Logfile of HijackThis v1.99.1
Scan saved at 10:32:27 AM, on 5/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gravity\RagnarokOnline\ragexe.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {9F5F8043-C1DA-838E-06AA-BF32A5E98C65} - 34763.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gabber] control64.exe
O4 - HKLM\..\Run: [FLKPT] ___.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] TorontoMail.exe
O4 - HKCU\..\Run: [ATLIEHELPER] utsgmon.exe
O4 - HKCU\..\Run: [sound64] TForm1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://gameguard1.le...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2B1004-38E4-43AD-9D3A-57B11C7E8E75}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
Ewido Report
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:56:31 AM, 5/17/2005
+ Report-Checksum: 92D298F
+ Date of database: 5/17/2005
+ Version of scan engine: v3.0
+ Duration: 33 min
+ Scanned Files: 62920
+ Speed: 31.16 Files/Second
+ Infected files: 9
+ Removed files: 9
+ Files put in quarantine: 9
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\WINDOWS\system32\dmsadmins.exe -> Spyware.Msnagent.a -> Cleaned with backup
C:\WINDOWS\system32\dumpsprep.exe -> TrojanDropper.Small.xl -> Cleaned with backup
C:\WINDOWS\system32\dxiesft.dll -> Spyware.DXiesft -> Cleaned with backup
C:\WINDOWS\system32\ie2cltr.dll -> Spyware.SBSoft.h -> Cleaned with backup
C:\WINDOWS\system32\ipdnssec6.exe -> Trojan.DNSChanger.k -> Cleaned with backup
C:\WINDOWS\system32\mqspbkup.exe -> TrojanDropper.Agent.jd -> Cleaned with backup
C:\WINDOWS\system32\qwinnta.exe -> Spyware.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\sesmgr.exe -> Spyware.Small.fl -> Cleaned with backup
C:\WINDOWS\system32\spmnh.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
::Report End
Active Scan report
Incident                     Status            Location
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\AdultGambling.url
Adware:Adware/GloboSearch    No disinfected    C:\Program Files\WareOut
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\AdultGambling.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\Free Online Dating.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\Play Adult-Poker.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\Remove Toolbars.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\Spyware Uninstall.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\Administrator\Favorites\XXX personal photos.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS            No disinfected    C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Spyware:Spyware/WareOut      No disinfected    C:\Program Files\WareOut\wocount.exe
Spyware:Spyware/WareOut      No disinfected    C:\WINDOWS\system32\minidrv.exe
Virus:Application/Restart    No disinfected    C:\WINDOWS\system32\Tools\Restart.exe