Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HJT log help please[RESOLVED]

Started by starman91 , Apr 11 2005 08:14 AM

  • This topic is locked This topic is locked

#1
starman91
Posted 11 April 2005 - 08:14 AM

starman91

    New Member

  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:10:49 AM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\nrozcg.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: (no name) - {0044EF6E-7D84-5B7C-8A2A-2A27B0E3BF91} - C:\WINDOWS\System32\bordvflk.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsg12.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZN
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe




thanks for your help I truly appreciate it... lately I have had lots of problems and this file nail.exe seems to keep trying to run but adwatch blocks it as well as other problems like windows booting up saying its not activated almost every startup. also I adwatch says harmful process identified and when i look at what it says it shows some file r?gedit

I have gone through the recommended stuff stated on this site. I have norton antivirus running all the time providing real time protection and have zone alarm on my computer.

Here is the pandasoft log also:

Incident Status Location

Adware:Adware/ILookup No disinfected C:\Documents and Settings\Goonjan Shah\Local Settings\Temp\II22.exe
Adware:Adware/ILookup No disinfected C:\Documents and Settings\Goonjan Shah\Local Settings\Temporary Internet Files\Content.IE5\QFAF696F\thin_bundlelite[1].exe
Adware:Adware/ILookup No disinfected C:\Documents and Settings\Goonjan Shah\Local Settings\Temporary Internet Files\Content.IE5\QFAF696F\watch_free_porn[1].exe
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Virus:Bck/IRCFlood.V Disinfected C:\Program Files\PestPatrol\Quarantine\20041012121033259.zip[Stdio.dll]
Adware:Adware/MyWebSearch No disinfected C:\Program Files\PestPatrol\Quarantine\20041104173358985.zip[MWSOEPLG.DLL]
Adware:Adware/FunWeb No disinfected C:\Program Files\PestPatrol\Quarantine\20041104173358985.zip[F3SCRCTR.DLL]
Virus:Trj/Qhost.AF Disinfected C:\Program Files\PestPatrol\Quarantine\20050123121323.zip[hosts]
Virus:Trj/Qhost.AF Disinfected C:\Program Files\PestPatrol\Quarantine\20050409124650.zip[hosts]
Adware:Adware/ILookup No disinfected C:\Program Files\PestPatrol\Quarantine\20050409124650.zip[1.exe]
Virus:Trj/Qhost.AF Disinfected C:\Program Files\PestPatrol\Quarantine\20050409154713.zip[hosts]
Possible Virus. No disinfected C:\Program Files\Webcam\Watchdog\aaa.exe
Possible Virus. No disinfected C:\Program Files\Webcam\Watchdog\htdoc\mdl.exe
Possible Virus. No disinfected C:\Program Files\Webcam\Watchdog\htdoc\vlist.exe
Possible Virus. No disinfected C:\Program Files\Webcam\Watchdog\mdl.exe
Possible Virus. No disinfected C:\Program Files\Webcam\Watchdog\vlist.exe
Virus:Trj/Downloader.AEE Disinfected C:\WINDOWS\Downloaded Program Files\counter.inf
Adware:Adware/KeenValue No disinfected C:\WINDOWS\Downloaded Program Files\imloader.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Virus:W32/Dedler.AA.worm Disinfected C:\WINDOWS\system\lsvchost.exe
Virus:Trj/Downloader.ANY Disinfected C:\WINDOWS\system\mssecure.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\bordvflk.dll
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\system32\c.bat
Virus:W32/Dedler.AE.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\718WSDKK\ftch32b[1].exe
Virus:Trj/Downloader.AQL Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AD7HJRM9\ldrx32c[1].exe
Virus:Trj/Qhost.AA Disinfected C:\WINDOWS\system32\drivers\etc\1.hosts
Virus:Trj/Qhost.AF Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:W32/Dedler.AE.worm Disinfected C:\WINDOWS\system32\ftch32b.exe
Adware:Adware/NSearch No disinfected C:\WINDOWS\system32\in10b6s.dll
Adware:Adware/404Search No disinfected C:\WINDOWS\system32\k404SearchSetup_MS14.exe
Virus:W32/Dedler.R.worm Disinfected C:\WINDOWS\system32\lassa32b.exe
Virus:Bck/Agent.EP Disinfected C:\WINDOWS\system32\lassa32i.exe
Virus:W32/Dedler.AA.worm Disinfected C:\WINDOWS\system32\lassa32j.exe
Virus:Trj/Downloader.AQL Disinfected C:\WINDOWS\system32\ldrx32c.exe
Adware:Adware/BHO No disinfected C:\WINDOWS\system32\mscfg.dll.tcf
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\o
Virus:W32/Sdbot.BVH.worm Disinfected C:\WINDOWS\system32\roba32d.exe
Virus:W32/Dedler.AD.worm Disinfected C:\WINDOWS\system32\roba32e.exe
Virus:Trj/Downloader.ANY Disinfected C:\WINDOWS\system32\roba32f.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\RGEDIT~1.EXE

