
TrojanDownloader


#1
jasond
New Member, 7 posts
Hi -

I appear to have gotten win32.TrojanDownloader.agent.al. I have run TrojanHunter, Ad-aware, Spybot, MS AntiSpyware, CWShredder, AboutBuster, CleanUp, and our licensed version of Symantec Anti-Virus. (Based on reading this thread:
http://www.geekstogo...ode=linearplus)

MAS continues to give messages like this:
"Microsoft AntiSpyware has detected a Windows service trying to be added. A Windows service is a process or set of processes that adds functionality to Windows by providing support to other programs. Windows services can run without any user interaction and load when the computer starts prior to a user logging in.

Name: addqk.exe"

And this:

"Microsoft AntiSpyware has detected a program trying to add itself to your startup registry. Startup programs are loaded automatically when Windows boots up.

Name: netag.exe
Path: d:\windows\netag.exe

Advise: While this is not a known spyware threat, you might want to analyze this program before either allowing or blocking it."

I block everything I don't recognize.

Yet I still have problems. IE still seems to get hijacked / crashes (using Firefox now), and Windows Explorer only works in safe mode. In normal startup, WE gets an application error (The instruction at "0x00f6d065" referenced memory at "0x00000000". The memory could not be "written". Click on OK to terminate the program Click on CANCEL to debug the program)

Further, Windows Update does not function, and even automatic updates stalls. (Downloads are not being allowed???)

I also ran SFC -scannow, but that was before TrojanHunter, Cleanup, CWShredder, and AboutBuster.

Anyway, I have tried to follow the above thread before posting. Can someone help me?

The AboutBuster and HJT logs are below.
Thanks.
Jason

Scanned at: 12:30:48 PM on: 3/2/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
D:\WINDOWS\CDFACE32.INI:zsgoi
D:\WINDOWS\CommCOMP.LST:qswvi
D:\WINDOWS\dasetup.log:goxkx


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
D:\WINDOWS\CDFACE32.INI:zsgoi
D:\WINDOWS\CommCOMP.LST:qswvi
D:\WINDOWS\dasetup.log:goxkx


Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 10:14:50 AM on: 3/14/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
D:\WINDOWS\UNZIP.DLL:ssvpi


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
D:\WINDOWS\UNZIP.DLL:ssvpi


Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.99.1
Scan saved at 9:14:41 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft SQL Server\MSSQL$VSdotNET\Binn\sqlservr.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\system32\NPLSecure.exe
D:\Program Files\Iomega\AutoDisk\ADService.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\Mixer.exe
D:\WINDOWS\System32\dpmw32.exe
D:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\WINDOWS\system32\NWTRAY.EXE
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zappa/niakwa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://zappa/niakwa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = zappa:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.8.200.47;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {713BB4D3-0B7C-1D3D-8240-26C661FA80FC} - D:\WINDOWS\ipop32.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NDPS] D:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Iomega Startup Options] D:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] D:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] D:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "D:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [11.tmp] D:\DOCUME~1\jtd\LOCALS~1\Temp\11.tmp.exe 0 10001
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [Aats] D:\Documents and Settings\jtd\Application Data\wsaa.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = D:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = C:\Program Files\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098282422453
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C1531DE-E75B-475E-B2ED-15F52FD67BD6}: NameServer = 192.8.200.3,192.8.200.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2391FDF-7F2B-46F3-BB85-061A5F7555D7}: NameServer = 192.8.200.3,192.8.200.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C1531DE-E75B-475E-B2ED-15F52FD67BD6}: NameServer = 192.8.200.3,192.8.200.20
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NPLSecure - Niakwa, Inc. - D:\WINDOWS\system32\NPLSecure.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - D:\Program Files\Iomega\AutoDisk\ADService.exe
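An added triage helper, not part of the original thread, that scans HijackThis lines for the kinds of entries a log reader checks first in a log like the one above: autoruns launched from user-writable folders (Temp, Application Data), unnamed BHOs or BHOs loaded from the Windows directory root, and wildcard Trusted Zone entries. The heuristics are my own assumptions, not HijackThis rules; the sample lines are quoted from the poster's log.

```python
import re

# Lines quoted from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {713BB4D3-0B7C-1D3D-8240-26C661FA80FC} - D:\WINDOWS\ipop32.dll
O4 - HKLM\..\Run: [NDPS] D:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [11.tmp] D:\DOCUME~1\jtd\LOCALS~1\Temp\11.tmp.exe 0 10001
O4 - HKCU\..\Run: [Aats] D:\Documents and Settings\jtd\Application Data\wsaa.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
"""

# Assumed heuristics: locations a standard user can write to, and a
# binary sitting directly in the Windows root rather than System32.
USER_WRITABLE = re.compile(r"\\(Temp|Application Data)\\", re.I)
WINDIR_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.(dll|exe)$", re.I)

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")


def triage(line):
    """Return a short reason if the line matches an indicator, else None."""
    m = O4_RE.match(line)
    if m:
        if USER_WRITABLE.search(m.group("cmd")):
            return "autorun launched from a user-writable folder"
        if re.search(r"\.tmp$", m.group("name"), re.I):
            return "autorun named like a temp file"
        return None
    m = O2_RE.match(line)
    if m:
        if m.group("name") == "(no name)" or WINDIR_ROOT.match(m.group("path")):
            return "unnamed BHO or BHO loaded from the Windows root"
        return None
    m = O15_RE.match(line)
    if m and m.group("host").startswith("*."):
        return "wildcard Trusted Zone entry"
    return None


def triage_log(text):
    """Map each flagged log line to the reason it was flagged."""
    flagged = {}
    for line in text.splitlines():
        reason = triage(line.strip())
        if reason:
            flagged[line.strip()] = reason
    return flagged


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG).items():
        print(f"{reason}: {line}")
```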