
Bloodhound.exploit



#1 teleman (Member, 28 posts)
Hi Peeps

First of all, apologies for my rusty English - writing you from Spain. Got infected with a Bloodhound or something, cuz I couldn't see much more. The Norton antivirus disconnected itself and the system started to automatically send out e-mails until the computer blacks out. Any time I try to start it in normal mode the process begins again - it's a nightmare! That's why I'm writing to you from the laptop. Should I make a HijackThis log in safe mode and hand-copy it here?

Any help would be welcome, as all my work, in fact all my life, is inside that [bleep] :tazz: .

Long life to the geeks!
  • 0


#2 didom (Member 1K, 1,919 posts)
Create a directory on your hard drive to save HijackThis.exe, such as c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Do a system scan and save a logfile button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here, right-click in the message area and select Paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

Bleeping Computer offers a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers, Malware, & Spyware
  • 0

#3 teleman (Topic Starter, Member, 28 posts)
Hi didom

Thanks for your fast answer. But as I explained in my first entry I cannot start my comp in normal mode (as soon as it begins, emails go crazy and it blacks out), only in safe mode - and, I believe, that one gets no internet connection (fortunately I already got a HijackThis but I cannot update it :tazz: ). Should I make the HijackThis log in safe mode and somehow copy it here, on the laptop I'm writing you from?

Thanks again for your time
  • 0

#4 didom (Member 1K, 1,919 posts)
You'll have an internet connection in Safe Mode with Networking:

Reboot Your System in Safe Mode with Networking:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode with Networking menu item.
  • Press the Enter key.
Please open HijackThis and update it to the latest version!

Now please boot back to the "normal" Safe Mode, because in Safe Mode with Networking you're wide open to infection.

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Start HijackThis and perform a new scan and try to copy it in this thread somehow! :tazz:
  • 0

#5 teleman (Topic Starter, Member, 28 posts)
Hi Didom

Followed the steps, got the new HijackThis and hand-copied the log here. It took me a while but hopefully, with your help, it'll be worth the effort.

Awaiting new instructions.. :tazz: .
Your faithful dummy



Logfile of HijackThis v1.99.1
Scan saved at 17:22:34, on 21/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer Version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vinculos
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
O2 - BHO: BHO Class - {5321E378-FFAD-4999-8C62-3CA8155F0B3} - C:\WINDOWS\inet20091\3.02.00.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon3.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon3.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [Spyware remover] C:\WINDOWS\Remove_spyware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20091\services.exe
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ARCHIV~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Shell] "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows Update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20091\services.exe
O4 - Startup: BitTorrent.lnk = C:\Archivos de programa\BitTorrent\bittorrent.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Inicio rapido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Exportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito movil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226dff-747e-4edc-b30c-78752e50cd0c} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL = http://global.acer.com/
O16 - DPF: {03f998b2-0e00-11d3-a498-00104b6eb52e} (MetaStreamCtl Class) - https://components.viewpoint.com\MTSIn...unknown&unknown
O16 - DPF: {0585238b-9ca6-4ccb-a9b2-fe4ba495e880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957c19a-d854-482a-a4f9-18856c723d7d} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {0e8d0700-75df-11d3-8b4a-0008c7450c4a} (DjVuCtl Class) - http://www.lizardtec...ntrol_sp_SP.cab
O16 - DPF: {17492023-c23a-453e-a040-c7c580bbf700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://update.micros...b?1123506655906
O16 - DPF: {685bd16b-509f-4521-b4d3-e0cfb75ccc9b} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {f54c1137-5e34-4b95-95a5-ba56d4d8d743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7fd153a9-3d29-4458-97cd-2f625f38633c}: NameServer = 194.224.52.4,194.224.52.6
O18 - Protocol: msnim - {828030a1-22c1-4009-854f-8e305202313f} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
  • 0

#6 didom (Member 1K, 1,919 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Reboot Your System in Safe Mode with Networking:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode with Networking menu item.
  • Press the Enter key.
Download Killbox.
Save it to your desktop

Step #2

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Scan again with HijackThis and check the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe

O2 - BHO: BHO Class - {5321E378-FFAD-4999-8C62-3CA8155F0B3} - C:\WINDOWS\inet20091\3.02.00.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon3.dll (file missing)

O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon3.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [Spyware remover] C:\WINDOWS\Remove_spyware.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20091\services.exe
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKCU\..\Run: [Windows Update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20091\services.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #4

Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\inet20091\services.exe
C:\WINDOWS\inet20091\3.02.00.dll
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\Remove_spyware.exe
C:\WINDOWS\batserv2.exe
C:\WINDOWS\sysvx_.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\inet20091
C:\program files\tvs


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Now you will see this is pasted into the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines must all be there together if the files are
present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now (in Normal Mode!?).

Find and delete this folder:
C:\!Killbox <= this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.
  • 0
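
The entries didom singles out above share a few tell-tale traits: an empty start page, a win.ini run= autostart, BHO/toolbar lines whose file is already missing, a core system binary name (services.exe) running from outside System32, loose executables in the Windows root, and the same image registered under both HKLM and HKCU Run. The Python below is an added example, not from this thread and not part of HijackThis: it parses lines in the log format shown and turns those traits into a review list. The sample log is constructed from entries quoted in the thread plus two known-good autostarts, and the reason tags, SYSTEM_NAMES and WINDOWS_ROOTS are the example's own choices.

```python
# Added example (not from the thread): a small triage pass over HijackThis-style
# log lines that reproduces the kind of reasoning a helper applies when picking
# entries to "Fix checked". Heuristics only: output is a review list, not a verdict.
import re
from collections import defaultdict

# Constructed sample in the format HijackThis v1.99 writes, built from entries
# quoted in the thread plus two known-good autostarts (Java updater, QuickTime).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon3.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20091\services.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKCU\..\Run: [Windows Update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20091\services.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
"""

# "O4 - HKLM\..\Run: [name] command" is the shape of every autostart line.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Names of core Windows binaries; legitimate copies live in System32 only (example's list).
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}

REASONS = {
    "empty-start-page": "IE start page reset to an empty value (typical hijacker leftover)",
    "win.ini-run": "legacy win.ini run= autostart; almost never used by modern software",
    "file-missing": "orphaned BHO/toolbar entry whose file is already gone",
    "system-name-outside-system32": "core system binary name running from outside System32",
    "windows-root-exe": "loose executable autostarting straight from the Windows root",
    "hklm-and-hkcu": "same image registered under both HKLM and HKCU Run keys",
}


def image_path(cmd):
    """Extract the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ")[0]


def parse_line(line):
    """Split one log line into section code and body; decode O4 autostarts further."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"code": m.group("code"), "body": m.group("body")}
    if entry["code"] == "O4":
        o4 = O4_RE.match(entry["body"])
        if o4:
            entry["hive"] = o4.group("hive")
            entry["name"] = o4.group("name")
            entry["image"] = image_path(o4.group("cmd"))
    return entry


def triage(log_text):
    """Return (code, body, reason_tag) tuples for entries an analyst should review."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]

    # First pass: which hives register each O4 image? Malware often persists in both.
    hives_by_image = defaultdict(set)
    for e in entries:
        if e["code"] == "O4" and "image" in e:
            hives_by_image[e["image"].lower()].add(e["hive"])

    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "R0" and body.rstrip().endswith("="):
            findings.append((code, body, "empty-start-page"))
        elif code == "F3":
            findings.append((code, body, "win.ini-run"))
        elif code in ("O2", "O3") and "(file missing)" in body:
            findings.append((code, body, "file-missing"))
        elif code == "O4" and "image" in e:
            low = e["image"].lower()
            directory, _, filename = low.rpartition("\\")
            if filename in SYSTEM_NAMES and not directory.endswith("\\system32"):
                findings.append((code, body, "system-name-outside-system32"))
            if directory in WINDOWS_ROOTS:
                findings.append((code, body, "windows-root-exe"))
            if len(hives_by_image[low]) > 1:
                findings.append((code, body, "hklm-and-hkcu"))
    return findings


if __name__ == "__main__":
    for code, body, tag in triage(SAMPLE_LOG):
        print(f"[{tag}] {code} - {body}\n    {REASONS[tag]}")
```

Entries such as tvs_b.exe under Program Files, which didom also picked, are not caught by these rules; the list is a starting point for review, not a replacement for it.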

#7 teleman (Topic Starter, Member, 28 posts)
Hi Didom

I believe I followed the steps correctly but there was no luck. As soon as I tried to reboot into normal mode (after the Killbox operation; by the way, I hand-copied into Notepad the lines for deletion you gave me, then copied them and clicked in the File menu: paste clipboard as you told me, and all the lines were there except C:\WINDOWS\inet20091\3.02.00.dll, couldn't see it, have I done something wrong there?) the nightmare began again. The Norton icon appeared red-crossed, then the Norton box appeared checking the outgoing emails and the messages saying the emails weren't allowed flooded the screen - so I turned off the comp.

Two (dummy) questions
a) When starting in safe mode my comp asks me whether I want to start with "acer" (which is my user account) or "administrator". Till now I have operated in the acer account, should I do the remove operations in "administrator" (could that be the reason of my sad failure?)
b) As the problem seems related to the Norton antivirus and I haven't renewed the subscription (in fact I should have removed it a long time ago) wouldn't it be good to remove everything pertaining to the Norton thing? Would that work? Sorry for my complete ignorance :)

Is there anything more we can do? :tazz:
Your faithful dummy
  • 0

#8 didom (Member 1K, 1,919 posts)
Don't worry! We aren't done yet! :help:

When starting in safe mode my comp asks me whether I want to start with "acer" (which is my user account) or "administrator". Till now I have operated in the acer account, should I do the remove operations in "administrator" (could that be the reason of my sad failure?)

No, "acer" is just fine! :)

b) As the problem seems related to the Norton antivirus and I haven't renewed the subscription (in fact I should have removed it a long time ago) wouldn't it be good to remove everything pertaining to the Norton thing? Would that work? Sorry for my complete ignorance

I don't like the Norton thing myself, so I would recommend uninstalling it :blink:
It won't solve the problems, but it will probably make your computer much faster.

If you decide to uninstall it, do it this way:
Please click: Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:
Norton/Symantec

You need to download another (free) antivirus scanner. I suggest AVG - it's free! :whistling:

AVG Anti-Virus (Free version available) http://www.grisoft.com/

Choose one, install it, and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

and all the lines were there except C:\WINDOWS\inet20091\3.02.00.dll, couldn't see it, have I done something wrong there?

No, HijackThis deleted that file already! :)

So you can boot into normal mode (with some troubles though..) ? A HijackThis log from normal mode would be handy!

My advice is to pull out your internet connection cable (so the computer can't send any emails) and make a HijackThis log in normal mode. Then transport it to another computer (your laptop?) and copy it here please!

Edited by didom, 23 March 2006 - 09:30 AM.

  • 0

#9 teleman (Topic Starter, Member, 28 posts)
Hi Didom

Tried to download the AVG antivirus but it says it won't install in safe mode (should I save it in safe mode and install in normal mode, now that I know I can work in that mode thanks to the "take out the internet cable" tip?)

Then I tried to uninstall the Norton but it won't do either - nothing happens after I click the uninstall button.

Fortunately removing the internet cable did work and I was able to make a HijackThis log in normal mode. Copied it to a disk and here it is.

Your faithful dummy


Logfile of HijackThis v1.99.1
Scan saved at 17:03:49, on 23/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
C:\WINDOWS\htpatch.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\WINDOWS\kdx\KHost.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
C:\ARCHIV~1\MICROS~3\wcescomm.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\ARCHIV~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ARCHIV~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Shell] "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: BitTorrent.lnk = C:\Archivos de programa\BitTorrent\bittorrent.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...unknown
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_sp_SP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123506655906
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
  • 0

#10 didom (Member 1K, 1,919 posts)

Tried to download the AVG antivirus but it says it won't install in safe mode (should I save it in safe mode and install in normal mode, now that I know I can work in that mode thanks to the "take out the internet cable" tip?)

Yes, please install it in normal mode. Then update the program. Boot back into Safe Mode and run a full scan. Let it quarantine/delete anything it finds.

Then boot back into normal mode.

Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

Please download ewido anti-malware it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot into normal mode.

Then, please run this online virus scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log and the Ewido log in your next reply.
  • 0


#11 teleman (Topic Starter, Member, 28 posts)
Hi Didom

Did the AVG antivirus scan in safe mode but it wasn't able to reboot normally. It gave me a blue screen with an error - so I don't know whether the AVG removed everything. After that I wasn't able to restart it in safe mode, as any time I tried it gave me the same blue screen. So I did the ewido thing in normal mode and then the Panda scan.

Here are my logs & reports:


Logfile of HijackThis v1.99.1
Scan saved at 22:31:01, on 23/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\htpatch.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\kdx\KHost.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
C:\ARCHIV~1\MICROS~3\wcescomm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\rundll32.exe
C:\ARCHIV~1\MICROS~3\rapimgr.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ARCHIV~1\MICROS~3\wcescomm.exe"
O4 - Startup: BitTorrent.lnk = C:\Archivos de programa\BitTorrent\bittorrent.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...unknown
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_sp_SP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123506655906
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

---------------------------------------------------------
ewido anti-malware - Report de exploración
---------------------------------------------------------

+ Creado en: 21:53:17, 23/03/2006
+ Report-Checksum: 22E4B8CE

+ Scan result:

C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0124598.exe/whAgent.exe -> Adware.WebHancer : Limpio con backup
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128102.dll -> Downloader.CashDeluxe.c : Limpio con backup
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128103.exe -> Logger.Agent.ew : Limpio con backup
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128104.dll -> Logger.Goldun.ik : Limpio con backup
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128105.exe -> Logger.Goldun.ik : Limpio con backup
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128106.dll -> Adware.Ihbo : Limpio con backup
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128107.exe -> Proxy.Small.ec : Limpio con backup


::Fin Report


Incident Status Location

Adware:adware/adsmart Not disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/shoppingcommunity Not disinfected C:\WINDOWS\SYSTEM32\moconfig.exe
Spyware:spyware/bridge Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
Adware:adware/secure32 Not disinfected C:\secure32.html
Adware:adware/deskwizz Not disinfected C:\DR140306.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\teller2.chk
Adware:adware/maxifiles Not disinfected C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\InetGet
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\1024
Adware:adware/cws.yexe Not disinfected C:\WINDOWS\SYSTEM32\services
Potentially unwanted tool:application/mywebsearch Not disinfected C:\ARCHIVOS DE PROGRAMA\MyGlobalSearch
Adware:adware/delfinmedia Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DATOS DE PROGRAMA\vidctrl
Adware:adware/toprebates Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/azesearch Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM
Adware:adware/ist.sidefind Not disinfected Windows Registry
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[.go.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[.versiontracker.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[fe.lea.lycos.es/]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[rightmedia.net/]
Virus:Trj/Downloader.ICX Disinfected C:\WINDOWS\system32\vxgame4.exe
Virus:W32/Locksky.CC.worm Disinfected C:\WINDOWS\system32\sysvx.exe
Virus:Trj/Downloader.ICX Disinfected C:\WINDOWS\system32\sysc.exe
Adware:Adware/ShoppingCommunity Not disinfected C:\WINDOWS\system32\moconfig.exe
Hacktool:Rootkit/vxvgfv Not disinfected C:\WINDOWS\system32\vxvgfv.sys
Virus:Trj/Downloader.ICP Disinfected C:\WINDOWS\system32\services\explorer.exe
Dialer:Dialer.CN Not disinfected C:\WINDOWS\Downloaded Program Files\SysWebTelecom.inf
Potentially unwanted tool:Application/PsKill.J Not disinfected C:\WINDOWS\inet20091\killer.exe.bak
Potentially unwanted tool:Application/PsKill.J Not disinfected C:\WINDOWS\inet20091\killer.exe
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt[]
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WinFrgn.exe
Adware:Adware/CWS.Aboutblank Not disinfected C:\nikoxxsp.chm
Virus:VBS/Psyme.X Not disinfected C:\nikoxxsp.chm[1.htm]
Adware:Adware/CWS.Aboutblank Not disinfected C:\nikoxxsp.chm[on-line.exe]
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\TVSv2.dll
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\tvs_clean.exe
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\tvs_re_inst.exe
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\tvs\tvs_ln.exe
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry1.dll
Adware:Adware/SpySheriff Not disinfected C:\Program Files\BraveSentry\BraveSentry2.dll
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry3.dll
Adware:Adware/Deskwizz Not disinfected C:\DR140306.exe

#12 didom
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WinFrgn.exe
C:\nikoxxsp.chm
C:\DR140306.exe
C:\secure32.html
C:\WINDOWS\uniq
C:\WINDOWS\teller2.chk
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\SYSTEM32\ot.ico
C:\Program Files\tvs\TVSv2.dll
C:\WINDOWS\system32\vxvgfv.sys
C:\WINDOWS\system32\vxgame4.exe
C:\WINDOWS\inet20091\killer.exe
C:\Program Files\tvs\tvs_ln.exe
C:\WINDOWS\system32\moconfig.exe
C:\WINDOWS\SYSTEM32\moconfig.exe
C:\Program Files\tvs\tvs_clean.exe
C:\WINDOWS\inet20091\killer.exe.bak
C:\Program Files\tvs\tvs_re_inst.exe
C:\WINDOWS\system32\services\explorer.exe
C:\Program Files\BraveSentry\BraveSentry1.dll
C:\Program Files\BraveSentry\BraveSentry2.dll
C:\Program Files\BraveSentry\BraveSentry3.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
C:\WINDOWS\Downloaded Program Files\SysWebTelecom.inf
C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt

Folders to delete:
C:\Program Files\tvs
C:\WINDOWS\inet20091
C:\WINDOWS\SYSTEM32\1024
C:\WINDOWS\SYSTEM32\services
C:\Program Files\BraveSentry
C:\ARCHIVOS DE PROGRAMA\MyGlobalSearch
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\InetGet
C:\DOCUMENTS AND SETTINGS\ALL USERS\DATOS DE PROGRAMA\vidctrl

Registry keys to delete:
HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM

Programs to launch on reboot:
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
6. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log and the Panda Online Scan log by using Add/Reply

#13 teleman (Topic Starter)
Hi Didom

Things getting better here :whistling:. Got a small problem with The Avenger though - one of the lines was missing (you'll see in the report). Then I ran HijackThis and the Panda ActiveScan. Here are the reports:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jnqqjfee

*******************

Script file located at: \??\C:\Program Files\dqkekujb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WinFrgn.exe deleted successfully.
File C:\nikoxxsp.chm deleted successfully.
File C:\DR140306.exe deleted successfully.
File C:\secure32.html deleted successfully.
File C:\WINDOWS\uniq deleted successfully.
File C:\WINDOWS\teller2.chk deleted successfully.
File C:\WINDOWS\SYSTEM32\vx.tll deleted successfully.
File C:\WINDOWS\SYSTEM32\ot.ico deleted successfully.
File C:\Program Files\tvs\TVSv2.dll deleted successfully.
File C:\WINDOWS\system32\vxvgfv.sys deleted successfully.


File C:\WINDOWS\system32\vxgame4.exe not found!
Deletion of file C:\WINDOWS\system32\vxgame4.exe failed!

Could not process line:
C:\WINDOWS\system32\vxgame4.exe
Status: 0xc0000034

File C:\WINDOWS\inet20091\killer.exe deleted successfully.
File C:\Program Files\tvs\tvs_ln.exe deleted successfully.
File C:\WINDOWS\system32\moconfig.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\moconfig.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\moconfig.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\moconfig.exe
Status: 0xc0000034

File C:\Program Files\tvs\tvs_clean.exe deleted successfully.
File C:\WINDOWS\inet20091\killer.exe.bak deleted successfully.
File C:\Program Files\tvs\tvs_re_inst.exe deleted successfully.


File C:\WINDOWS\system32\services\explorer.exe not found!
Deletion of file C:\WINDOWS\system32\services\explorer.exe failed!

Could not process line:
C:\WINDOWS\system32\services\explorer.exe
Status: 0xc0000034

File C:\Program Files\BraveSentry\BraveSentry1.dll deleted successfully.
File C:\Program Files\BraveSentry\BraveSentry2.dll deleted successfully.
File C:\Program Files\BraveSentry\BraveSentry3.dll deleted successfully.
File C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf deleted successfully.
File C:\WINDOWS\Downloaded Program Files\SysWebTelecom.inf deleted successfully.
File C:\Documents and Settings\Acer\Datos de programa\Mozilla\Firefox\Profiles\2v5chdcp.default\cookies.txt deleted successfully.
Folder C:\Program Files\tvs deleted successfully.
Folder C:\WINDOWS\inet20091 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\1024 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\services deleted successfully.
Folder C:\Program Files\BraveSentry deleted successfully.
Folder C:\ARCHIVOS DE PROGRAMA\MyGlobalSearch deleted successfully.
Folder C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\InetGet deleted successfully.
Folder C:\DOCUMENTS AND SETTINGS\ALL USERS\DATOS DE PROGRAMA\vidctrl deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM deleted successfully.
Program C:\Documents and Settings\Acer\Escritorio\HijackThis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 00:33:40, on 24/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jqnmnbvl] C:\fhhuiggu.bat
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ARCHIV~1\MICROS~3\wcescomm.exe"
O4 - Startup: BitTorrent.lnk = C:\Archivos de programa\BitTorrent\bittorrent.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...unknown
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_sp_SP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123506655906
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Acer\Favoritos\Antivirus Test Online.url
Adware:adware/secure32 Not disinfected C:\WINDOWS\secure32.html
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\newname.dat
Adware:adware/cws.yexe Not disinfected C:\WINDOWS\inet20004
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\MYGLOBALSEARCHBAR.SETTINGSPLUGIN
Adware:adware/toprebates Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/azesearch Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected HKEY_CLASSES_ROOT\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}
Adware:Adware/ConsumerAlertSystem Not disinfected C:\avenger\backup.zip[WinFrgn.exe]
Adware:Adware/CWS.Aboutblank Not disinfected C:\avenger\backup.zip[nikoxxsp.chm]
Virus:VBS/Psyme.X Not disinfected C:\avenger\backup.zip[1.htm]
Adware:Adware/CWS.Aboutblank Not disinfected C:\avenger\backup.zip[on-line.exe]
Adware:Adware/Deskwizz Not disinfected C:\avenger\backup.zip[DR140306.exe]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup.zip[TVSv2.dll]
Hacktool:Rootkit/vxvgfv Not disinfected C:\avenger\backup.zip[vxvgfv.sys]
Potentially unwanted tool:Application/PsKill.J Not disinfected C:\avenger\backup.zip[killer.exe]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup.zip[tvs_ln.exe]
Adware:Adware/ShoppingCommunity Not disinfected C:\avenger\backup.zip[moconfig.exe]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup.zip[tvs_clean.exe]
Potentially unwanted tool:Application/PsKill.J Not disinfected C:\avenger\backup.zip[killer.exe.bak]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup.zip[tvs_re_inst.exe]
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\avenger\backup.zip[BraveSentry1.dll]
Adware:Adware/SpySheriff Not disinfected C:\avenger\backup.zip[BraveSentry2.dll]
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\avenger\backup.zip[BraveSentry3.dll]
Dialer:Dialer.CN Not disinfected C:\avenger\backup.zip[SysWebTelecom.inf]
Spyware:Cookie/bravenetA Not disinfected C:\avenger\backup.zip[]

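The helper in this thread compares the HijackThis log in post #13 with the one in post #11 by eye to see what the fix changed. As an added example, not part of the thread and not code from HijackThis, here is a small Python parser that splits a log into header, running processes and section entries, diffs two logs, and lists entries that HijackThis itself marks "(file missing)" (the O20 line fixed in step #1 is one of those). The sample logs are constructed excerpts of the two logs posted above, trimmed to a few lines each; run over them, the diff surfaces the O4 Run entry [jqnmnbvl] that is present only in the later log, which is exactly the kind of change a helper reviews before the next round.

```python
import re

# One HijackThis entry: a section code (R0, O4, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^([RFODN]\d{1,2}) - (.*)$")


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Logfile of HijackThis"):
            header["version"] = line.rsplit(" v", 1)[1]
        elif line.startswith("Scan saved at "):
            header["scan_time"] = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            header["platform"] = line[len("Platform: "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            match = ENTRY_RE.match(line)
            if match:
                entries.append((match.group(1), match.group(2)))
    return {"header": header, "processes": processes, "entries": entries}


def diff_logs(old_text, new_text):
    """Entries and processes that appear in only one of the two logs.

    Entry order is preserved so the output reads like the log; process paths
    are compared case-insensitively because Windows paths are."""
    old, new = parse_hjt_log(old_text), parse_hjt_log(new_text)
    old_entries, new_entries = set(old["entries"]), set(new["entries"])
    old_procs = {p.lower() for p in old["processes"]}
    new_procs = {p.lower() for p in new["processes"]}
    return {
        "added_entries": [e for e in new["entries"] if e not in old_entries],
        "removed_entries": [e for e in old["entries"] if e not in new_entries],
        "added_processes": sorted(new_procs - old_procs),
        "removed_processes": sorted(old_procs - new_procs),
    }


def stale_entries(text):
    """Entries whose target HijackThis itself marks as '(file missing)'.

    They still reference something at logon or service start, so they are
    worth reviewing even though nothing is on disk to load."""
    return [e for e in parse_hjt_log(text)["entries"] if "(file missing)" in e[1]]


# Constructed excerpts of the two logs in the thread (a few lines each, not the
# full logs), used as sample input for the functions above.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:31:01, on 23/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 00:33:40, on 24/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jqnmnbvl] C:\fhhuiggu.bat
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    for key, value in diff_logs(OLD_LOG, NEW_LOG).items():
        print(key, value)
    print("stale:", stale_entries(NEW_LOG))
```

The diff keys entries on the full (section, body) pair, so a changed path under the same section code shows up as one removed and one added entry rather than being silently matched.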
#14 didom
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\newname.dat
C:\WINDOWS\inet20004
C:\WINDOWS\secure32.html
C:\Documents and Settings\Acer\Favoritos\Antivirus Test Online.url

Folders to delete:
C:\WINDOWS\inet20004

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Classes\MYGLOBALSEARCHBAR.SETTINGSPLUGIN
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}

Programs to launch on reboot:
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log and the online scan logs by using Add/Reply
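An added example, not code from this thread or from The Avenger: a pre-flight checker for the Avenger script format above, which catches the mistake the next post's log reports, a directory listed under "Files to delete:". The directory lookup is passed in as a callable, so the block runs offline against a constructed stand-in for os.path.isdir.

```python
"""Pre-flight checker for an Avenger script: an added example, not part of this thread.
A directory listed under "Files to delete:" fails ("is a folder, not a file", status
0xc00000ba), as the next post's log shows; this finds and fixes such entries."""
from collections import OrderedDict

# The script from post #14, used as sample input.
SAMPLE_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\newname.dat
C:\\WINDOWS\\inet20004
C:\\WINDOWS\\secure32.html
C:\\Documents and Settings\\Acer\\Favoritos\\Antivirus Test Online.url

Folders to delete:
C:\\WINDOWS\\inet20004

Registry keys to delete:
HKEY_LOCAL_MACHINE\\Software\\Classes\\MYGLOBALSEARCHBAR.SETTINGSPLUGIN
HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface\\{CE9B37EC-D243-47A2-83DB-3A8350175193}

Programs to launch on reboot:
C:\\Documents and Settings\\Acer\\Escritorio\\HijackThis.exe
"""

# Constructed stand-in for os.path.isdir: the path the Avenger log reported as a folder.
KNOWN_DIRS = {"c:\\windows\\inet20004"}


def sample_is_dir(path):
    return path.lower() in KNOWN_DIRS


def parse_avenger_script(text):
    """Map each section header (e.g. "Files to delete") to its list of entries."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "\\" not in line:  # a header, not a path
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def check_script(sections, is_dir):
    """Return (severity, message) findings; is_dir(path) -> bool is injected."""
    findings, seen = [], {}
    for path in sections.get("Files to delete", []):
        if is_dir(path):
            findings.append(("error", f"{path} is a folder, not a file; list it under 'Folders to delete'"))
    for name, entries in sections.items():
        for entry in entries:
            key = entry.lower()  # Windows paths are case-insensitive
            if key in seen:
                findings.append(("warning", f"{entry} is listed twice ('{seen[key]}' and '{name}')"))
            else:
                seen[key] = name
    return findings


def fix_script(sections, is_dir):
    """Move misfiled directories to 'Folders to delete' and drop duplicate entries."""
    fixed = OrderedDict((name, []) for name in sections)
    fixed.setdefault("Folders to delete", [])
    for name, entries in sections.items():
        for entry in entries:
            target = "Folders to delete" if name == "Files to delete" and is_dir(entry) else name
            if entry.lower() not in (e.lower() for e in fixed[target]):
                fixed[target].append(entry)
    return fixed


def render_script(sections):
    """Serialise sections back into Avenger's text format."""
    return "\n\n".join(f"{name}:\n" + "\n".join(v) for name, v in sections.items() if v) + "\n"
```

Running the corrected output through check_script again returns no findings, which is the state a helper wants before handing a script to a user.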

#15 teleman (Topic Starter, Member, 28 posts)
Hi Didom,

Here are the reports.

your faithful dummy

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lovtjepj

*******************

Script file located at: \??\C:\WINDOWS\System32\fvkgvhcn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\newname.dat deleted successfully.


Error: C:\WINDOWS\inet20004 is a folder, not a file!
Deletion of file C:\WINDOWS\inet20004 failed!

Could not process line:
C:\WINDOWS\inet20004
Status: 0xc00000ba

File C:\WINDOWS\secure32.html deleted successfully.
File C:\Documents and Settings\Acer\Favoritos\Antivirus Test Online.url deleted successfully.
Folder C:\WINDOWS\inet20004 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\MYGLOBALSEARCHBAR.SETTINGSPLUGIN deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193} deleted successfully.
Program C:\Documents and Settings\Acer\Escritorio\HijackThis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 01:15:23, on 27/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [lbnporec] C:\jofjfiqv.bat
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ARCHIV~1\MICROS~3\wcescomm.exe"
O4 - Startup: BitTorrent.lnk = C:\Archivos de programa\BitTorrent\bittorrent.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...unknown
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_sp_SP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123506655906
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 27, 2006 3:43:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/03/2006
Kaspersky Anti-Virus database records: 184115
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 65241
Number of viruses found: 20
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 00:59:31

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\comdlg64.dll Infected: Rootkit.Win32.Agent.bk skipped
C:\WINDOWS\system32\winsrv32.exe Infected: Trojan-Downloader.Win32.VB.zi skipped
C:\WINDOWS\system32\acciesX2.sys Infected: Trojan-Spy.Win32.Goldun.ik skipped
C:\WINDOWS\system32\winbl32.dll Infected: not-virus:Hoax.Win32.VB.l skipped
C:\WINDOWS\tmp.000 Infected: not-a-virus:AdWare.Win32.CashDeluxe.g skipped
C:\WINDOWS\yod.htm Infected: not-virus:Hoax.Win32.VB.k skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123577.DLL Infected: Rootkit.Win32.Agent.bk skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123578.exe Infected: Email-Worm.Win32.Locksky.aj skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123586.exe Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123587.exe Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123597.exe Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123606.sys Infected: Backdoor.Win32.Haxdoor.hf skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0123607.sys Infected: Backdoor.Win32.Haxdoor.hf skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0124597.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0124770.dll Infected: Rootkit.Win32.Agent.bk skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0124771.exe Infected: Email-Worm.Win32.Locksky.aj skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0124775.exe Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0124777.exe Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1125\A0125787.EXE Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127827.exe Infected: Trojan-Downloader.Win32.Zlob.v skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127828.dll Infected: Virus.Win32.Nsag.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127829.dll Infected: Virus.Win32.Nsag.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127830.dll Infected: Virus.Win32.Nsag.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127831.dll Infected: Virus.Win32.Nsag.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127832.dll Infected: Virus.Win32.Nsag.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1127\A0127833.dll Infected: Virus.Win32.Nsag.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128109.exe Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128149.exe Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128150.exe Infected: Email-Worm.Win32.Locksky.aj skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128151.exe Infected: Trojan-Downloader.Win32.agq skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128232.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128232.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128233.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128233.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128235.dll Infected: not-a-virus:AdWare.MSIL.Broadcap.a skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128236.sys Infected: Trojan-Spy.Win32.Goldun.il skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128237.exe Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\System Volume Information\_restore{53054E0F-2578-4B91-B357-FF77C9941D95}\RP1128\A0128248.dll Infected: not-a-virus:AdWare.Win32.Broadcap.d skipped
C:\avenger\backup.zip/avenger/secure32.html Infected: Trojan.Win32.Harnig.a skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/WinFrgn.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/WinFrgn.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/nikoxxsp.chm/1.htm Infected: Exploit.HTML.CodeBaseExec skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/nikoxxsp.chm/on-line.exe Infected: Trojan.Win32.Small.bb skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/nikoxxsp.chm Infected: Trojan.Win32.Small.bb skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/DR140306.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/DR140306.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/secure32.html Infected: Trojan.Win32.Harnig.a skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/TVSv2.dll Infected: not-a-virus:AdWare.MSIL.Broadcap.a skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/vxvgfv.sys Infected: Trojan-Spy.Win32.Goldun.il skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/killer.exe Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/killer.exe.bak Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip/avenger/tvs/BPCv2.Plugins.dll Infected: not-a-virus:AdWare.Win32.Broadcap.d skipped
C:\avenger\backup-27.03.2006- 1.06.24,95.zip ZIP: infected - 13 skipped

Scan process completed.


Incident Status Location

Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard31.dat
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\MYGLOBALSEARCHBAR.SETTINGSPLUGIN.1
Adware:adware/toprebates Not disinfected Windows Registry
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Acer\Cookies\acer@mediaplex[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Acer\Cookies\acer@xmts[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Acer\Cookies\acer@fortunecity[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Acer\Cookies\acer@rn11[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Acer\Cookies\acer@tradedoubler[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][2].txt
Spyware:Cookie/Adverserve Not disinfected C:\Documents and Settings\Acer\Cookies\acer@adverserve[1].txt
Spyware:Cookie/ademails Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Acer\Cookies\acer@adtech[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][3].txt
Hacktool:Rootkit/Hxdef.T Not disinfected C:\WINDOWS\system32\acciesX2.sys
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Acer\Cookies\acer@mediaplex[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Acer\Cookies\acer@xmts[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Acer\Cookies\acer@fortunecity[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Acer\Cookies\acer@rn11[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Acer\Cookies\acer@tradedoubler[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][2].txt
Spyware:Cookie/Adverserve Not disinfected C:\Documents and Settings\Acer\Cookies\acer@adverserve[1].txt
Spyware:Cookie/ademails Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Acer\Cookies\acer@adtech[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Acer\Cookies\[email protected][3].txt
Adware:Adware/ConsumerAlertSystem Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[WinFrgn.exe]
Adware:Adware/CWS.Aboutblank Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[nikoxxsp.chm]
Virus:VBS/Psyme.X Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[1.htm]
Adware:Adware/CWS.Aboutblank Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[on-line.exe]
Adware:Adware/Deskwizz Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[DR140306.exe]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[TVSv2.dll]
Hacktool:Rootkit/vxvgfv Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[vxvgfv.sys]
Potentially unwanted tool:Application/PsKill.J Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[killer.exe]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[tvs_ln.exe]
Adware:Adware/ShoppingCommunity Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[moconfig.exe]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[tvs_clean.exe]
Potentially unwanted tool:Application/PsKill.J Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[killer.exe.bak]
Adware:Adware/BroadcastPC Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[tvs_re_inst.exe]
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[BraveSentry1.dll]
Adware:Adware/SpySheriff Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[BraveSentry2.dll]
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[BraveSentry3.dll]
Dialer:Dialer.CN Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[SysWebTelecom.inf]
Spyware:Cookie/bravenetA Not disinfected C:\avenger\backup-27.03.2006- 1.06.24,95.zip[]