Edited by starman91, 11 April 2005 - 06:11 PM.

  • 0

Advertisements

#2
Guest_thatman_*
Posted 25 April 2005 - 03:03 PM

Guest_thatman_*
  • Guest
Hi starman91

If your still in need of help post a new hjt.log.

thanks

Kc :tazz:
  • 0

#3
starman91
Posted 11 May 2005 - 04:10 PM

starman91

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
here is my newest log:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:31 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: (no name) - {0044EF6E-7D84-5B7C-8A2A-2A27B0E3BF91} - C:\WINDOWS\System32\bordvflk.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsg12.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe
  • 0

#4
Guest_thatman_*
Posted 11 May 2005 - 04:46 PM

Guest_thatman_*
  • Guest
Hi starman91

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Use window add remove program file uninstall the following.
C:\Program Files\VBouncer\BundleOuter.EXE
C:\Program Files\Web_Rebates\WebRebates0.exe

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R3 - Default URLSearchHook is missing
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsg12.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
Click on Fix Checked when finished and exit HijackThis.


Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\mscfg.dll<--Delete this file
C:\WINDOWS\System32\nsg12.dll<--Delete this file
rsvc32.exe<--Delete this file
Linux.exe<--Delete this file
scvhosting.exe<--Delete this file
C:\Program Files\VBouncer<--Delete the whole folder
C:\Program Files\Web_Rebates<--Delete the whole folder
C:\WINDOWS\bxxs5.dll,DllRun<--Delete this file
svhost.exe<--Delete this file
C:\WINDOWS\ezstub.exe<--Delete this file


If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\Documents and Settings\Goonjan Shah\Local Settings\Temp\II22.exe
C:\Documents and Settings\Goonjan Shah\Local Settings\Temporary Internet Files\Content.IE5\QFAF696F\thin_bundlelite[1].exe
C:\Documents and Settings\Goonjan Shah\Local Settings\Temporary Internet Files\Content.IE5\QFAF696F\watch_free_porn[1].exe
C:\Program Files\AIM\Sysfiles\WxBug.EXE
C:\WINDOWS\Downloaded Program Files\imloader.exe
C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\WINDOWS\system32\bordvflk.dll
C:\WINDOWS\system32\in10b6s.dll
C:\WINDOWS\system32\k404SearchSetup_MS14.exe
C:\WINDOWS\system32\mscfg.dll.tcf
C:\WINDOWS\system32\RGEDIT~1.EXE
C:\Program Files\Webcam\Watchdog\aaa.exe
C:\Program Files\Webcam\Watchdog\htdoc\mdl.exe
C:\Program Files\Webcam\Watchdog\htdoc\vlist.exe
C:\Program Files\Webcam\Watchdog\mdl.exe
C:\Program Files\Webcam\Watchdog\vlist.exe

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
starman91
Posted 12 May 2005 - 10:25 AM

starman91

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: (no name) - {0044EF6E-7D84-5B7C-8A2A-2A27B0E3BF91} - C:\WINDOWS\System32\bordvflk.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe


Here is the pandasoft log:


Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Goonjan Shah\Application Data\oria.exe
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:Adware/MyWebSearch No disinfected C:\Program Files\PestPatrol\Quarantine\20041104173358985.zip[MWSOEPLG.DLL]
Adware:Adware/FunWeb No disinfected C:\Program Files\PestPatrol\Quarantine\20041104173358985.zip[F3SCRCTR.DLL]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Virus:W32/Dedler.AS.worm Disinfected C:\WINDOWS\system\lsass.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\amfnuxatft.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TBUD5RHV\glock[1].jpg
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\cvyvvevxir.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\ekennyhj.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\hlijirgunq.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\jdtdpkoc.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\pawgewmevy.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\RGEDIT~1.EXE
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\ullytxno.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\uoqzyassfj.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\uwin32updt.exe
Virus:W32/Dedler.AS.worm Disinfected C:\WINDOWS\system32\w32dgb.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\xdyshsxzgs.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\znpecqse.exe
  • 0

#6
Guest_thatman_*
Posted 12 May 2005 - 12:33 PM

Guest_thatman_*
  • Guest
Hi starman91

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Use windows add remove program file's uninstall the following.
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\VBouncer\BundleOuter.EXE

Lets see if this will finds any hidden Trojan’s http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate then run a full scan save the log when the scan has finnished.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O2 - BHO: (no name) - {0044EF6E-7D84-5B7C-8A2A-2A27B0E3BF91} - C:\WINDOWS\System32\bordvflk.dll (file missing)
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\System32\bordvflk.dll (file missing)
C:\Program Files\VBouncer\BundleOuter.EXE
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\system32\systemspool.dll (file missing)Exit Explorer.Reboot as normal.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\Documents and Settings\Goonjan Shah\Local Settings\Temp\II22.exe
C:\Documents and Settings\Goonjan Shah\Local Settings\Temporary Internet Files\Content.IE5\QFAF696F\thin_bundlelite[1].exe
C:\Documents and Settings\Goonjan Shah\Local Settings\Temporary Internet Files\Content.IE5\QFAF696F\watch_free_porn[1].exe
C:\Program Files\AIM\Sysfiles\WxBug.EXE
C:\Program Files\PestPatrol\Quarantine\20041104173358985.zip[MWSOEPLG.DLL]
C:\Program Files\PestPatrol\Quarantine\20041104173358985.zip[F3SCRCTR.DLL]
C:\Program Files\PestPatrol\Quarantine\20050409124650.zip[1.exe]
C:\WINDOWS\Downloaded Program Files\imloader.exe
C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\WINDOWS\system32\bordvflk.dll
C:\WINDOWS\system32\in10b6s.dll
C:\WINDOWS\system32\k404SearchSetup_MS14.exe
C:\WINDOWS\system32\mscfg.dll.tcf
C:\WINDOWS\system32\RGEDIT~1.EXE
C:\WINDOWS\bxxs5.dll,DllRun
Linux.exe
scvhosting.exe
rsvc32.exe
svhost.exe
C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe
C:\WINDOWS\ezstub.exe
c:\counter.cab

Reboot as normal

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#7
starman91
Posted 13 May 2005 - 08:51 AM

starman91

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

I have done the start in safe mode and removed. However when I reboot to normal they always come back. I tried to remove the files listed, but most of them do not exist, but they always come back and adwatch always seems to stop them from accessing registry when starting up.

Here is the newest log:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] rsvc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe

Edited by starman91, 13 May 2005 - 08:52 AM.

  • 0

#8
Guest_thatman_*
Posted 13 May 2005 - 02:53 PM

Guest_thatman_*
  • Guest
Hi starman91

Ad-aware se with Adwatch plus version.

Ad-watch will stop this malware from loading but will also put it back on your computer when you try to remove it.

1. you have some nasty viruses that will only be removed with a anti-virus online scan.
In all my posts to you I have ask you to do the online scans and post the log from them.

If you want to get rid of the infections this will need to be done.

Run the ewido scan and save the log.

Post the ewido scan.log and new HJT.Log

Kc :tazz:
  • 0

#9
Guest_thatman_*
Posted 13 May 2005 - 03:18 PM

Guest_thatman_*
  • Guest
Hi starman91

This is what you are up against.

