Trojan horse help please
windigo
09-04-2006, 02:38 PM
I'm trying to help my neighbour remove a virus but am getting very close to exploding here! We're both novices. He uses AVG and it has found the following:
Trojan horse Generic.XFV
Trojan horse Clicker.FR
Trojan horse Generic.KS
Trojan horse Collected.8AQ
Originally the screen went red with an advert flashing in the middle - I managed to get rid of this by going into the desktop settings. What's happening now is AVG keeps throwing up the "Virus Detected!" alert for these 4 viruses - sometimes they can be healed and/or moved to the virus vault, sometimes not! Each time the computer starts these messages pop up, and the same thing happens if I try to open any browser window. It seems to be locking the programs on occasion; sometimes it shuts the computer down without warning etc. If anyone can offer ANY help and advice we'd be extremely grateful. I notice from a lot of your replies to other posts that it's good to use HijackThis? I'll download it while I wait for a reply. The OS is Windows XP.
Thanking you in advance,
Wendy & Dougie! (Close to tears!)
classicsoftware
09-04-2006, 02:43 PM
Download Hijackthis and unzip into a permanent folder.
Click on the icon and choose scan and create a log.
Post the contents of the log here for review.
windigo
09-04-2006, 02:52 PM
Here's the results - tha
Logfile of HijackThis v1.99.1
Scan saved at 19:50:52, on 04/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [uzzpd.exe] C:\WINDOWS\System32\uzzpd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.p0rt2.com
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.wanadoo.co.uk/time/anytimereg_dialer/dialer/dialers/sd0101_5.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl29.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {33331111-1131-1111-1111-611111193428} - http://www.www2.p0rt2.com/files/proto299.cab
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl29bd.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C6C566-C563-4390-B616-BA822D0BB8F3}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{817405AE-53BB-489F-8D80-3D479CAFEA55}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{E33EFFF6-5A59-4712-B572-412D8A148F83}: NameServer = 85.255.115.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
classicsoftware
09-04-2006, 03:02 PM
First you will need to disable TeaTimer:
1) Run Spybot-S&D
2) Go to the Mode menu and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
Open Hijackthis and place a check next to:
O4 - HKLM\..\Run: [uzzpd.exe] C:\WINDOWS\System32\uzzpd.exe
O15 - Trusted Zone: *.p0rt2.com
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl29.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {33331111-1131-1111-1111-611111193428} - http://www.www2.p0rt2.com/files/proto299.cab
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl29bd.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C6C566-C563-4390-B616-BA822D0BB8F3}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{817405AE-53BB-489F-8D80-3D479CAFEA55}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{E33EFFF6-5A59-4712-B572-412D8A148F83}: NameServer = 85.255.115.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
Close all program and browser windows except for HijackThis and click fix checked.
Re-boot and post a fresh log.
windigo
09-04-2006, 03:19 PM
Thanks - I'll get that done now and post back here asap!
windigo
09-04-2006, 04:24 PM
There were a few lines that I couldn't find on Spybot :-
O4 - HKLM\..\Run: [uzzpd.exe] C:\WINDOWS\System32\uzzpd.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
The latest log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 21:16:34, on 04/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [fhnvs.exe] C:\WINDOWS\System32\fhnvs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.wanadoo.co.uk/time/anytimereg_dialer/dialer/dialers/sd0101_5.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C6C566-C563-4390-B616-BA822D0BB8F3}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{817405AE-53BB-489F-8D80-3D479CAFEA55}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{E33EFFF6-5A59-4712-B572-412D8A148F83}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
(Hope I'm doing this properly!!)
windigo
09-04-2006, 04:50 PM
May have to check again tomorrow as it's getting late here in the UK ;) (Will check first thing) Also, HAPPY BIRTHDAY to you!! :D
Budfred
09-04-2006, 10:23 PM
There were a few lines that I couldn't find on Spybot :-
O4 - HKLM\..\Run: [uzzpd.exe] C:\WINDOWS\System32\uzzpd.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21
Those lines aren't in Spybot, they are in the HijackThis log and they are still there... You need to fix them... This one:
O4 - HKLM\..\Run: [uzzpd.exe] C:\WINDOWS\System32\uzzpd.exe
Has changed to this one and it may change again if you have rebooted....
O4 - HKLM\..\Run: [fhnvs.exe] C:\WINDOWS\System32\fhnvs.exe
You will either need to post a HJT log and NOT reboot until we tell you which to fix or you will need to figure it out and fix it yourself...
These are the ones that need to be fixed based on this log... Open a HJT scan and put checks by:
O4 - HKLM\..\Run: [fhnvs.exe] C:\WINDOWS\System32\fhnvs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.wanadoo.co.uk/time/anyt...rs/sd0101_5.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C6C566-C563-4390-B616-BA822D0BB8F3}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{817405AE-53BB-489F-8D80-3D479CAFEA55}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{E33EFFF6-5A59-4712-B572-412D8A148F83}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AC35673-F4EB-4D38-B1FC-F12EE62AACFC}: NameServer = 85.255.115.21,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
Close all open windows except HJT and press Fix checked...
Find this file in Windows Explorer and see what size it is to post back here: C:\WINDOWS\SYSTEM32\slmdmsr.exe
If it hasn't already changed to something else, find and delete this:
C:\WINDOWS\System32\fhnvs.exe
Then I suggest running a couple of other scans:
Please download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)
Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close ewido. Do not run it yet.
Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
In Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.
and.........
* Click here (http://support.f-secure.com/enu/home/ols3.shtml) to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
Reboot...
Please perform another scan with Hijack This, and then post back with a copy of the Ewido log, the F-Secure log and the new HijackThis log.
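An added example for readers of this thread (not a tool from the thread, from HijackThis, or from any of the helpers here): a small Python script that reads the O4/O15/O16/O17 lines of a HijackThis log and flags the same four things the helpers picked out by hand, then compares two scans so an autorun that changes its name after every reboot (the uzzpd.exe / fhnvs.exe / sidru.exe entry above) shows up as a "gone / new" pair. The sample scans are constructed from the lines in this thread and cut down; the two allowlists (your ISP's resolvers, hosts you accept ActiveX .cab files from) are assumptions you fill in for your own machine.

```python
"""Triage helper for HijackThis-style logs: an added example, not code from this
thread, from HijackThis or from any helper here.  It parses the O4/O15/O16/O17
lines, flags the patterns the helpers fixed by hand (a System32 autorun named
after its own file, Trusted Zone additions, .cab downloads from file:// or an
unexpected host, NameServers that are neither the home router nor allowlisted)
and diffs two scans so a renamed autorun stands out.  Samples are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed, cut-down scans modelled on the thread; SCAN_2 is "after a reboot".
SCAN_1 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [uzzpd.exe] C:\WINDOWS\System32\uzzpd.exe
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [fhnvs.exe] C:\WINDOWS\System32\fhnvs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21,85.255.112.213
"""

# Assumed allowlists: public resolvers you expect (private addresses, i.e. the home
# router, are always accepted) and hosts you accept ActiveX .cab files from.
DNS_ALLOW = set()  # add the ISP's resolvers here
DPF_HOST_ALLOW = {"download.macromedia.com"}

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (\{[^}]+\})(?: \([^)]*\))? - (?P<url>\S+)")
O17_RE = re.compile(r"^(?P<key>.*): NameServer = (?P<servers>.*)$")


def parse(log_text):
    """Return (section, body) pairs for every R/O line; the process list is skipped."""
    return [(m.group(1), m.group(2)) for line in log_text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def _exe_path(cmd):
    """Program part of a Run value: the quoted path, or the text before the first space."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(entries, dns_allow=DNS_ALLOW, dpf_hosts=DPF_HOST_ALLOW):
    """Return (section, reason, body) for each entry matching a pattern from the thread."""
    findings = []
    for sec, body in entries:
        if sec == "O4" and (m := O4_RE.match(body)):
            path = _exe_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            # Value name identical to the file name, under System32: the shape of the
            # uzzpd.exe -> fhnvs.exe -> sidru.exe entry that kept changing in the thread.
            if m.group("name").lower() == base.lower() and "system32" in path.lower():
                findings.append((sec, "autorun named after its own file in System32", body))
        elif sec == "O15":  # a home PC does not gain Trusted Zone sites on its own
            findings.append((sec, "site added to IE Trusted Zone", body))
        elif sec == "O16" and (m := O16_RE.match(body)):
            url = urlparse(m.group("url"))
            if url.scheme == "file" or url.hostname not in dpf_hosts:
                findings.append((sec, "ActiveX .cab from file:// or unexpected host", body))
        elif sec == "O17" and (m := O17_RE.match(body)):
            bad = []
            for ip in re.split(r"[ ,;]+", m.group("servers").strip()):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    bad.append(ip)
                    continue
                if not addr.is_private and ip not in dns_allow:
                    bad.append(ip)
            if bad:
                findings.append((sec, "NameServer not on LAN or allowlist: " + " ".join(bad), body))
    return findings


def renamed_autoruns(before, after):
    """O4 entries that vanished / appeared between two scans taken either side of a reboot."""
    old = {b for s, b in before if s == "O4"}
    new = {b for s, b in after if s == "O4"}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for label, scan in (("scan 1", SCAN_1), ("scan 2", SCAN_2)):
        print(label, *(f"  {s}: {r}\n      {b}" for s, r, b in triage(parse(scan))), sep="\n")
    print("renamed autorun (gone, new):", renamed_autoruns(parse(SCAN_1), parse(SCAN_2)))
```

Run it as-is to see the findings for the two sample scans, or hand `parse()` the text of a real log. The O17 rule is the one worth keeping around: a resolver written into every adapter's NameServer value that is neither the router nor one you chose is the tell-tale of a DNS changer, and because the value is copied into the CCS, CS1 and CS2 control sets, all of those lines have to be fixed together, which is why the helpers listed every one of them.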
windigo
09-05-2006, 01:14 PM
Hello and thanks!
The file slmdmsr.exe is 60KB
The file fhnvs.exe has, I think, changed to sidru.exe. I can't delete this though as it says it is being used by another user or program.
Here is a copy of the HijackThis log. I'm now about to follow your instructions for Ewido.
Logfile of HijackThis v1.99.1
Scan saved at 18:14:21, on 05/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sidru.exe] C:\WINDOWS\System32\sidru.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.213
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
Ctrl-Alt-Del once and bring up the Task Manager... look for that file in the list of running tasks. If it is there, kill it... then you should be able to delete it.
If it isn't there or it won't let you kill it, then post back... we have other ways of dealing with such persistent pests.
windigo
09-05-2006, 04:08 PM
Thanks for that info! I'm posting this from my computer (next door) as Ewido is still scanning my neighbour's PC! I will then do the F-Secure bit and post back to you again ..... I could be gone some time!!
windigo
09-06-2006, 08:43 AM
Well, I've managed to delete the file (which had changed to sidru.exe). I ran Ewido yesterday and throughout the evening - it seized up on both occasions on C:\WINDOWS\system.tmp - I will post another HJT log for you to see if everything's okay .... in the meantime I'll see if the F-Secure scanner will work. So far the AVG virus alerts haven't popped up so I'm hoping that is good news. There are now 18 viruses in the AVG vault.
Logfile of HijackThis v1.99.1
Scan saved at 13:36:25, on 06/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
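For anyone reading HJT logs like the one above, here is a small triage script. It is an added example for this thread, not a tool anyone in it posted, and it is not HijackThis itself. It parses the R/O entry lines, pulls out the file each O2/O3/O4/O23 entry launches, and flags the patterns this machine ended up showing: a Run key launching a batch file from the drive root, a DLL named after a bare GUID in System32, and a short unrecognised executable name in System32. It also diffs two logs so that entries which appeared between scans stand out. The sample logs, the allowlist and the O3/dmkzh lines (rewritten from Silent Runners output into HJT form) are constructed for the example.

```python
"""HijackThis v1.99 log triage (added example; constructed sample data)."""
import re

ENTRY_RE = re.compile(r'^(?P<code>[RO]\d+) - (?P<body>.*)$')
# First path-like token ending in a launchable extension; tolerates the
# unquoted paths with spaces that HJT prints.
PATH_RE = re.compile(r'((?:[A-Za-z]:\\)?[^"]*?\.(?:exe|bat|cmd|com|scr|dll|ocx))',
                     re.IGNORECASE)
GUID_DLL_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.dll$',
                         re.IGNORECASE)
RANDOM_EXE_RE = re.compile(r'^[a-z]{4,8}\.exe$')

# Constructed, deliberately short allowlist so the random-name heuristic does
# not fire on legitimate lowercase System32 executables; a real baseline is longer.
KNOWN_SYSTEM32 = {'ctfmon.exe', 'msiexec.exe', 'wuauclt.exe', 'svchost.exe',
                  'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe',
                  'lsass.exe', 'spoolsv.exe', 'rundll32.exe'}


def parse_entries(log_text):
    """Return (code, body, path) per R/O line; path is None when no file is named."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group('code'), m.group('body')
        target = body
        if code in ('O2', 'O3', 'O23'):
            target = body.rsplit(' - ', 1)[-1]   # file is the last dash-separated field
        elif code == 'O4' and '] ' in body:
            target = body.split('] ', 1)[1]      # Run key: text after "[EntryName] "
        pm = PATH_RE.search(target)
        entries.append((code, body, pm.group(1) if pm else None))
    return entries


def flag_entry(code, path):
    """Reasons an entry deserves a second look; empty list means nothing was seen."""
    reasons = []
    if path is None:
        return reasons
    parts = path.split('\\')
    name = parts[-1].lower()
    in_system32 = len(parts) >= 2 and parts[-2].lower() == 'system32'
    if code == 'O4' and name.endswith(('.bat', '.cmd')):
        reasons.append('Run key launches a batch file')
    if code == 'O4' and len(parts) == 2 and parts[0].endswith(':'):
        reasons.append('launched from the drive root')
    if GUID_DLL_RE.match(parts[-1]):
        reasons.append('DLL named after a bare GUID')
    if (code == 'O4' and in_system32 and RANDOM_EXE_RE.match(name)
            and name not in KNOWN_SYSTEM32):
        reasons.append('short unrecognised executable name in System32')
    return reasons


def triage(log_text):
    """Map each flagged entry (its body text) to its list of reasons."""
    flagged = {}
    for code, body, path in parse_entries(log_text):
        reasons = flag_entry(code, path)
        if reasons:
            flagged[body] = reasons
    return flagged


def diff_logs(old_text, new_text):
    """(added, removed) entry bodies between two scans of the same machine."""
    old = {body for _, body, _ in parse_entries(old_text)}
    new = {body for _, body, _ in parse_entries(new_text)}
    return sorted(new - old), sorted(old - new)


# Constructed sample: benign lines quoted from the thread's first log.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
"""

# Constructed sample: the same log plus the entries the later scans surfaced.
LOG_AFTER = LOG_BEFORE + r"""O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll
O4 - HKLM\..\Run: [iesjyujt] C:\qoyvnpwm.bat
O4 - HKLM\..\Run: [dmkzh.exe] C:\WINDOWS\System32\dmkzh.exe
"""

if __name__ == '__main__':
    added, _ = diff_logs(LOG_BEFORE, LOG_AFTER)
    print('new since last scan:', *added, sep='\n  ')
    for body, reasons in triage(LOG_AFTER).items():
        print(body, '->', '; '.join(reasons))
```

The heuristics are only a prompt for a closer look: a name that looks random is not proof of anything, which is why the diff against an earlier clean log is the more reliable signal, and why the random-name check is restricted to Run keys (O4), where a legitimate program almost always has a vendor-named path.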
Budfred
09-06-2006, 08:55 AM
Are you running Ewido in Safe Mode?? If not, do so... If you are, try running CCleaner first to clear out Temp folders....
http://www.ccleaner.com/downloadbuilds.asp
Opt out of the toolbar when installing CCleaner...
windigo
09-06-2006, 08:59 AM
Am back on my own computer again! I was running Ewido in safe mode (on both occasions). Have left my neighbour's computer scanning with F-Secure and will go back there in about an hour's time. I'll run CCleaner when I get back there. I haven't a clue what I'm doing, but thanks for everyone's help so far!! Will be back in about an hour!
windigo
09-06-2006, 12:59 PM
I ran CCleaner successfully.
Ewido has now been running in Safe Mode for the past 2 and a half hours - it seems to be "stuck" again on C:\WINDOWS\system.tmp
The Preview Results so far read as follows:
HIGH PRIORITY
Downloader.Agent.uj
Dialer.AsianRaw.bh
Downloader.Psyme.x
Downloader.Small.ag
Trojan.No.Close.i
Trojan.DNSChanger.ef
Downloader.Small.bg
MEDIUM PRIORITY
Adware.Generic
Adware.CoolWebSearch
Adware.BiSpy
TrackingCookie.Advertising
TrackingCookie.Hitbox
Adware.BarainBuddy
Adware.CashBack
Adware.InternetOptimizer
Adware.ISTBar
Adware.SiteFind
Adware.SaveNow
LOW PRIORITY
Not-A-Virus.Hoax.Win32.Aflact.a
Could you advise what I should do next please? I have left Ewido running. Many thanks.
Budfred
09-06-2006, 07:36 PM
Were you able to complete the F-Secure scan?? What were the results??
If you weren't, see if you can find and delete this file:
C:\WINDOWS\system.tmp
If you can't delete it, we can use another tool to get it... Check Properties and post what you find here... If you can't find it, let us know...
windigo
09-07-2006, 09:21 AM
F-Secure seized up, the same as Ewido. I've found the system.tmp file and have deleted it now. F-Secure is running again, it's been running for the past 4 hours but will hopefully soon be finished!?!
I guess it'd be better to work on my neighbour's computer in my own house as he works long hours? Only problem is I'm not sure how I'd connect up his internet - we're both on Wanadoo/Orange Broadband. I wouldn't have a clue how to network my computer with his though!
Once F-Secure has finished scanning I'll post the log here.
windigo
09-07-2006, 05:51 PM
I now have the computer at my house. F-Secure was running for 10 hours and still hadn't finished! I've now connected via broadband wireless.
Running Ewido now (in Safe Mode) .... it's been going for nearly 2.5 hours and I'm not sure if it's "stuck" on C:\WINDOWS\system.ini
So far it's showing 111 Infected Objects
197,597 Scanned Objects
Currently Scanning: File System
Pressing Ctrl +Alt +Del shows it's still running so hope it's doing what it's supposed to?
Budfred
09-07-2006, 07:53 PM
It is more likely it is stuck again and that the malware is blocking it... Try a couple of other choices to see if you can break the logjam...
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, see if you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
windigo
09-07-2006, 08:35 PM
I've run the express scan and no viruses were found. The next scan has been running for about 10 minutes and seems stuck on 246 checked files - would this be normal? The program is still running.
windigo
09-07-2006, 09:31 PM
Dr Web CureIt stopped running. I used ComboFix and it came up with the following message:
Error: The extended attributes are inconsistent.
Budfred
09-07-2006, 09:52 PM
This is not going well... We need to find out what is there to be able to fix it... Try a scan that it will hopefully not block:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.
classicsoftware
09-08-2006, 12:11 AM
Have you tried running these in safe mode?
windigo
09-08-2006, 02:10 PM
Here are the results of Silent Runners:
"Silent Runners.vbs", revision 47, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\ATI-CPanel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"dmkzh.exe" = "C:\WINDOWS\System32\dmkzh.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software, Karlsbad, Germany"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\System32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csqqk.exe" [null data]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
----------I WILL POST THE REMAINDER OF THE LOG IN THE NEXT MESSAGE---------
windigo
09-08-2006, 02:11 PM
-----CONTINUED -------
Default executables:
--------------------
HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
INFECTION WARNING! HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]
Group Policies [Description]:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"
Startup items in "Doug" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"AutoCAD Startup Accelerator" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart16.exe" [null data]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Wanadoo Connection Kit" -> shortcut to: "C:\wanadoo\wanadooconnectionkit\atdialler1.exe" ["Wanadoo"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"
-> {HKLM...CLSID} = "SearchToolbar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll" [null data]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"
-> {HKLM...CLSID} = "Related Page"
\InProcServer32\(Default) = "C:\WINDOWS\System32\WinNB57.dll" [file not found]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"
-> {HKLM...CLSID} = "SearchToolbar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8B68564D-53FD-4293-B80C-993A9F3988EE}" = "Wanadoo"
-> {HKLM...CLSID} = "Wanadoo"
\InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll" [empty string]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
InCD File System Service, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["AHEAD Software"]
Service de lancement de WlanCfg, Wlancfg, "C:\Program Files\Inventel\Gateway\wlancfg.exe SVC" ["Inventel"]
SmartLinkService, SLService, "slmdmsr.exe" [" "]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 507 seconds, including 9 seconds for message boxes)
-------------------------------------------------------------------------
Classicsoftware ... I did try running in Safe Mode but had the same results
Budfred
09-08-2006, 07:27 PM
You are going to need to delete some files... Find and delete:
C:\WINDOWS\System32\dmkzh.exe
C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll
C:\WINDOWS\System32\WinNB57.dll (This one may be gone...)
You will probably need to set Windows to show all hidden files/folders...
You will need to use Windows Search to find and delete this... Set it to look in hidden files/folders..
csqqk.exe
If you are comfortable editing the Registry, change the value for this to all "0" (zero)... So change the last number in dword... If you aren't comfortable, we will need to create a Regfix...
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
If you can't find the files or delete them, we can use other tools... Let us know how it is going and what you were able to do...
And I need to ask... Are you a Buffy Sainte Marie fan??
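For readers who, like windigo, would rather not edit the Registry by hand, the "Regfix" Budfred refers to can be a plain .reg file, written out here as an added example (it was not posted by anyone in the thread). Double-clicking it in Windows XP imports it with regedit and puts the NoBandCustomize value that Silent Runners flagged back to zero; the commented line above the key shows the hijacked value for comparison.

```reg
Windows Registry Editor Version 5.00

; Value as reported by Silent Runners (HIJACK WARNING), kept here only for reference:
; "NoBandCustomize"=dword:00000001   <- locks the View > Toolbars menu in Internet Explorer
; The line below overwrites it with zero, which is what Budfred asked for.
; (Writing "NoBandCustomize"=- instead would delete the value entirely, which also
; restores the default behaviour.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=dword:00000000
```

The file must be saved with the .reg extension and the first line exactly as shown, otherwise regedit refuses to import it; any other policy values in that key are left untouched because a .reg import only writes the values it lists.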
windigo
09-08-2006, 07:31 PM
I'll try to delete the files now. I'm not sure about editing the Registry!
You've typed "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]" - what do I do with this please? (Sorry, I'm a novice!!)
windigo
09-08-2006, 07:32 PM
PS: Yes!!!!!! you're the first person ever to know where I found my username! I was horrified when I was told many moons later that a windigo is a cannibal!! Oooerr!
Budfred
09-08-2006, 07:40 PM
PS: Yes!!!!!! you're the first person ever to know where I found my username! I was horrified when I was told many moons later that a windigo is a cannibal!! Oooerr!
I believe the legend is that he was starving and lost with his family and resorted to cannibalism to survive.... This was a common problem in the Northern Plains for the Ojibway and other Native Americans in the area, so taboos were very strong... The Windigo was transformed into a beast by his transgression and was doomed to prey on other humans... At least that is the version I have heard...
As for editing the Registry, I will need help with that one, I know how to do it, but not how to create the Regfix...
windigo
09-08-2006, 07:52 PM
I'm learning about computers AND Native American legends - thanks!
Am looking for those files using Windows Explorer in System 32 - all I have is the Windows "torch" searching on a blank screen! I'll maybe try going in on Safe Mode? Curiouser and curiouser!!
windigo
09-08-2006, 07:57 PM
I had to Ctrl Alt Del the Explorer window - looked at the CPU usage and noticed that something called soundman.exe was busy working away (also InCD). Would these be causing any problems do you think???
Budfred
09-08-2006, 08:41 PM
They shouldn't be, but it is possible for malware parasites to call their files anything, so it is possible... Try this for those files:
Download Killbox:
http://www.atribune.org/downloads/KillBox.exe
Then copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...
C:\WINDOWS\System32\dmkzh.exe
C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll
C:\WINDOWS\System32\WinNB57.dll
csqqk.exe
Post back on how it goes...
windigo
09-08-2006, 09:18 PM
I'm afraid it wouldn't allow me to paste all the file names in one go. When I pasted them individually, it came up with the message "PendingFileRenameOperations Registry Data has been Removed by External Process!"
Still can't "see" the contents of system32 - have set the folders on Windows to view all files etc.
Have to get some sleep soon as it's 2.20 am here in the UK. If you could post more instructions that'd be good!! I should be back online again tomorrow at 12.30 pm!
Thanks for all your help so far.
Budfred
09-08-2006, 09:24 PM
That message usually means that the file has already been deleted, but all except that one should be there since they showed up in Silent Runners... We can try a big gun...
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file and extract avenger.exe to your desktop.
2. Copy all the text in bold contained in the code box below to your Clipboard:
Files to delete:
C:\WINDOWS\System32\dmkzh.exe
C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll
C:\WINDOWS\System32\WinNB57.dll
csqqk.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script". Paste the text copied to the clipboard into this window and click Done. Now click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following: restart your computer (in cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice); on reboot, briefly open a black command window on your desktop, which is normal; after the restart, create a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of avenger.txt into your reply along with a fresh HJT log by using Add/Reply
windigo
09-08-2006, 10:25 PM
Couldn't sleep so am back again!
Have followed your instructions - the computer rebooted but has thrown up the following message!!
"cmd.exe - No Disk
There is no disk in the drive. Please insert a disk into drive \Device\Harddisk1\DR3"
Do I cancel as I haven't a clue what disc it's asking for!
I also had a virus alert from Ewido, "Trojan.Small.fb" - I clicked on "heal and quarantine" but can't see what happened to it!
windigo
09-08-2006, 10:35 PM
Have copied and pasted the message so far for you:
The system cannot find the file specified.
Could Not Find C:\avenger\*.reg
1 file(s) copied.
zip warning: C:/backup.zip not found or empty
adding: avenger/avenger.txt (188 bytes security) (deflated 74%)
adding: avenger/backup.reg (188 bytes security) (stored 0%)
adding: avenger/{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll (188 bytes security) (deflated 50%)
----------------------------------------
HJT Scan results
Logfile of HijackThis v1.99.1
Scan saved at 03:31, on 06-09-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [iesjyujt] C:\qoyvnpwm.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
Budfred
09-08-2006, 10:36 PM
I am not sure what that means and I would cancel if that is the only other choice you have... I only know of one infection that interferes with Avenger, so please run this:
Download Link:
http://info.prevx.com/download.asp?grab=GROMOZONREMTOOL
It prompts you to download and try the Prevx1 software after you clean the PC and you can just say no....
Budfred
09-08-2006, 10:39 PM
And use HJT to fix this:
O4 - HKLM\..\Run: [iesjyujt] C:\qoyvnpwm.bat
windigo
09-08-2006, 10:40 PM
Cor blimey! I wonder if you're as frustrated with this computer as I am!!
I cancelled and the following report was saved:
Logfile of HijackThis v1.99.1
Scan saved at 03:31, on 06-09-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [iesjyujt] C:\qoyvnpwm.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
Should I wait before running the other program??
Budfred
09-08-2006, 10:46 PM
Unfortunately, with the malware the way it is nowadays, this is not that unusual...
I would go ahead with that Prevx program... If my guess is correct, it may break this open... If not, you will have other scans to run... and I will need to ask the author of Avenger what happened....
windigo
09-08-2006, 10:47 PM
That file's gone now :-( The last HJT scan is:
Logfile of HijackThis v1.99.1
Scan saved at 03:41, on 06-09-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
windigo
09-09-2006, 08:31 AM
Prevx result:
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Trojan.Gromozon does not exist - your system is clean.
windigo
09-09-2006, 08:52 AM
I ran Avenger again - still kept asking for Disk 1, 3 and 5! I clicked continue and here is the result.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vntbqddx
*******************
Script file located at: \??\C:\Program Files\abewuvnc.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\System32\dmkzh.exe not found!
Deletion of file C:\WINDOWS\System32\dmkzh.exe failed!
Could not process line:
C:\WINDOWS\System32\dmkzh.exe
Status: 0xc0000034
File C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll not found!
Deletion of file C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll failed!
Could not process line:
C:\WINDOWS\System32\{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll
Status: 0xc0000034
File C:\WINDOWS\System32\WinNB57.dll not found!
Deletion of file C:\WINDOWS\System32\WinNB57.dll failed!
Could not process line:
C:\WINDOWS\System32\WinNB57.dll
Status: 0xc0000034
File csqqk.exe not found!
Deletion of file csqqk.exe failed!
Could not process line:
csqqk.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Budfred
09-09-2006, 01:45 PM
It is possible that those are just leftover Registry entries and the files are actually gone, since that is what Avenger says and the Prevx tool said that the rootkit isn't there... Maybe mjc will stop by and give you a Regfix to clean those up... :)
How is the system running?? If it seems okay, it probably is...
windigo
09-09-2006, 01:54 PM
Thanks Budfred - fingers crossed, eh?
I think everything's okay apart from when the computer starts up, Windows Installer tries to install something (4 times) unsuccessfully I think - maybe something that's not related to this virus. It is running a little more slowly than I'd like, but again, maybe not connected to the virus.
I'll take it that all's okay but will keep watching for replies. Thanks a million for all your help. :)
(You're lucky I didn't start waffling on about Neil Young - another hero of mine!! :D )
Wendy
Budfred
09-09-2006, 02:17 PM
I think everything's okay apart from when the computer starts up, Windows Installer tries to install something (4 times) unsuccessfully I think - maybe something that's not related to this virus. It is running a little more slowly than I'd like, but again, maybe not connected to the virus.
What is Windows trying to install?? That sounds suspicious...
windigo
09-09-2006, 02:35 PM
I don't know! Is there somewhere I can look when the computer starts up? I'm wondering whether my neighbour tried to install something in the past but it failed?
mjc
Right now I can't think of any 'autoclean' procedure that would work any better than what has been tried to get rid of the entries. So that would mean a manual search and removal of the registry to get the bits and pieces that are left.
Why the programs used didn't get them all is what I'm interested in...
I think, maybe you should try logging out (not restart) and at the login box, login as Administrator and give the antimalware programs another run...it could be that there are restrictions present that are preventing complete removal.
windigo
09-09-2006, 02:51 PM
Thanks mjc. Will do that now.
windigo
09-09-2006, 02:58 PM
Sorry - me again!! Have just started the computer and it's hung whilst trying to load AVG Virus Scanner! I'm thinking I should start it in Safe mode? log in as Administrator and then run the programs?
Budfred
09-09-2006, 03:12 PM
Yeah, go ahead with Safe Mode...
windigo
09-09-2006, 05:09 PM
Will post results of Ewido.
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 21:45:34 09/09/2006
+ Scan result:
C:\Program Files\BullsEye Network -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\2005_05_01.data.zip -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\2005_05_14.data.zip -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\2005_05_21.data.zip -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\2005_05_23.data.zip -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\Uninstall.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\ad.dat -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\bin -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\patch8027.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\BullsEye Network\ub.dat -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\Uninstall.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\ad.dat -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\bin -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\nls8036.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\patch8027.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\ub.dat -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Documents and Settings\DOUGIE\Local Settings\Temp\THI7D6E.tmp\twaintec.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\Program Files\CashBack -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\Uninstall.exe -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\ad.dat -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\bb_auto_wider.swf -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\bb_click_wider.swf -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\bb_welcome.html -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\bb_welcome1.swf -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\bin -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\blank.gif -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\icon.gif -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\logo.gif -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\patch8027.exe -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\template.html -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\template2.html -> Adware.CashBack : Cleaned with backup (quarantined).
C:\Program Files\CashBack\ub.dat -> Adware.CashBack : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{28B8A7F7-8168-4F57-B0D3-810B78F76B85}.exe -> Adware.Casino : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026202.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026204.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026214.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026216.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026220.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026223.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026226.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026227.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026228.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
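A long scan report like the one above is more useful sorted by where each hit lives than by what it is called. Detections under System Volume Information\_restore{...}\RP128 are copies that System Restore archived, so a later restore would put the adware straight back; a hit inside C:\avenger\backup-*.zip is the removal tool's own backup being picked up, not a new infection; HKLM\SOFTWARE\Classes entries are CLSID/ProgID leftovers to confirm against a fresh HijackThis O2/O3 list. As an added example that is not part of the original thread, this Python script parses ewido report lines (a subset copied from the report in this thread, including lines from its continuation), buckets them by location, counts hits per restore point, and turns the buckets into the follow-up steps they imply. The bucket names and the follow-up wording are this example's own assumptions.

```python
import re
from collections import Counter

# Lines copied from the ewido scan report posted in this thread (a representative subset).
SAMPLE_REPORT = r"""
ewido anti-spyware - Scan Report
---------------------------------------------------------
C:\Program Files\BullsEye Network -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\NaviSearch\nls8036.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Documents and Settings\DOUGIE\Local Settings\Temp\THI7D6E.tmp\twaintec.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{28B8A7F7-8168-4F57-B0D3-810B78F76B85}.exe -> Adware.Casino : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026202.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026204.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026176.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\avenger\backup-06-09-09-13.47.27.06.zip/avenger/{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
""".strip().splitlines()

ENTRY_RE = re.compile(r"^(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+)$")
RP_RE = re.compile(r"\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE)


def classify(path: str) -> str:
    """Where the detection lives; the location decides the clean-up step (assumed buckets)."""
    p = path.lower()
    if p.startswith(("hklm", "hkcu", "hkey_")):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # System Restore archived a copy of the malware
    if "\\avenger\\backup-" in p:
        return "tool_backup"        # the removal tool's own backup archive, expected
    if "\\local settings\\temp\\" in p:
        return "user_temp"
    if "\\windows\\" in p:
        return "windows_dir"
    if "\\program files\\" in p:
        return "program_files"
    return "other"


def parse(lines):
    """Yield (path, family, action) for every detection line; headers are skipped."""
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            yield m["path"], m["family"], m["action"]


def summarize(lines):
    by_family, by_category, restore_points = Counter(), Counter(), Counter()
    for path, family, _action in parse(lines):
        cat = classify(path)
        by_family[family] += 1
        by_category[cat] += 1
        if cat == "restore_point":
            m = RP_RE.search(path)
            restore_points[m[1] if m else "unknown"] += 1
    return {"by_family": dict(by_family), "by_category": dict(by_category),
            "restore_points": dict(restore_points)}


def follow_ups(summary):
    """Post-scan actions implied by where the hits were, not by their family names."""
    actions = []
    cats = summary["by_category"]
    if summary["restore_points"]:
        rps = ", ".join(f"{rp} ({n} hits)" for rp, n in sorted(summary["restore_points"].items()))
        actions.append(f"flush System Restore (disable, reboot, re-enable): infected restore points {rps}")
    if cats.get("registry"):
        actions.append("CLSID/ProgID remnants were removed: re-run HijackThis and confirm the O2/O3 lines are clean")
    if cats.get("tool_backup"):
        actions.append("the removal tool's own backup archive was quarantined: expected, not a reinfection")
    if cats.get("user_temp"):
        actions.append("hits in the user Temp folder: clear temporary files so the dropper cannot be re-run")
    return actions


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for cat, n in sorted(s["by_category"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {cat}")
    for action in follow_ups(s):
        print(" -", action)
```

On the full report the restore-point bucket dwarfs everything else, which is the practical lesson: the adware had been on the box long enough for System Restore to snapshot it repeatedly, and until those restore points are flushed the clean-up is only provisional.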
windigo
09-09-2006, 05:11 PM
Continued -----
---------------------------------------------------------
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026230.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026237.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026240.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026246.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026253.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026254.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026255.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026260.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026269.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026272.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026278.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026279.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026284.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026293.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026294.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026297.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026309.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026313.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026317.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026323.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026324.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026330.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026338.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026345.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026349.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026353.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026354.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026357.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026376.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026377.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026378.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026386.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026387.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026391.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026393.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026397.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026399.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026411.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026412.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026413.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026414.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026418.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026419.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026420.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026421.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026423.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026427.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026437.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026440.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Media-Codec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Media-Codec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\update -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\ISTbar -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Program Files\ISTbar\more.bmp -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Program Files\ISTbar\navnew.bmp -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Program Files\ISTbar\xml_adultbar.php -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Program Files\ISTsvc -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{5E100D1D-5044-42D9-BDBC-529F1CF25B2F}.exe -> Adware.Raze : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\MirarSetup.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026176.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\avenger\backup-06-09-09-13.47.27.06.zip/avenger/{74F1EF9C-A5C6-4C48-8795-0CBB39EA90BF}.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\Program Files\SideFind -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\SideFind\sfexd001 -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\SideFind\sidefind.dll -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\SideFind\update -> Adware.SideFind : Cleaned with backup (quarantined).
windigo
09-09-2006, 05:13 PM
Continued --------
C:\Documents and Settings\DOUGIE\Local Settings\Temp\mtree.exe -> Dialer.AsianRaw.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022469.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022481.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022495.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022509.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022525.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022539.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022554.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0023554.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0023572.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0024572.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0024587.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024678.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024694.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024709.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024728.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024732.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024744.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024748.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024752.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024836.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024840.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024854.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024866.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025866.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025881.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025891.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025969.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025972.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025977.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0025989.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026001.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026004.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026018.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026038.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026051.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026056.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026070.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026084.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026096.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026106.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026107.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026112.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026126.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026138.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026142.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026154.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026157.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026169.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026189.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026444.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026456.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026469.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026488.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP129\A0026500.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP129\A0026513.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP129\A0027513.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP129\A0027516.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
windigo
09-09-2006, 05:15 PM
Continued --------
[184] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[208] VM_00C10000 -> Downloader.Agent.uj : Error during cleaning.
[756] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning.
C:\Documents and Settings\DOUGIE\Local Settings\Temporary Internet Files\Content.IE5\WDE3G1YV\count[1].chm -> Downloader.Psyme.x : Cleaned with backup (quarantined).
C:\Documents and Settings\DOUGIE\Local Settings\Temporary Internet Files\Content.IE5\WDE3G1YV\mtrslib2[1].js -> Downloader.Small.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026212.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026335.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026365.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026368.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026424.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026428.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\desktop.html -> Not-A-Virus.Hoax.Win32.Aflac.a : Cleaned with backup (quarantined).
C:\Documents and Settings\PATRICIA\Cookies\patricia@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\PATRICIA\Cookies\patricia@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\PATRICIA\Cookies\patricia@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\PATRICIA\Cookies\patricia@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Doug\Cookies\doug@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022478.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022492.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022506.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022520.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022536.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022551.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0022562.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0023566.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0023586.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0024584.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP127\A0024599.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024690.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024705.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024722.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0024831.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026222.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026243.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026249.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026318.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026322.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026350.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026383.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026385.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026395.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026405.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026422.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\Documents and Settings\DOUGIE\Local Settings\Temporary Internet Files\Content.IE5\XC8FTPCD\exitpoplight1[1].htm -> Trojan.NoClose.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026205.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026206.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026209.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026215.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026218.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026229.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026234.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026236.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026244.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026250.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026261.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
windigo
09-09-2006, 05:18 PM
Continued -------
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026262.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026263.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026265.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026266.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026270.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026280.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026283.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026285.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026287.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026288.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026296.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026298.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026305.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026308.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026310.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026311.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026312.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026315.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026316.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026319.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026320.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026332.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026343.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026356.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026358.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026369.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026371.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026374.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026388.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026392.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026394.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026396.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026401.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026402.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026406.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026415.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026416.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026417.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026425.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026430.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026432.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026434.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026438.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026439.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026201.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026203.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026208.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026213.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026217.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026221.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026224.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026233.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026235.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026239.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026241.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026242.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026245.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026247.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026251.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026252.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026256.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026257.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026259.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026264.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026267.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
windigo
09-09-2006, 05:18 PM
Continued ---------
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026273.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026274.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026277.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026286.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026289.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026290.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026291.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026300.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026307.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026321.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026326.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026328.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026331.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026339.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026341.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026342.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026346.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026347.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026352.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026355.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026359.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026363.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026364.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026366.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026367.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026370.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026373.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026381.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026382.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026384.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026389.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026390.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026404.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026407.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026410.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026436.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026441.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
::Report end
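The report above is dominated by hits under System Volume Information, which is why the replies that follow tell the poster to purge System Restore: the restore points keep copies of files the scanner already removed elsewhere, and every scan finds them again. The script below is an added example, not part of the thread or of any of the tools used in it; it parses report lines in the "path -> threat : action" shape shown above (the first three sample lines are copied from the report, the two outside the restore store are constructed, with made-up paths) and separates restore-point copies from detections in live locations, also listing any line whose action was not a successful clean.

```python
import re
from collections import Counter

# Scanner report lines in the "path -> threat : action" format posted above.
# The first three are copied from the thread; the last two are constructed
# to show detections outside the System Restore store (paths are made up).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026291.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026300.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP128\A0026307.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\example_dropper.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temp\example.tmp -> Trojan.Dialer.xx : Error during cleaning.
::Report end
"""

# One detection per line: path, then " -> ", threat name, then " : ", action taken.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<threat>.+?) : (?P<action>.+)$")
# Files inside a System Restore point: ...\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE
)
# Action prefixes that mean the scanner actually dealt with the file.
OK_ACTIONS = ("Cleaned", "Deleted", "Moved", "Quarantined")


def parse_report(text):
    """Turn report text into a list of dicts; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "::Report end"
        rec = m.groupdict()
        rp = RESTORE_RE.search(rec["path"])
        rec["restore_point"] = rp.group("rp") if rp else None
        entries.append(rec)
    return entries


def summarize(entries):
    """Split detections into restore-point copies vs live files and list failed actions."""
    summary = {
        "total": len(entries),
        "in_restore_points": sum(1 for e in entries if e["restore_point"]),
        "by_threat": Counter(e["threat"] for e in entries),
        "restore_points": sorted({e["restore_point"] for e in entries if e["restore_point"]}),
        "failed": [e["path"] for e in entries if not e["action"].startswith(OK_ACTIONS)],
    }
    summary["live"] = summary["total"] - summary["in_restore_points"]
    return summary


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['total']} detections, {s['in_restore_points']} in restore points "
          f"(RP {', '.join(s['restore_points'])}), {s['live']} in live locations")
    for threat, n in s["by_threat"].most_common():
        print(f"  {n:3d}  {threat}")
    for path in s["failed"]:
        print("  NOT CLEANED:", path)
```

The "live" count is the number that matters for deciding whether the machine is still infected; the restore-point count only tells you how much of the noise the System Restore off/on cycle will remove.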
windigo
09-09-2006, 05:20 PM
Logfile of HijackThis v1.99.1
Scan saved at 21:49, on 06-09-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Doug\Desktop\HijackThis\HijackThis1991.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
------------------------------------------------
Hope this is looking better?!?!
Um...You need to clean out your System Restore folder. Most of that crap is sitting there in the restore folder. To do this, follow these instructions from Trendmicro...
http://www.trendmicro.com/en/security/advisories/win_me_clean.htm
There was a lot of junk in there.
Was this scan just in Safe Mode or Safe Mode with Admin login?
Budfred
09-09-2006, 05:40 PM
Hope this is looking better?!?!
Quite the opposite... All that stuff shouldn't be there... I am not surprised by the stuff in System Restore, but the rest should have been cleared out a long time ago... Do this... Stay off the internet as much as possible on this computer... Run ComboFix and DrWebCureIt in Safe Mode and go online long enough to run F-Secure again in Normal Mode... Post back the logs... I am concerned that something may be reinstalling the malware and that some has been hidden...
You may even want to talk to the neighbor about doing a complete wipe on this computer and starting over... I can't prove it, but I suspect a rootkit and it may never be safe to use this install again... It may also have already compromised the user's personal info, like account numbers and passwords...
Also, reset System Restore to clean out any other garbage in there... You will need to do that again later, but you can clean out some now to speed up the scans... Do that before the scans... To do that, go to System Properties, put a check in the Turn off System Restore box and click OK.... Then remove the check and click OK....
windigo
09-09-2006, 05:57 PM
Oh dear! Will get to work on that now and probably post back later tonight or tomorrow. I think my neighbour's computer came with XP installed on it and no disc, so not sure how I can do a reinstall.
*thump**thump**thump*
Why did I suspect that...OK, what make/model is it.
It probably has a restore partition, instead of the disks. Often a set of disks can be made from the partition.
windigo
09-09-2006, 06:24 PM
Oi Vay!! Hope I'm looking in the right place ....
AMD Athlon(tm) XP 2800+
2.08 GHz
512 MB of RAM
Windows XP
Home Edition
Version 2002
Serial Pack 1
Is that what you needed to know??
Close, but not quite everything...is it an HP, Dell, etc?
windigo
09-09-2006, 06:43 PM
Fujitsu Siemens Scaleo 600? would that make any sense? :confused: I'm just running ComboFix on the "other" computer!
Budfred
09-09-2006, 06:50 PM
It looks like that should have come with a restore disk... Did you check with your neighbor??
According to this (http://www.fujitsu-siemens.co.uk/rl/servicesupport/techsupport/consumer/MediaCenter/Scaleo%20600/Scaleo%20600.htm) page there should have been a restore CD included in the package.
So for right now, the wipe/restore option is out. He will either need to try to hunt it down or contact Fujitsu to see about how to get a replacement.
Back to my other question...was that scan in just Safe Mode or Safe Mode/Admin login?
windigo
09-09-2006, 06:54 PM
My neighbour is out with his wife for the night! I'll have to ask him tomorrow morning.
I went into Safe Mode and logged on as Admin for the scan.
Pleased to say that ComboFix has completed and there's a report sitting on the desktop.
Dr Web is now running fine (it didn't before!) and is finding all sorts of stuff! Can't do much else on that computer until it's finished.
Should I still do the F-Secure thing when Dr Web has finished??
Budfred
09-09-2006, 06:56 PM
Yes, please do the F-Secure, but make sure you are in the Admin account... I am still not convinced that there isn't a rootkit in this one...
windigo
09-09-2006, 06:58 PM
Ok, thanks.
Well, one thing for sure, we were hitting permissions problems, probably as a result of the malware.
It is also probably a bit early to say this, but...that machine NEEDS SP2 installed on it...after everything is cleaned up, of course.
When the scans are done, we need to see the results.
windigo
09-09-2006, 07:16 PM
The scan is about half way thru now - then I'll run F-Secure and post results back to you. Looks like another late night for me! I think my neighbour's just arrived home so will go and ask about the CD!
windigo
09-09-2006, 08:33 PM
Scanning has finished - still have F-Secure to run but not sure how to get in as Administrator! I can do this in Safe Mode not in normal.
windigo
09-09-2006, 08:50 PM
Tried Ctrl +Alt +Del twice, typed in Administrator but don't know the password (if one was set at all). I tried without typing a password in and it came up with something like "can't log in because of account restrictions".
I'll probably have to start again later this morning.
Budfred
09-09-2006, 09:06 PM
You can ask the neighbor for the password and he/she can change it after you clean the mess up... Of course, if you wipe the drive and start over, none of that is necessary... You can also try "Administrator" (without the quotes) as a password since that is often it...
If you are still up, you can post the logs that are done so we can get an idea of what is going on...
And if everything is as bad as we thought it was, then he needs to change the Admin password, anyway.
If he answers that he never set one, then I guess we can conclude, beyond a shadow of a doubt, that the machine was compromised...not just by viral/local malware but by a bot/person, too. One of the earmarks of a 'hacked' takeover is the changing of Admin passwords.
windigo
09-10-2006, 05:47 AM
Okay - have seen my neighbour and have the following discs:
Recovery Cd-ROM (XP HE-SP1) :) with instructions on the back too!
OS System Service Pack 2
managed2 Drivers & Utility CD
managed2 WinDVD 4.0 FSC CD
He's given the thumbs up to wipe the system so will wait further instructions from you! In the meantime will post the scan results (couldn't do F-Secure as didn't manage to get in as Administrator!)
windigo
09-10-2006, 05:49 AM
Administrator - 09/09/2006 23:38:11.50
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Doug\Desktop
Microsoft Windows XP [Version 5.1.2600]
((((((((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008/09/2006 ))))))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2013/12/2005 16:23 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2013/12/2005 16:23 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2013/08/2003 14:27 65280 -ra------ C:\WINDOWS\system32\drivers\Rtlnic51.sys
2012/12/2002 01:14 7424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2012/12/2002 01:14 5504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2012/12/2002 01:14 5248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2012/12/2002 01:14 45696 --a------ C:\WINDOWS\system32\drivers\stream.sys
2012/12/2002 01:14 4096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2012/12/2002 01:14 130304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2012/11/2005 19:02 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2012/08/2003 21:34 594432 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2012/06/2003 17:31 75904 -ra------ C:\WINDOWS\system32\drivers\viasraid.sys
2010/05/2005 21:02 15000 --a------ C:\WINDOWS\system32\drivers\winddx.sys
2009/03/2003 21:31 51024 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
2009/03/2003 21:31 21456 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2009/03/2003 21:31 16080 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\ATI-CPanel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
Completion time: 09/09/2006 23:41:51.14
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
windigo
09-10-2006, 05:51 AM
777.htm\Script.1;C:\777.htm;VBS.Psyme.243;;
777.htm;C:\;Archive contains infected objects;Moved.;
hol7342859.exe;C:\;Trojan.Dyfuca;Deleted.;
Silent Runners.vbs;C:\Documents and Settings\Doug\Desktop;Probably BATCH.Virus;Incurable.Moved.;
c[1].chm;C:\Documents and Settings\DOUGIE\Local Settings\Temporary Internet Files\Content.IE5\4LKV4B87;Trojan.MulDrop.2331;Incurable.Moved.;
index[1].chm;C:\Documents and Settings\DOUGIE\Local Settings\Temporary Internet Files\Content.IE5\4LKV4B87;VBS.Psyme;Incurable.Moved.;
Zanda.exe;C:\Norman\NVC\BIN;Probably BACKDOOR.Trojan;Incurable.Moved.;
123744.dlr;C:\Program Files\WebSiteViewer;Dialer.Tibs;Deleted.;
A0027563.exe;C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP130;Trojan.DnsChange;Deleted.;
A0027612.exe;C:\System Volume Information\_restore{A772102E-FAE6-411E-95B5-D7E8CFEEB26C}\RP130;Trojan.Dyfuca;Deleted.;
dmbct.exe;C:\WINDOWS\system32;Trojan.DnsChange;Deleted.;
windigo
09-10-2006, 05:57 AM
Sorry - my neighbour didn't know the Admin password. It was a case of buying the PC from a shop and them setting it up for him.
I hope we can wipe everything and start again and I'll set a password for him.
windigo
09-10-2006, 07:33 AM
Okay folks - I'm going to use the instructions from the XP disc and do a new install. I'm going away from home in 2 days time so think it's best I start now. Wish me luck!!
Wendy :eek:
Budfred
09-10-2006, 08:49 AM
Be sure to completely wipe the hard drive before the reinstall... This means removing and recreating partitions, shutting down after the wipe has been done to allow RAM to clear and I would even use a utility to do a multiple lower level wipe by writing random numbers to the disk before proceeding... I have a utility that does that easily, but if you don't, I believe Eraser may do it...
http://www.tolvanen.com/eraser/
After you wipe and power off for a while, the Restore disk should be able to walk you through the reinstall... There will probably be some useless dreck installed, so we can help clear that out when you get to that point...
classicsoftware
09-10-2006, 10:13 AM
Ditto what Budfred said. Download eraser and create a nuke disk. Boot with the disk and wipe the drive.
Shutdown for five minutes.
Boot with restore CD and start over again.
windigo
09-10-2006, 12:51 PM
Aaargh - I read your messages too late!
I went to C:Partition1 NTFS and chose the "quick" option (if that makes sense?) Hope I did right! I've just updated to SP2, downloaded Windows Defender and AVG. Downloaded for updates on Microsoft website too.
I'm still not sure how to change the Administrator's password (or how to get there properly!)
Will stay online on this computer now. Hope I haven't messed things up already!!
Wendy
windigo
09-10-2006, 01:01 PM
Logfile of HijackThis v1.99.1
Scan saved at 18:00:45, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Doug\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/wanadoohome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157897427140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157902322343
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
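The helpers in this thread read the two HijackThis logs by eye, looking at the same handful of things each time: IE proxy settings, BHOs with no name, startup shortcuts whose target resolves to "?", ActiveX downloads (O16), Winlogon Notify DLLs (O20) and services with no publisher string (O23). The script below is an added example, not from the thread or from HijackThis itself; it parses log lines in the v1.99 format shown above (the sample entries are copied from the two logs in this thread) and produces a review list. The output is a set of prompts to verify, not verdicts: on this machine the proxy entry points at the ISP's cache and the Winlogon Notify DLL is Microsoft's WGA component, but both are exactly the places a hijack would also show up, so they are worth a look every time.

```python
import re
from urllib.parse import urlparse

# HijackThis v1.99 entries copied from the two logs posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# O23: "Service: Display Name (ShortName) - Company - Path"; company may be empty.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) -\s*(?P<company>.*?)\s*- (?P<path>[A-Za-z]:\\.+)$")
# O16: "DPF: {CLSID} (Friendly name) - URL"
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# O2: "BHO: Name - {CLSID} - Path"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")


def parse_entries(text):
    """Return the log's entries as dicts with 'code' and 'body'; headers and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def review_entry(code, body):
    """Return a reason to look at this entry, or None if it needs no attention."""
    if code in ("R0", "R1") and " = " in body:
        key, value = body.split(" = ", 1)
        if key.endswith(",ProxyServer") and value.strip():
            return f"IE proxy is configured ({value.strip()}); confirm it belongs to the ISP or the user"
    elif code == "O2":
        m = BHO_RE.match(body)
        if m and m.group("name") == "(no name)":
            return f"BHO without a display name: identify {m.group('path')}"
    elif code == "O4":
        if body.startswith("Global Startup:") and body.rstrip().endswith("= ?"):
            return f"startup shortcut whose target could not be resolved: {body}"
    elif code == "O16":
        m = DPF_RE.match(body)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not host.endswith("microsoft.com"):
                return f"ActiveX control downloaded from {host} ({m.group('name')}); check it was installed on purpose"
    elif code == "O20":
        return f"Winlogon Notify DLL loads at every logon: {body}"
    elif code == "O23":
        m = SERVICE_RE.match(body)
        if m and not m.group("company").strip():
            return f"service with no publisher string: {m.group('path')}"
    return None


def triage(text):
    """Run review_entry over a whole log and collect the entries that need a look."""
    flagged = []
    for e in parse_entries(text):
        reason = review_entry(e["code"], e["body"])
        if reason:
            flagged.append({"code": e["code"], "body": e["body"], "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['code']:4s} {f['reason']}")
```

Run against the full first log it would also pull out the O23 SmartLinkService line and the unresolved hpoddt01.exe.lnk shortcut, both of which survived the reinstall and are benign here; the value of the script is that the same six checks get applied every time rather than whichever ones the reader happens to remember.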
Budfred
09-10-2006, 01:21 PM
It is probably fine the way you did it... If you want to be completely safe, start over and do it the way we proposed...
As for the Admin password, that is new each time you wipe and reinstall, so it will be whatever you set it to be, including nothing... It would be a good idea to set it to be something that your neighbor can easily recall, but that hackers are not likely to figure out... A good password looks something like this:
!wntb9PW)
Which says: I want benign password :)
That makes it fairly easy to remember, but difficult to crack...
The HJT log looks pretty good... You need to get a firewall on there ASAP... I suggest the free version of Kerio set to the simple mode.... It is lean and effective... Outpost or ZoneAlarm are other options...
http://www.sunbelt-software.com/Kerio.cfm
windigo
09-10-2006, 01:35 PM
Thanks for that Budfred! I like the password idea too. I'm afraid I'm limited for time at the moment but IF things start looking dodgy again I can come back to your instructions! Will get the Firewall downloaded now too.
I'm not sure what we'd have done without your help (and mjc and classicsoftware too) so THANK YOU!
I'm going to scan my own computer with the programs you've suggested too.
I wonder why on earth these people put the viruses etc on the internet?
Anyway, you've all been brilliant and thanks!
Wendy
Budfred
09-10-2006, 04:05 PM
I wonder why on earth these people put the viruses etc on the internet?
That is an easy one... money$$... They use this stuff to steal personal information and rip you off... They get money for advertising hits for all those popups that you hate and don't even look at... They use your computer to extort money from companies by hitting them with denial of service attacks if they don't pay up... They use your computer to distribute SPAM and get paid for each SPAM message that goes out, even if it is deleted by the recipient... They use a number of different ways to make themselves as wealthy as possible with as little work as possible and with no concern about the people they hurt and the destructive effect that their efforts have on the internet... It is all about $$money$$ :mad: :mad:
Anyway... This is my standard speech when things are cleaned up and the article here might help with protecting you and people you help...
Here is my prevention speech to help avoid future infection:
This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
http://forums.spywareinfo.com/index.php?showtopic=60955
classicsoftware
09-10-2006, 07:02 PM
I don't know how old you are, but if you remember Telephone exchanges, they make great passwords and they are not easy to crack.
My grandparents phone number was 548-6494 but the 548 stands for Livingston 8 so it becomes LI8-6494. Nobody will guess this and it won't be hard for you to remember.
windigo
09-11-2006, 03:27 AM
Classicsoftware - I'm probably old enough to know better :) but yes, I remember the good old days! I always remember an old boyfriend's car registration number from the late 60s so I reckon I'll go with that one!!
Budfred - I honestly hadn't realised how these hackers (whatever you want to call them) can invade your privacy - grrrrrrr! The article is great - so thanks for that!
The computer's running fine now and will be returned "next door" today, with FULL instructions. :)