Then I clicked Start Scan. All options were already checked.
During this scan, it found:
[email protected](1).txt in the Cookies, infection: spyware tracking cookie.
administrator@exitexchange(1).txt in the Cookies, spyware tracking cookie
[email protected](2).txt in Cookies, spyware tracking cookie
[email protected](1).txt
bb.exe in the temp directory TrojanDownloader.Adload.a
SilentInstallW32.exe Spyware.GogoTools.d
Del77B.tmp TrojanDownloader.Small.asf
thnall2c.exe Spyware BetterInternet
thnall2c.exe Spyware BetterInternet
thnall2c.exe Spyware BetterInternet
f238110144.exe TrojanDownloader.Qoologic.i
f452831.exe TrojanDownloader.Qoologic.i
f871413.exe
first.exe Spyware.F1Organizer.h
i15.tmp Spyware SurfSide.a
ll3DA.tmp Spyware.Sahat.m
ms14.tmp TrojanDropper.SurfSide.a
ms7D.tmp TrojanDropper.Small.gl
msA.tmp Spyware.F1Organizer.h
msC.tmp
msdioo.exe Trojan.Small.i
ridemarketing-v5.exe TrojanDownloader.Delmed.a
rming.exe
Then I gave up writing this down. Hopefully this will all be in the log file.
When the scan reached 92%, a program error occurred: SecuritySuite.e.exe had generated errors and will be closed by Windows. The mouse locked up. No response from the keyboard. Ctrl-Alt-Delete did not work. Had to shut down manually.
When it rebooted, security suite launched during boot and found svcproc.exe
as a Trojan.Stervis.c
As it continued to boot, it found Nail.exe a Trojan.Nail
Then the boot completed.
Restarted Ewido. It had a summary saying it found 331 infections.
Then restarted the scan.
Got to 92 percent again; it was in C:\Program Files\FwBarTemp\searchbar.exe.
Same thing: program locks up, mouse locks up, keyboard locks up. Had to turn off the computer.
Still get the svchost.exe generated errors and will be closed.
Two DOS windows open, kmnmak.exe and iptp.exe. I click close and the computer continues to boot. Active Desktop needed to be restored.
Launched Ewido. Now it says it has found 567 infected files. Start the scanner again. Finds fsg-ag.exe.
The program runs. I try to stop the program at 91.9% but it doesn't want to stop. Then it finds C:\winnt\system32\javex80.vxd, a file inside an archive which cannot be cleaned. Do you want to delete the whole archive? Answered: delete. Then security suite again generates errors and must be closed. But this time the machine does not lock up.
Start program again. Now we have 747 infected files found. Program reaches 85% before finding any problem files (Bargainbuddy). Program again generates errors around 92% and closes but does not lock up. We got two other files inside archives before it stopped.
Restarted program. Now we have found 765 files. This time we reached the end without a crash. Log file saved but only 16 files in the report.
Reboot. Still get the svchost.exe generated errors and will be shut down, plus the two DOS windows that have kmnmak.exe and iptp.exe as their title. Clicked close on both and boot continues.
Scan Report from Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:50:33 AM, 5/3/2005
+ Report-Checksum: 5CD3C98D
+ Date of database: 5/3/2005
+ Version of scan engine: v3.0
+ Duration: 195 min
+ Scanned Files: 68942
+ Speed: 5.87 Files/Second
+ Infected files: 16
+ Removed files: 16
+ Files put in quarantine: 16
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\WINNT\system32\mac80ex.idf/C:/WINNT/system32/msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\msdioo.exe -> Trojan.Small.i -> Cleaned with backup
C:\WINNT\system32\nsj5.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsj71B.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsl3.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsn3.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso732.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsvsvc\nsv.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvs.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\WINNT\system32\q17i9a4j.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINNT\system32\rhghere.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINNT\system32\rtneg2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
::Report End
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:59:56 AM, on 5/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [a4advi41] C:\Program Files\a4advi41\a4advi41.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmnmak.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: iptp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uanet.edu
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINNT\system32\dllcache\aysshell.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
Thanks!
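A small triage helper for HijackThis-format log lines, added here as an example; it is not the poster's code and not part of HijackThis or Ewido. It parses the O2 (BHO), O4 (autostart) and O23 (service) lines and flags the three things a removal helper checks first in a log like the one above: an entry whose file no longer exists ("(file missing)"), a service with no publisher ("Unknown owner"), and a Global Startup entry that is a bare executable rather than a .lnk shortcut. The sample input is a constructed subset of the lines from the log above; the line regex and the path-extraction heuristics are assumptions about the v1.99 format, not a published grammar.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmnmak.exe
O4 - Global Startup: iptp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
"""

# Assumed line shape: "<section> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    target: str            # best-effort path of the file the entry loads
    flags: List[str] = field(default_factory=list)


def target_of(section: str, body: str) -> str:
    """Best-effort extraction of the file path an entry refers to."""
    text = body.replace("(file missing)", "").strip()
    if section == "O4":
        kind, rest = text.split(":", 1)
        rest = rest.strip()
        if kind.strip().endswith("Startup"):
            # "Name.lnk = C:\path\prog.exe" or a bare "prog.exe"
            return rest.split("=", 1)[1].strip() if "=" in rest else rest
        # Registry Run entry: "[Name] C:\path\prog.exe args"
        rest = rest.split("]", 1)[1].strip() if "]" in rest else rest
        if rest.startswith('"'):
            return rest[1:].split('"', 1)[0]
        m = re.match(r"(.*?\.exe)", rest, re.IGNORECASE)
        return m.group(1) if m else rest
    # O2 / O23 and similar: the path is the last " - " separated field.
    return text.rsplit(" - ", 1)[-1].strip()


def flags_for(section: str, body: str) -> List[str]:
    """Indicators worth a second look in a removal thread."""
    flags = []
    if "(file missing)" in body:
        flags.append("file-missing")          # orphaned autostart / BHO / service
    if section == "O23" and " - Unknown owner - " in body:
        flags.append("unknown-owner")         # service with no publisher string
    if section == "O4" and body.startswith("Global Startup:") and ".lnk" not in body.lower():
        flags.append("bare-exe-in-startup")   # an .exe dropped straight into the startup folder
    return flags


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    return Entry(section, body, target_of(section, body), flags_for(section, body))


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry's target path to the indicators raised for it."""
    return {e.target: e.flags for e in parse_log(text) if e.flags}


if __name__ == "__main__":
    for target, flags in flagged(SAMPLE_LOG).items():
        print(f"{target:50} {', '.join(flags)}")
```

On the sample it reports Bolger.dll (file missing), iptp.exe (bare executable in Global Startup) and svcproc.exe (unknown owner and file missing); entries that look like these are the ones a helper asks the poster to fix or to look up before the next scan.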