[Microsoft Update] rsvc32.exe
W32/Rbot-HW is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

scvhosting.exe
W32/Forbot-S spreads to network shares and by exploiting the LSASS (MS04-011)
vulnerability and backdoors opened by other malware.
When run W32/Forbot-S copies itself to the Windows system folder as scvhosting.exe. The worm adds the following registry entries to ensure that the copy is run each time Windows is started.


[Microsoft Update Machine] Linux.exe
File Name : linux.exe
Description: Added by the RBOT-IM WORM!

[Microsoft AutoUpdater] svhost.exe
This worm propagates via network shares. It drops a copy of itself into accessible network shares by logging on using the account of the currently logged user. It may also use a long list of user names and passwords.
This worm also takes advantage of the following known Windows vulnerabilities, malware backdoor capabilities and application to propagate:

djtopr1150.exe
Adware
Name: WebRebates
Version: n/a
Publisher: TopRebates, Inc.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP Risk Impact: High

Ezula
Ezula primarily provides a browser addon that allows you to hold alt + click any word and it searches that term for you. It does help skip a step or two to save some time. I personally use Firefox and have a little google search box in the top right where I can toss something into and quickly search that way. For all of you super lazy people you may want to leave this installed but it will serve ads to you.

Kc :tazz:
  • 0

#10
starman91
Posted 13 May 2005 - 08:01 PM

starman91

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the log file from the online scan:

Incident Status Location

Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]


Here is the log from the Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:49:34 PM, 5/13/2005
+ Report-Checksum: D59DA07

+ Date of database: 5/13/2005
+ Version of scan engine: v3.0

+ Duration: 186 min
+ Scanned Files: 175777
+ Speed: 15.72 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Goonjan Shah\Cookies\goonjan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End


Here is the HJT scan log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe


Should I stop adwatch from starting at boot up?

Thanks
  • 0

Advertisements

#11
Guest_thatman_*
Posted 14 May 2005 - 08:53 AM

Guest_thatman_*
  • Guest
Hi starman91

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Turn of Adwatch starting at boot up.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Microsoft Update] rsvc32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\VBouncer<<--Delete the whole folder
C:\Program Files\Web_Rebates<<--Delete the whole folder
C:\WINDOWS\bxxs5.dll,DllRun<--Delete this file
Linux.exe<--Delete this file
C:\DOCUME~1\GOONJA~1\LOCALS~1\Temp\djtopr1150.exe<--Delete this file
rsvc32.exe<--Delete this file
C:\WINDOWS\ezstub.exe<--Delete this file
C:\WINDOWS\system32\systemspool.dll<--Delete this file
Exit Explorer.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#12
starman91
Posted 15 May 2005 - 09:14 PM

starman91

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I am running the virus scan now should be done tonight:

here is the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:20 PM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0

#13
Guest_thatman_*
Posted 16 May 2005 - 06:55 AM

Guest_thatman_*
  • Guest
Hi starman91

Waiting for your virus scan, post when you are ready

Kc :tazz:
  • 0

#14
starman91
Posted 16 May 2005 - 09:23 AM

starman91

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the virus scan log:

Incident Status Location

Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]


I just added the HJT log also:

Scan saved at 11:31:00 AM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Goonjan Shah\Application Data\Mozilla\Profiles\default\s21hhnha.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows USB Support] syscclk.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...97/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINDOWS\system32\systemspool.dll (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Program Files\Webcam\Watchdog\dogsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




Once again thanks so much for the help.

Edited by starman91, 16 May 2005 - 09:31 AM.

  • 0

#15
Guest_thatman_*
Posted 16 May 2005 - 10:29 AM

Guest_thatman_*
  • Guest
Hi starman91

This item is safe it is used by many Anti-Virus company's and pestpatrol to test there software is working.
C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Congratulations! Your system is CLEAN ;)

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
SpyBot Search & Destroy v1.3
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn of system restore
Disabling or enabling Windows XP System Restore
WIndows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Kc :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP