hijackthis log [RESOLVED]


  • This topic is locked

#16
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Are you having any other problems?



#17
epicwolfboy

    Member

  • Topic Starter
  • Member
  • 45 posts
Sorry for the late reply.
Still having problems.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:53 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KEW\Desktop\llama\other\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#18
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It would be nice if you told me what kind of problems you're having :tazz:

There is nothing in your log so I need to know what the problems are.

#19
epicwolfboy

    Member

  • Topic Starter
  • Member
  • 45 posts
I keep getting messages of attacks from Trend Micro, ewido, and CounterSpy,
that there's some activity, virus.
It's good that they're catching it, but just wondering if I'm still infected, if something's letting things in.

thanks

#20
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go here:

Kaspersky Web Scanner

The scan is run by an ActiveX control. Follow the instructions on the screen (the scan may take a while to run, particularly if you are on dial-up). At the end of the scan it will list the infected files; delete ALL of them and let me know what files it found.

#21
epicwolfboy

    Member

  • Topic Starter
  • Member
  • 45 posts
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Sunday, June 19, 2005 12:14:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/06/2005
Kaspersky Anti-Virus database records: 126829
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 145894
Number of viruses found: 4
Number of infected objects: 80
Number of suspicious objects: 0
Duration of the scan process: 8925 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP939\A0106464.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP939\A0106465.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP940\A0106487.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP940\A0106489.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP940\A0106502.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP940\A0106517.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP941\A0106534.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP941\A0106535.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP942\A0106573.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP942\A0106574.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP942\A0106595.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP943\A0106631.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP943\A0106632.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP943\A0106633.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP943\A0106633.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP943\A0106650.INI:ikmzwp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP944\A0106939.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP944\A0106962.PIF:gpixnp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP944\A0106962.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP944\A0106962.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106975.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106979.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:gpixnp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:jsewxj:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:qyygyc:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:xfntwr:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP945\A0106981.PIF:yawgsw:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0107258.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0107260.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:gpixnp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:jsewxj:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:qyygyc:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:xfntwr:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109040.PIF:yawgsw:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109042.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109420.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109422.INI:wbvnhx:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109423.INI:dvywuq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109423.INI:ikmzwp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109430.ini:okfkty:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109431.prx:yexisk:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:bqctas:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:fqsrxn:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:gpixnp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:jsewxj:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:qyygyc:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:snxalh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:xfntwr:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:yawgsw:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP946\A0109432.PIF:ykujcz:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:bqctas:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:fqsrxn:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:gpixnp:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:jsewxj:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:qyygyc:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:snxalh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:xfntwr:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:yawgsw:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115069.PIF:ykujcz:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115081.dll Infected: Trojan-Downloader.Win32.Small.azf
C:\WINDOWS\atid.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\WINDOWS\_DEFAULT.PIF:bqctas:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\WINDOWS\_DEFAULT.PIF:fqsrxn:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:gpixnp:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:jsewxj:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:moreas:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:qyygyc:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:snxalh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_DEFAULT.PIF:unimoq:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:xfntwr:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:yawgsw:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:ykujcz:$DATA Infected: Trojan-Downloader.Win32.Agent.bq

Scan process completed.
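Most hits in the report above have the form path:stream:$DATA, which is how Kaspersky names an NTFS alternate data stream: the trojans sit in named streams attached to otherwise ordinary files such as C:\WINDOWS\_DEFAULT.PIF and C:\WINDOWS\atid.ini, which is why Explorer and a plain directory listing show nothing unusual. The rest of the hits are copies inside System Restore points under System Volume Information, which no on-demand cleaner can remove while System Restore is protecting them. The parser below is an added example, not part of the original post and not the scanner's own code; the sample lines are copied from the report above, and the split into live files versus restore-point copies is my own illustration of how a helper reads such a report.

```python
"""Group Kaspersky Web Scanner detections by host file and by location.

Added example (not from the original post). Sample lines are copied from the
report above; the parsing and grouping logic is an illustration, not the
scanner's own code.
"""
import re
from collections import defaultdict

# Constructed sample: six detection lines copied from the report above plus the
# trailing status line, which the parser must ignore.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP939\A0106464.INI:dpwcho:$DATA Infected: Trojan.Win32.Agent.em
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP978\A0115081.dll Infected: Trojan-Downloader.Win32.Small.azf
C:\WINDOWS\atid.ini:avbmr:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\WINDOWS\_DEFAULT.PIF:bqctas:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\WINDOWS\_DEFAULT.PIF:fqsrxn:$DATA Infected: Trojan.Win32.Agent.em
C:\WINDOWS\_DEFAULT.PIF:snxalh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
Scan process completed.
""".strip()

# A detection line is "<host path>[:<stream>:$DATA] Infected: <name>".  The host
# path is matched lazily so the optional ADS suffix is tried before the path is
# allowed to swallow it; a stream name cannot contain ':' or '\'.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?::(?P<stream>[^:\\]+):\$DATA)?"
    r" Infected: (?P<name>\S+)$"
)
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_line(line):
    """Return (host_path, stream_or_None, detection_name), or None for non-detection lines."""
    m = DETECTION_RE.match(line.strip())
    if m is None:
        return None
    return m.group("path"), m.group("stream"), m.group("name")


def summarize(report_text):
    """Split detections into live files and restore-point copies, grouped by host file.

    Returns {"live": {path: [(stream, name), ...]}, "restore_point": {...}}.
    A stream of None means the file's main data stream was flagged.
    """
    groups = {"live": defaultdict(list), "restore_point": defaultdict(list)}
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, stream, name = parsed
        bucket = "restore_point" if RESTORE_POINT_RE.search(path) else "live"
        groups[bucket][path].append((stream, name))
    return {bucket: dict(by_path) for bucket, by_path in groups.items()}


def ads_hosts(summary):
    """Live files carrying at least one infected alternate data stream.

    These are the files to clean (or to inspect with a stream-aware tool);
    the restore-point copies go away when System Restore is purged.
    """
    return sorted(path for path, hits in summary["live"].items()
                  if any(stream is not None for stream, _ in hits))


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for path in ads_hosts(result):
        streams = ", ".join(f"{s} ({n})" for s, n in result["live"][path])
        print(f"{path}: {streams}")
    print(f"{len(result['restore_point'])} restore-point objects (purge via System Restore)")
```

Run on the full report, the live bucket collapses the 80 infected objects to just two host files outside System Restore; everything else is historical copies of the same streams.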

#22
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Post another HiJackThis log. What kind of problems are you having now?

Edited by bananafanafo, 19 June 2005 - 01:13 PM.


#23
epicwolfboy

    Member

  • Topic Starter
  • Member
  • 45 posts
I keep getting quarantine messages and am trying to kill all of the infected virus stuff.

Logfile of HijackThis v1.99.1
Scan saved at 4:19:48 PM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KEW\Desktop\llama\other\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#24 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Follow these directions again... ALL of them, please. :tazz: Yes, I know it seems redundant, but it obviously did not get everything last time, so it needs to be done again. No worries, I still have plenty of tricks up my sleeve to get rid of these buggers.

First, let's get rid of all those viruses hiding out in System Restore:

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

After that's done, Reboot into Safe Mode.

While in Safe Mode:

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click Start
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the log from About:Buster.

Edited by bananafanafo, 19 June 2005 - 04:01 PM.


#25 epicwolfboy (Member, Topic Starter, 45 posts)
Thanks, I'll get on it ASAP.

Thank you so much for all of your help. I thank you from the bottom of my CPU.


#26 epicwolfboy (Member, Topic Starter, 45 posts)
ActiveScan results:

Incident                     Status           Location
Adware:Adware/PopCapLoader   No disinfected   C:\Documents and Settings\KEW\Desktop\llama\other\backups\backup-20050613-190629-263.inf


AboutBuster 5.0 reference file 30
Scan started on [6/13/2005] at [4:43:22 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\CLOCK.AVI:iwswuo
Removed Stream! C:\WINDOWS\COMSETUP.LOG:hgijst
Removed Stream! C:\WINDOWS\COUNTDWN.INI:dpwcho
Removed Stream! C:\WINDOWS\Dc240.inf:shlcog
Removed Stream! C:\WINDOWS\DEBUGSM.INI:wbvnhx
Removed Stream! C:\WINDOWS\DtcInstall.log:zutjjm
Removed Stream! C:\WINDOWS\eReg.dat:qaesyo
Removed Stream! C:\WINDOWS\EXPLORER.SCF:cvwugz
Removed Stream! C:\WINDOWS\EXPLORER.SCF:jbxfaq
Removed Stream! C:\WINDOWS\huyxd.txt:zdcqda
Removed Stream! C:\WINDOWS\ihceb.log:revvfl
Removed Stream! C:\WINDOWS\ImportClient.INI:dvywuq
Removed Stream! C:\WINDOWS\ImportClient.INI:ikmzwp
Removed Stream! C:\WINDOWS\InfModM.ini:blfeyz
Removed Stream! C:\WINDOWS\InfModM.ini:vwqbws
Removed Stream! C:\WINDOWS\KB823182.log:yocbp
Removed Stream! C:\WINDOWS\KB824105.log:bramha
Removed Stream! C:\WINDOWS\KB824105.log:ngrtwi
Removed Stream! C:\WINDOWS\KB835732.log:zvnprv
Removed Stream! C:\WINDOWS\KB837001.log:msledv
Removed Stream! C:\WINDOWS\n35st.dat:ormydf
Removed Stream! C:\WINDOWS\n35st.dat:vzmfnh
Removed Stream! C:\WINDOWS\orun32.ini:rbhdme
Removed Stream! C:\WINDOWS\pqncy.dat:cclwar
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:dplllx
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:euqgwc
Removed Stream! C:\WINDOWS\Q308677.log:bqgndy
Removed Stream! C:\WINDOWS\Q308677.log:iszlj
Removed Stream! C:\WINDOWS\Q309521.log:viwqnh
Removed Stream! C:\WINDOWS\Q311889.log:zgofow
Removed Stream! C:\WINDOWS\Q315000.log:yjhjcu
Removed Stream! C:\WINDOWS\Q315403.log:iducxh
Removed Stream! C:\WINDOWS\Q315403.log:kirplj
Removed Stream! C:\WINDOWS\Q323255.log:jlkcyp
Removed Stream! C:\WINDOWS\Q323255.log:tffvuu
Removed Stream! C:\WINDOWS\Q324096.log:xyywvu
Removed Stream! C:\WINDOWS\Q324380.log:qxqwzk
Removed Stream! C:\WINDOWS\Q329048.log:ffhoku
Removed Stream! C:\WINDOWS\Q329390.log:izkpjg
Removed Stream! C:\WINDOWS\qstag1.dat:jojvqf
Removed Stream! C:\WINDOWS\qstag1.dat:ljkvwb
Removed Stream! C:\WINDOWS\Readme.txt:jeemhs
Removed Stream! C:\WINDOWS\REGLOCS.OLD:dkvaql
Removed Stream! C:\WINDOWS\Rhododendron.bmp:bepzbu
Removed Stream! C:\WINDOWS\Rhododendron.bmp:zvdoxg
Removed Stream! C:\WINDOWS\River Sumida.bmp:ltxbbs
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:swwbzj
Removed Stream! C:\WINDOWS\SchedLgU.Txt:mrfthd
Removed Stream! C:\WINDOWS\SIERRA.INI:xsimdx
Removed Stream! C:\WINDOWS\smscfg.ini:xannls
Removed Stream! C:\WINDOWS\TSOC.LOG:vonheo
Removed Stream! C:\WINDOWS\videoimp.ini:fqqsaa
Removed Stream! C:\WINDOWS\wgedit.ini:okfkty
Removed Stream! C:\WINDOWS\WIN.INI:gkxxva
Removed Stream! C:\WINDOWS\win32.bmp:bgqykq
Removed Stream! C:\WINDOWS\WINNT256.BMP:mabqhd
Removed Stream! C:\WINDOWS\WMSysPr9.prx:kftvmx
Removed Stream! C:\WINDOWS\WMSysPr9.prx:yexisk
Removed Stream! C:\WINDOWS\Zapotec.bmp:bgatpx
Removed Stream! C:\WINDOWS\Zapotec.bmp:vgwgis
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bshvpn
------------------------------------------------
Removed File! : C:\Windows\addyi.exe
Removed File! : C:\Windows\appzb.exe
Removed File! : C:\Windows\atlgw32.exe
Removed File! : C:\Windows\crol.exe
Removed File! : C:\Windows\cror32.exe
Removed File! : C:\Windows\croz32.exe
Removed File! : C:\Windows\crsi32.exe
Removed File! : C:\Windows\crsz32.exe
Removed File! : C:\Windows\crte.exe
Removed File! : C:\Windows\crtw32.exe
Removed File! : C:\Windows\crua.exe
Removed File! : C:\Windows\cruk32.exe
Removed File! : C:\Windows\crxy32.exe
Removed File! : C:\Windows\d3cb.exe
Removed File! : C:\Windows\d3ee32.exe
Removed File! : C:\Windows\d3gn32.exe
Removed File! : C:\Windows\d3hv.exe
Removed File! : C:\Windows\d3ip32.exe
Removed File! : C:\Windows\d3kw.exe
Removed File! : C:\Windows\d3lz.exe
Removed File! : C:\Windows\d3nf.exe
Removed File! : C:\Windows\d3qj.exe
Removed File! : C:\Windows\d3vu32.exe
Removed File! : C:\Windows\d3wm.exe
Removed File! : C:\Windows\d3zs32.exe
Removed File! : C:\Windows\netet.exe
Removed File! : C:\Windows\wvity.dat
Removed File! : C:\Windows\System32\appdw32.exe
Removed File! : C:\Windows\System32\iebr.exe
Removed File! : C:\Windows\System32\mfcxk32.exe
Removed File! : C:\Windows\System32\netmm32.exe
Removed File! : C:\Windows\System32\ntez32.exe
Removed File! : C:\Windows\System32\tqvhu.dat
Removed File! : C:\Windows\System32\ufhed.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:44:03 PM


AboutBuster 5.0 reference file 30
Scan started on [6/16/2005] at [7:42:46 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Q324380.log:uewair
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:dztkap
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:epkrcc
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:fjcwho
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was ABORTED at 7:49:53 PM


AboutBuster 5.0 reference file 30
Scan started on [6/21/2005] at [11:45:38 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:gildwh
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:heegip
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:isopvl
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:46:18 AM

Logfile of HijackThis v1.99.1
Scan saved at 3:23:33 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\KEW\Desktop\llama\other\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
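The three AboutBuster runs above tell the real story: the host files that were cleaned on 6/13 (notably C:\WINDOWS\_DEFAULT.PIF and Q324380.log) carry brand-new alternate data streams on 6/16 and again on 6/21, which means whatever drops them was still running between scans. The script below is an added example for this thread, not AboutBuster's or the forum's own code. It parses the log format shown above and diffs consecutive scans so that pattern is visible at a glance. The sample log is a trimmed copy of the lines posted above; the "random name" test (5 or 6 lowercase letters) is an assumption drawn from the stream names in this thread, not an AboutBuster rule.

```python
"""Parse AboutBuster logs and diff consecutive scans for reinfection.

Added example for this thread, not AboutBuster's own code.  It reads the
report format shown above ("Removed Stream! <host>:<stream>",
"Removed File! : <path>") and answers three questions a helper asks when
an about:blank hijack keeps coming back:
  * which host files carried NTFS alternate data streams (ADS),
  * whether the stream names fit the random-name pattern seen here, and
  * which already-cleaned hosts receive fresh streams in a later scan,
    which means the dropper is still active between scans.
"""
import re
from collections import defaultdict

START_RE = re.compile(r"^Scan started on \[(?P<date>[^\]]+)\] at \[(?P<time>[^\]]+)\]")
STREAM_RE = re.compile(r"^Removed Stream! (?P<host>[A-Za-z]:\\.+?):(?P<stream>[^:\\\s]+)\s*$")
FILE_RE = re.compile(r"^Removed File! : (?P<path>[A-Za-z]:\\.+?)\s*$")
# Assumption drawn from the stream names in this thread: 5 or 6 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,6}$")


def parse_scans(text):
    """Split a concatenated AboutBuster log into one dict per scan."""
    scans = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = START_RE.match(line)
        if m:
            current = {"date": m.group("date"), "streams": defaultdict(set),
                       "files": [], "completed": False}
            scans.append(current)
            continue
        if current is None:
            continue
        m = STREAM_RE.match(line)
        if m:
            current["streams"][m.group("host")].add(m.group("stream"))
            continue
        m = FILE_RE.match(line)
        if m:
            current["files"].append(m.group("path"))
            continue
        if line.startswith("Scan was COMPLETED"):
            current["completed"] = True
    return scans


def random_named_streams(scan):
    """(host, stream) pairs whose stream name matches the random pattern."""
    return sorted((host, stream)
                  for host, streams in scan["streams"].items()
                  for stream in streams
                  if RANDOM_NAME_RE.match(stream))


def reinfected_hosts(earlier, later):
    """Hosts cleaned in `earlier` that carry new stream names in `later`.

    Stream names are random, so matching on names alone proves little; the
    same host regaining streams after it was wiped is the useful signal.
    """
    hits = {}
    for host, streams in later["streams"].items():
        if host not in earlier["streams"]:
            continue
        fresh = streams - earlier["streams"][host]
        if fresh:
            hits[host] = sorted(fresh)
    return hits


def removed_files_by_dir(scan):
    """Count removed files per directory (the dropper here used random names in the Windows directory)."""
    counts = defaultdict(int)
    for path in scan["files"]:
        counts[path.rsplit("\\", 1)[0].lower()] += 1
    return dict(counts)


# Trimmed copy of the three scan logs posted in this thread.
SAMPLE_LOG = r"""AboutBuster 5.0 reference file 30
Scan started on [6/13/2005] at [4:43:22 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\CLOCK.AVI:iwswuo
Removed Stream! C:\WINDOWS\EXPLORER.SCF:cvwugz
Removed Stream! C:\WINDOWS\EXPLORER.SCF:jbxfaq
Removed Stream! C:\WINDOWS\Q324380.log:qxqwzk
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bshvpn
------------------------------------------------
Removed File! : C:\Windows\crol.exe
Removed File! : C:\Windows\d3cb.exe
Removed File! : C:\Windows\System32\iebr.exe
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:44:03 PM

AboutBuster 5.0 reference file 30
Scan started on [6/16/2005] at [7:42:46 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Q324380.log:uewair
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:dztkap
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:epkrcc
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was ABORTED at 7:49:53 PM

AboutBuster 5.0 reference file 30
Scan started on [6/21/2005] at [11:45:38 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:gildwh
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:46:18 AM
"""

if __name__ == "__main__":
    scans = parse_scans(SAMPLE_LOG)
    for prev, cur in zip(scans, scans[1:]):
        print(f"{prev['date']} -> {cur['date']}: reinfected {reinfected_hosts(prev, cur)}")
    print("removed files by directory:", removed_files_by_dir(scans[0]))
```

A scan that ends with "Scan was ABORTED" (the 6/16 run above) is kept but marked incomplete, so an empty "No Files Found!" from an aborted run is not mistaken for a clean result. The script only reads logs; enumerating live streams needs Windows APIs that AboutBuster itself wraps.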

#27 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Looks like About:Buster found quite a few files! Hopefully that will take care of your problem!

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank


Close HiJackThis. Reboot your computer and let me know if you're still getting warnings.
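Michelle's fix list is exactly the R0/R1 entries whose value is about:blank: the hijacker resets Internet Explorer's Search Bar, Default_Page_URL and Default_Search_URL so the browser keeps landing on its own page. The script below is an added example for this thread, not HijackThis' own logic or the helper's. It parses a HijackThis 1.99 log, produces that fix list automatically, and separately lists O4 autoruns and O23 services that start from under Documents and Settings for manual review (in this thread those are the ewido components the poster installed to the Desktop, which are legitimate, so that list is a prompt, not a verdict). The sample log is a trimmed copy of the lines posted above; the about:blank rule and the profile-path check are assumptions made for this example.

```python
"""Flag about:blank hijack indicators in a HijackThis 1.99 log.

Added example for this thread; not HijackThis' own logic.  It parses the
log format shown above and returns:
  * fix_list(): the R0/R1 lines whose value is about:blank, i.e. the
    lines the helper told the poster to tick for Fix checked;
  * profile_launched(): O4 autoruns and O23 services that start from a
    path under Documents and Settings, for manual review.
Both rules are assumptions: about:blank is also a valid user-chosen Start
Page, and a program run from a user profile can be legitimate (the ewido
install on the Desktop in this thread is), so review before fixing.
"""
import re

HJT_LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# R0/R1 bodies: <hive>\Software\Microsoft\Internet Explorer\Main,<name> = <value>
R_BODY_RE = re.compile(r"^(?P<key>HK(?:CU|LM)\\[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
# First drive-rooted path to an .exe/.dll on an autorun or service line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\", re.IGNORECASE)
HIJACK_VALUES = {"about:blank"}


def parse_hjt(text):
    """Yield (kind, body, raw_line) for every R/O entry in the log."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("body"), raw


def fix_list(text):
    """R0/R1 entries to tick for Fix checked: IE page/search settings set to about:blank."""
    hits = []
    for kind, body, raw in parse_hjt(text):
        if kind not in ("R0", "R1"):
            continue
        m = R_BODY_RE.match(body)
        if m and m.group("value").strip().lower() in HIJACK_VALUES:
            hits.append(raw)
    return hits


def profile_launched(text):
    """O4/O23 entries whose executable lives under a user profile (review, do not auto-fix)."""
    hits = []
    for kind, body, raw in parse_hjt(text):
        if kind not in ("O4", "O23"):
            continue
        m = PATH_RE.search(body)
        if m and USER_PROFILE_RE.search(m.group(0)):
            hits.append((kind, m.group(0)))
    return hits


# Trimmed copy of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:23:33 PM, on 6/21/2005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\KEW\Desktop\llama\other\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    print("Fix checked:")
    for line in fix_list(SAMPLE_LOG):
        print("  ", line)
    print("Review (launched from a user profile):")
    for kind, path in profile_launched(SAMPLE_LOG):
        print("  ", kind, path)
```

Run against the full log above, fix_list() returns the same four R1 lines Michelle listed and leaves the two Start Page entries alone, since they point at a real site. An O4 entry with no drive-rooted path (the RUNDLL32 one, or "PowerReg Scheduler.exe" in the Startup folder) is skipped rather than guessed at.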

#28 epicwolfboy (Member, Topic Starter, 45 posts)
Doesn't seem like it. Just to be safe I ran a complete test everywhere. Nothing yet. If so I'll post again. Thanks big time. Mucho granda.

You rock.
:tazz:

#29 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You're very welcome! I have a couple of recommendations for programs to download to keep stuff from installing on your computer, so hopefully you won't pick up anything new:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.

Edited by bananafanafo, 22 June 2005 - 02:47 PM.


#30 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
