002.html.... ad for some spyware bs....

I didn't see anything in the HJT log that looked out of place... but I figured I would ask the pros... a Google search of Windows Security Center shows that it's legit... and showed me where it was on my computer... however... upon searching for it in the areas they listed.... it's not there.... I don't have WSC on my computer... if I do... I can't find it...

Bulletproof's Spyware and Lavasoft's Adware-6 both turned up nothing....

This is causing a hindrance with everyday activities, and esp. my Final Fantasy XI online gaming experience. The popup kills fullscreen mode, which automatically kills my game.

Any and all help would be appreciated. Thanks.
 

TSF Security Team, Emeritus:
Please print out these instructions for reference as you will have to restart your computer during the fix. An internet connection is required as the installer will need to download other files during the fix.

Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

After you have restarted, wait for HijackThis to launch automatically.
Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{835BB97D-5495-4EAD-B46F-0397C58603B6}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0C8C66F-731A-43A8-B253-E4B40FAB01B4}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{D517314E-9D11-4369-B1D1-581F6960DCB5}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20


Click Fix Checked. Close HijackThis, and click OK to proceed.

Post a new HijackThis log after you have completed the fix.
 

Discussion Starter #3:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:55:24 PM, on 9/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\system32\savedump.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Evidence Eliminator] D:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15323632-B3F8-4CD5-B561-02C248FF68B2}: NameServer = 69.50.168.139,85.255.112.20
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE


End of KRC HijackThis Analyzer Log.
====================================================================


After my PC rebooted, I got an error saying Windows could not find the path for that FixWareout prog.
 

Discussion Starter #5:
please post this report in the forum
»»»»» Search by size and names...
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\Help\SPAlert.chm

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool




====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:31:41 PM, on 9/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\fixwareout\SUB\BFU.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

Okay, fixit ran this time.
 

TSF Security Team, Emeritus:
Have HijackThis fix these entries:

O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe



If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools > Folder Options > View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK.

Locate and delete the following files:
  • C:\WINDOWS\System32\hgqhp.exe
  • C:\WINDOWS\Help\SPAlert.chm
  • C:\WINDOWS\System32\hwiper.exe
  • C:\WINDOWS\System32\yaemu.exe


  1. Go to Start > Run - type cleanmgr (this starts Windows Disk Cleanup)
  2. Select Drive C: & click the 'OK' button
  3. Select the following options:
     • Temporary Internet Files
     • Recycle Bin
     • Temporary Files
  4. Click the 'OK' button


Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
Copy and paste that information in your next post along with a new HJT log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
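An added triage script (not from this thread, HijackThis or FixWareout) that automates the two checks the helper made by eye across the logs above: O17 interfaces with a hard-coded public NameServer, and O4 Run values named after a short random .exe in System32. The log excerpts are constructed from the entries posted in this thread; the `trusted` allowlist is an assumption standing in for the user's known ISP resolvers.

```python
"""Triage helpers for HijackThis log excerpts (added example, not HJT's own code).

Automates two checks the helper in this thread made by eye:
  * O17 lines: hard-coded NameServer values per interface (the 69.50.168.139 /
    85.255.112.20 pair that HJT was told to fix).
  * O4 Run lines: autostart values named after a short random .exe in System32
    (hgqhp.exe, hwiper.exe, yaemu.exe).
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the logs in post #1 and post #3, trimmed to the
# sections the checks below look at.
LOG_POST1 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{835BB97D-5495-4EAD-B46F-0397C58603B6}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
"""
LOG_POST3 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15323632-B3F8-4CD5-B561-02C248FF68B2}: NameServer = 69.50.168.139,85.255.112.20
"""

# O17 - HKLM\System\<control set>\Services\Tcpip\..\{<interface GUID>}: NameServer = a,b
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}:"
    r" NameServer = (?P<servers>[0-9.,]+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Value-name shape shared by the three rogue entries: 4-8 lowercase letters + .exe
RANDOM_EXE_RE = re.compile(r"^[a-z]{4,8}\.exe$")


def nameservers(log: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (control set, interface GUID) -> hard-coded NameServer list from O17 lines."""
    found: Dict[Tuple[str, str], List[str]] = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found[(m["cs"], m["guid"].upper())] = m["servers"].split(",")
    return found


def rogue_dns(log: str, trusted: Set[str] = frozenset()) -> Dict[Tuple[str, str], List[str]]:
    """Interfaces whose hard-coded resolvers include a public address not in `trusted`.

    A home PC normally gets DNS via DHCP (DhcpNameServer, which HJT does not list),
    so a static public NameServer that is neither a LAN address nor one of the ISP's
    known resolvers deserves a look.  `trusted` is an assumed caller-filled allowlist.
    """
    flagged: Dict[Tuple[str, str], List[str]] = {}
    for iface, servers in nameservers(log).items():
        bad = [s for s in servers
               if s not in trusted and not ipaddress.ip_address(s).is_private]
        if bad:
            flagged[iface] = bad
    return flagged


def suspicious_run_entries(log: str) -> Dict[str, str]:
    """Run values named '<random>.exe' whose target is that same file in System32.

    Legitimate vendors name their Run values after the product (SunJavaUpdateSched,
    ccApp); the entries the helper removed were named after the binary itself.
    """
    out: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m["name"], m["cmd"]
        target = cmd.strip('"').split("\\")[-1].lower()
        if (RANDOM_EXE_RE.match(name.lower()) and name.lower() == target
                and "\\system32\\" in cmd.lower()):
            out[name] = cmd
    return out


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(lines added, lines removed) between two scans, the way a helper eyeballs them."""
    a = {l.strip() for l in before.splitlines() if l.strip()}
    b = {l.strip() for l in after.splitlines() if l.strip()}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for iface, bad in rogue_dns(LOG_POST3).items():
        print("hard-coded public DNS on", iface, "->", ",".join(bad))
    for name, cmd in suspicious_run_entries(LOG_POST3).items():
        print("suspicious autostart:", name, "->", cmd)
    print("new since post #1:", *diff_logs(LOG_POST1, LOG_POST3)[0], sep="\n  ")
```

Running the diff between consecutive logs is what shows the interesting part of this thread: the O17 entries come back under a fresh interface GUID and the random-named Run entries are renamed after each fix, which is why the helper asks for a new log after every step.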
 

Discussion Starter #7:
To start off with, when I reran HJT, hwiper.exe and yaemu.exe weren't on there...

Here are the HJT results I just did.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:22:23 PM, on 9/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\BitTorrent\btdownloadgui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{15323632-B3F8-4CD5-B561-02C248FF68B2}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{835BB97D-5495-4EAD-B46F-0397C58603B6}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0C8C66F-731A-43A8-B253-E4B40FAB01B4}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{D517314E-9D11-4369-B1D1-581F6960DCB5}: NameServer = 69.50.168.139,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

And here are the Kaspersky results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 14, 2005 20:21:31
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/09/2005
Kaspersky Anti-Virus database records: 140325
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 94510
Number of viruses found: 29
Number of infected objects: 143
Number of suspicious objects: 1
Duration of the scan process: 3075 sec

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\Incoming\AP0.dll Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\774213FA.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\59621848.htm Infected: Exploit.HTML.IframeBof
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\00D32326 Infected: Trojan-Dropper.Win32.Small.pb
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\08E34A47 Infected: Trojan.Win32.StartPage.lj
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\125E79C8.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\126F4BB6.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\12C0655C.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\12D70B43.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\135A1AB3.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\136D169E.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1398386F.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\18DC74A3.php Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\191E3C5B.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19356242.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\195C5A17.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19737FFE.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BA1BAE.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19CE1799.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1A447F18.php Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1AB63C9A.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\00F86830.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1ACD6281.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\60515482.exe Infected: Trojan-Downloader.Win32.Small.yo
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\633610B9.exe Infected: Backdoor.Win32.Prorat.19
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0B9A75AF Infected: Backdoor.Win32.Prorat.19
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\739130AB//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.ISS Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\739130AB//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.PDF Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\739130AB Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\73945AA8.exe//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.ISS Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\73945AA8.exe//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.PDF Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\73945AA8.exe Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0C71014C.exe Infected: Backdoor.Win32.BO2K.10
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\675850F9.exe//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.ISS Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\675850F9.exe//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.PDF Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\675850F9.exe Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\68F37B34.exe Infected: Backdoor.Win32.BO2K.10
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\68F72530.exe Infected: Backdoor.Win32.BO2K.10
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4BC85D96.dll Infected: Backdoor.Win32.BO2K.plugin.Cast.k
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27403D80.dll Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4ED40639.dll Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0DAA027E.dll Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\42B4138D.dll Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4FE85306.dll Infected: Backdoor.Win32.BO2K.plugin.Cast.k
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\16AB2B30.dll Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4DFC076D//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.ISS Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4DFC076D//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.PDF Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4DFC076D Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4DFF3169 Infected: Backdoor.Win32.BO2K.plugin.Cast.k
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\38BA77CB Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4E7842E4 Infected: Backdoor.Win32.BO2K.plugin.Hijack
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\290B7E59.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\13F437D3.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0C591F57.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6904095C.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\57D97F64.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\63777403.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6D673713.exe Infected: Trojan.Win32.StartPage.ig
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\24583053.class Infected: Trojan.Java.ClassLoader.z
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\259A25CF.class Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4201202B.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2547294D.zip/Bubble.class Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2547294D.zip/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2547294D.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2547294D.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2547294D.zip Infected: Trojan-Downloader.Java.OpenStream.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\254A5349.zip/Bubble.class Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\254A5349.zip/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\254A5349.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\254A5349.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\254A5349.zip Infected: Trojan-Downloader.Java.OpenStream.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\102A59F6.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\102A59F6.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\102A59F6.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\102A59F6.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\102A59F6.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FBC675A.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FBC675A.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FBC675A.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FBC675A.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FBC675A.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\28505163 Infected: Trojan.Java.ClassLoader.z
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\10E97847 Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0DCB7215 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01102443.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01102443.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01102443.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01102443.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01102443.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01102443.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A0A5C42.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\45DF6766.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\01F1754B.class Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\18FE3213.class Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34130220.class Infected: Trojan.Java.Binny.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34756DB4.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09653775.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\638C4F61.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\42C86E4B.class Infected: Trojan-Downloader.Java.OpenStream.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347B41AD.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347E6BA9.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34853FA2.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\38971128.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5ABC2E97.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\61EE3926.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\25FB7576.class Infected: Trojan-Downloader.Java.OpenStream.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3CC61E81.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\389A3B24.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\389D6521.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\38DB02DC.class Infected: Trojan.Java.Binny.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\14286489.class Infected: Trojan.Java.Binny.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3F095C59 Infected: Trojan.Java.Binny.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3F0C0655 Infected: Trojan.Java.Binny.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2AAE1F81.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0EC70E6B.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\430C76B0.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\629A5806.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2AB1497D.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2AB81D76.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2ABB4772.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2ABE716F.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DC82B2B.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DDB2715.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DDE5112.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49DB3A44.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EF856D1.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EF856D1.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EF856D1.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EF856D1.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EF856D1.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EFE2ACA.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3F0154C6.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3F057EC2.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3F0B52BB.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0B012A70 Infected: Trojan-Downloader.Win32.Dyfuca.dt
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\77382475 Infected: Trojan-Downloader.Win32.Dyfuca.dt
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-45647bb1.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-45647bb1.zip Infected: Trojan-Downloader.Java.OpenStream.c
C:\FOUND.010\FILE0022.CHK Infected: Trojan-Downloader.Win32.Delf.vq
C:\fixwareout\SUB\download.exe Infected: Trojan-Downloader.Win32.Delf.vq
C:\firefox downloads\Fixwareout.exe/data0005 Infected: Trojan-Downloader.Win32.Delf.vq
C:\firefox downloads\Fixwareout.exe Infected: Trojan-Downloader.Win32.Delf.vq
D:\Prorat-v1.9.zip/ProRat.exe Infected: Backdoor.Win32.Prorat.19
D:\Prorat-v1.9.zip Infected: Backdoor.Win32.Prorat.19

Scan process completed.
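As an added example, not part of the original post or of any tool named in this thread, the Python below triages scanner output of the shape shown above. What a practitioner wants from a log like this is not the detection names but where each file sits: hits under the Norton quarantine folder are already contained, hits in the Sun Java applet cache disappear when that cache is cleared, and only the remaining paths are live files that still need deleting. The sample lines are a subset copied from the log above; the classification rules and bucket names are the example's own.

```python
import re

# Shape of the scanner output lines above: "<path> Infected: <name>" or
# "<path> Suspicious: <name>"; archive members are appended after "/" or "//".
HIT_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")

# Constructed sample: a subset of the lines from the scan log above.
SAMPLE_LOG = r"""
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\633610B9.exe Infected: Backdoor.Win32.Prorat.19
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\739130AB//bo2k/installer/intl/BO2K/650MB/DISK1/SETUP.ISS Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\739130AB Infected: Backdoor.Win32.BO2K
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DC82B2B.htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-45647bb1.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\FOUND.010\FILE0022.CHK Infected: Trojan-Downloader.Win32.Delf.vq
C:\fixwareout\SUB\download.exe Infected: Trojan-Downloader.Win32.Delf.vq
D:\Prorat-v1.9.zip/ProRat.exe Infected: Backdoor.Win32.Prorat.19
D:\Prorat-v1.9.zip Infected: Backdoor.Win32.Prorat.19

Scan process completed.
"""


def classify(container):
    """Where the file sits decides the remediation, not the detection name."""
    p = container.lower()
    if "\\norton antivirus\\quarantine\\" in p:
        return "quarantined"   # already contained by the AV; empty the quarantine
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"    # applet cache; cleared through the Java control panel
    return "live"              # still on disk where it can run; delete it


def triage(log_text):
    """Return {bucket: {container_path: set(detection names)}}.

    Archive members (zip/Bubble.class) are collapsed onto their container, so
    one dropped zip with four bad classes is one action item, not five.
    """
    buckets = {"live": {}, "quarantined": {}, "java_cache": {}}
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # blank lines, progress lines, "Scan process completed."
        container = m.group("path").split("/", 1)[0]
        names = buckets[classify(container)].setdefault(container, set())
        names.add(m.group("name"))
    return buckets


def action_items(buckets):
    """Order of operations: live files first, then the cache, then quarantine."""
    items = [("delete", path, ", ".join(sorted(names)))
             for path, names in sorted(buckets["live"].items())]
    if buckets["java_cache"]:
        items.append(("clear Java cache", f"{len(buckets['java_cache'])} cached jar(s)", ""))
    if buckets["quarantined"]:
        items.append(("empty AV quarantine", f"{len(buckets['quarantined'])} quarantined item(s)", ""))
    return items


if __name__ == "__main__":
    for action, target, detail in action_items(triage(SAMPLE_LOG)):
        print(f"{action:20} {target}  {detail}")
```

Run it against a full scanner report by reading the file into `triage()`; the three live containers it reports for the sample are exactly the files the helper below asks to be deleted, and the cache and quarantine buckets map to the other two instructions.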
 

TSF Security Team, Emeritus
The return of such entries is bad.

O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20


If you have deleted the file - C:\WINDOWS\System32\hgqhp.exe - as per my previous post, have Hijackthis fix this entry.

O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe


Locate & delete these files:

C:\FOUND.010\FILE0022.CHK
D:\Prorat-v1.9.zip



Follow the instructions outlined here to clear Sun Java's cache.

Please use Symantec's guide to remove the Norton's Quarantine files.

Before we can proceed any further, please visit Microsoft's Windows Update Page and install ALL Critical Updates for your system (except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system). At the minimum install at least SP1a for both XP and IE6.

Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore if you cannot update XP to SP1 we must stop the cleansing process here.

Thank you for your cooperation.
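The helper's point that the O17 entry has returned is worth checking mechanically: an entry that comes back after a HijackThis fix means something still on the machine is rewriting it, and that something is usually among the autostart entries present in both the earlier and the later log. The Python below is an added example, not part of the reply above or of HijackThis itself. It parses the O17 and O4 line shapes quoted in this thread from two constructed logs, reports the NameServer addresses that survived the fix, and lists the unvetted Run entries present in both logs as the candidates to remove next. EXPECTED_RESOLVERS and VETTED_IMAGES are assumptions made for the example (the resolvers DHCP or the ISP should be supplying, and the Run entries the helper has already accepted); neither comes from the thread.

```python
import re

# HijackThis line shapes quoted in the reply above.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,\s]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<image>.+)$")

# Constructed sample logs: the relevant lines from this thread as they would look
# before the user ran a HijackThis fix on the O17 entry and after it came back.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O17 - HKLM\System\CS2\Services\Tcpip\..\{03DBC96D-692E-4399-8F0F-3CCA47BCDAEB}: NameServer = 69.50.168.139,85.255.112.20
"""

# Assumptions for the example, not taken from the thread: the resolvers this
# machine should have (whatever DHCP or the ISP hands out) and the Run entries
# the helper has already vetted. Paths are compared case-insensitively.
EXPECTED_RESOLVERS = {"192.168.1.1"}
VETTED_IMAGES = {r"c:\program files\common files\symantec shared\ccapp.exe"}


def nameservers(log):
    """{registry key: [ip, ...]} for every O17 NameServer line in the log."""
    out = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            out[m.group("key")] = [ip.strip() for ip in m.group("servers").split(",") if ip.strip()]
    return out


def run_entries(log):
    """{value name: image path} for every O4 HKLM/HKCU Run line (Global Startup
    lines have a different shape and are deliberately not matched)."""
    out = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out[m.group("name")] = m.group("image").strip().strip('"')
    return out


def returning_hijack(before, after, expected=EXPECTED_RESOLVERS, vetted=VETTED_IMAGES):
    """Rogue resolvers present in both logs, plus the unvetted Run entries that
    survived the fix: the candidates for whatever keeps rewriting the O17 key."""
    def rogue(log):
        return {ip for ips in nameservers(log).values() for ip in ips} - set(expected)

    returning = rogue(before) & rogue(after)
    if not returning:
        return returning, {}
    earlier = run_entries(before)
    persisted = {name: img for name, img in run_entries(after).items()
                 if name in earlier and img.lower() not in vetted}
    return returning, persisted


if __name__ == "__main__":
    ips, suspects = returning_hijack(LOG_BEFORE, LOG_AFTER)
    print("NameServer entries that came back:", ", ".join(sorted(ips)))
    for name, img in suspects.items():
        print(f"persisting Run entry [{name}] -> {img}")
```

Feed it the full text of two consecutive HijackThis logs; an empty `returning` set means the O17 fix held and there is nothing to chase, while a non-empty one paired with a persisting unvetted Run entry is exactly the pattern the reply above describes.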
 