Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TROJ VIRMONDO.A and TROJ VB.DC


  • This topic is locked This topic is locked

#1
DonnaZI610

DonnaZI610

    Member

  • Member
  • PipPip
  • 14 posts
Trend Micro found these two files and said they were non-cleanable. Do you know of anything that will clean them off of the computer. I'm on high speed internet all the time so this is a problem. I also have Spyware stormer which seems to maybe delete these files but they are coming back.
  • 0

Advertisements


#2
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
  • 0

#3
DonnaZI610

DonnaZI610

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here is what it came back with 1 hr and 30 minutes later. 75 viruses.

File C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\windows\system32\okshook.dll tagged as not-a-virus:RiskWare.Proxy.MarketScore.l. No Action Taken.
File C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL infected by "not-a-virus:AdWare.ToolBar.AdvancedSearchBar" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL infected by "not-a-virus:AdWare.ToolBar.AdvancedSearchBar" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "msbb Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "New.net Startup Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addit.exe infected by "not-a-virus:AdWare.Midadle.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bargain3.exe infected by "not-a-virus:AdWare.BargainBuddy.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dwcg2.exe infected by "not-a-virus:AdWare.DownloadWare" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\minigolf_affiliate.exe infected by "not-a-virus:AdWare.MetaDirect.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msbb.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\rgrt.exe infected by "not-a-virus:AdWare.ShopNav.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\salm.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\salmhook.dll infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\WildApp.dll infected by "not-a-virus:AdWare.MetaDirect.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\okshook.dll tagged as not-a-virus:RiskWare.Proxy.MarketScore.l. No Action Taken.
File C:\Program Files\Advanced Searchbar\addtolist.js infected by "not-a-virus:AdWare.ToolBar.AdvancedSearchBar" Virus. Action Taken: No Action Taken.
File C:\Program Files\NewDotNet\newdotnet6_38.dll infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\Program Files\NewDotNet\uninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Open Site\opensite.exe infected by "Trojan-Clicker.Win32.VB.br" Virus. Action Taken: No Action Taken.
File C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe infected by "not-a-virus:AdWare.HelpExpress" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP616\A0014938.dll infected by "not-a-virus:AdWare.Sidesearch.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP616\A0014941.EXE infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP616\A0014942.dll infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP617\A0015081.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP617\A0015082.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP617\A0015083.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP617\A0015095.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP617\A0015096.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP617\A0015097.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP618\A0015169.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP618\A0015171.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP618\A0015172.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP618\A0015234.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP618\A0015238.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP618\A0015239.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP622\A0018278.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP622\A0018279.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP622\A0018280.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0018840.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0018841.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0018842.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP637\A0018863.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP637\A0018864.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP637\A0018865.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0019264.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0019266.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0019267.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0020259.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0020260.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0020261.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0020275.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0021275.DLL infected by "not-a-virus:AdWare.ClearSearch.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0021276.DLL infected by "not-a-virus:AdWare.ClearSearch.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0021277.exe infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0021285.DLL infected by "not-a-virus:AdWare.ClearSearch.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP648\A0021287.DLL infected by "not-a-virus:AdWare.ClearSearch.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP665\A0024495.dll infected by "not-a-virus:AdWare.Sidesearch.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{967934BF-9660-4B40-9AC3-8656BEDFE349}\RP357\A0051236.dll infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\updaterInstall_112.exe infected by "Trojan-Downloader.Win32.Keenval" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addit.exe infected by "not-a-virus:AdWare.Midadle.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bargain3.exe infected by "not-a-virus:AdWare.BargainBuddy.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dwcg2.exe infected by "not-a-virus:AdWare.DownloadWare" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\minigolf_affiliate.exe infected by "not-a-virus:AdWare.MetaDirect.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msbb.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\rgrt.exe infected by "not-a-virus:AdWare.ShopNav.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\salm.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\salmhook.dll infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\okshook.dll tagged as not-a-virus:RiskWare.Proxy.MarketScore.l. No Action Taken.
File C:\WINDOWS\WildApp.dll infected by "not-a-virus:AdWare.MetaDirect.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Windows Update Setup Files\searchbarsetup.exe infected by "not-a-virus:AdWare.ToolBar.AdvancedSearchBar" Virus. Action Taken: No Action Taken.
  • 0

#4
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK. Click here to download HijackThis by Merijn Bellekom. Doubleclick the file, click Unzip and extract the application to C:\HijackThis. Run it from there to scan your computer.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Save the log, Ctrl-A to Select All and post it here for examination. Don't fix anything yet as most of what it lists will be harmless.
  • 0

#5
DonnaZI610

DonnaZI610

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:40:55 PM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\windows\system32\rk.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wsfcs.k12.nc.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wsfcs.k12.nc.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...oad/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//sc...id=dp::/win.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail1.wsfcs.k...c.us/iNotes.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webrespo...p/TLIEFlash.CAB
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise....iator/jinit.exe
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24....ex/HMAtchmt.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#6
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
First of all, click the link and follow the instructions to remove New.Net.

http://www.newdotnet.com/removal.html

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//sc...id=dp::/win.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\Program Files\Advanced Searchbar <-- folder
C:\Program Files\Open Site <-- folder
C:\Program Files\WebSavingsfromEbates <-- folder
C:\updaterInstall_112.exe
C:\WINDOWS\addit.exe
C:\WINDOWS\bargain3.exe
C:\WINDOWS\dwcg2.exe
C:\WINDOWS\minigolf_affiliate.exe
C:\WINDOWS\msbb.exe
C:\WINDOWS\rgrt.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\salmhook.dll
C:\WINDOWS\system32\okshook.dll
c:\windows\system32\rk.exe
C:\WINDOWS\WildApp.dll
C:\WINDOWS\Windows Update Setup Files\searchbarsetup.exe

Exit Explorer and reboot into Normal Mode. Then follow this sequence:

1. Right-click My Computer>Click Properties>Click the System Restore tab>Check the box next to 'Turn off System Restore on all drives'>Click Apply>Click OK.

2. Reboot.

3. Repeat the process but this time remove the check from the box.

Rescan with HijackThis and post a new log here.
  • 0

#7
DonnaZI610

DonnaZI610

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:12:33 PM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wsfcs.k12.nc.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wsfcs.k12.nc.us/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...oad/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail1.wsfcs.k...c.us/iNotes.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webrespo...p/TLIEFlash.CAB
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise....iator/jinit.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24....ex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#8
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Looks better, how is it running now? Are those two files still showing? Also uninstall Spyware Stormer, see here:

http://www.spywarewa...nti-spyware.htm

There are better products available.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP