Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

hijack this log [CLOSED]

Started by itthigs , Jul 03 2005 10:26 AM

  • This topic is locked This topic is locked

#1
itthigs
Posted 03 July 2005 - 10:26 AM

itthigs

    Member

  • Member
  • PipPip
  • 11 posts
:tazz: ;) ;)


see below for revised log :: :help:

Edited by itthigs, 06 July 2005 - 10:10 AM.

  • 0

Advertisements

#2
kool808
Posted 05 July 2005 - 04:40 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as an Administrator or Staff reviews it I will post a reply. Thank you for your patience.

===============================
We will stick to this topic from now on.

Your other posts were :
http://www.geekstogo...ile-t41353.html
http://www.geekstogo...log-t41354.html
  • 0

#3
kool808
Posted 05 July 2005 - 08:53 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

Logfile of HijackThis v1.99.1
Scan saved at 6:05:45 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


We need this part of the HijackThis. Please revised your post and add that part.
  • 0

#4
itthigs
Posted 06 July 2005 - 06:48 AM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
;) thanks for the reply! here is the revised log file thanks again :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 8:46:53 AM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\javaco.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\111997~1\EE\AOLHOS~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\wintr32.exe
C:\PROGRA~1\COMMON~1\AOL\111997~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Napster\NapsterClient-US-3.1.1.4.dat
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\SNDVOL32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DBEFBC94-6EB0-A0C2-A2F9-33402AC42257} - C:\WINDOWS\winvz32.dll
O2 - BHO: Class - {FCD3116C-9591-6C8A-97CE-E9F69CE36729} - C:\WINDOWS\addux.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1119976430\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [wintr32.exe] C:\WINDOWS\wintr32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120411218406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaco.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#5
kool808
Posted 06 July 2005 - 05:17 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

=========================================
There are quite a few programs available that offer protection features to help keep a computer from getting infected. While this is normally a helpful feature, it can keep a you from making the changes necessary to clean you comptuer. You are advised to DISABLE the following Protection Programs:
  • Ewido Guard
=========================================
This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Please read the instructions for About:Buster then download it to a safe location where you can easily remember it.
Please Download the stand-alone version of CoolWebShredder
Download SpSeHjfix HERE
Download Cleanup.

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Reboot in SAFE MODE. (How to boot in Safe Mode...)

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky Online Scan or if that doesnt work, you can have an On-line scan at this sites:
Trend Micro or Panda Scan or BitDefender.
(Please post the results of the scan(s) in your next reply)

Good Luck!
=====================================
Reboot in Normal Mode.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Reboot in SAFE MODE. (How to boot in Safe Mode...)
===================================================
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xcxma.dll/sp.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {DBEFBC94-6EB0-A0C2-A2F9-33402AC42257} - C:\WINDOWS\winvz32.dll
O2 - BHO: Class - {FCD3116C-9591-6C8A-97CE-E9F69CE36729} - C:\WINDOWS\addux.dll

O4 - HKLM\..\Run: [wintr32.exe] C:\WINDOWS\wintr32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaco.exe" /s (file missing)

Make sure to double check the items you have selected,then click Fix Checked.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-Aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

===================================
Now we need to do this in Safe Mode.
Reboot again in SAFE MODE. (How to boot in Safe Mode...)
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • Party Poker
  • Click Uninstall
  • Confirm with OK
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\Program Files\PartyPoker
  • C:\WINDOWS\winvz32.dll
  • C:\WINDOWS\addux.dll
  • C:\WINDOWS\wintr32.exe
  • C:\WINDOWS\System32\hookdump.exe
  • C:\WINDOWS\javaco.exe
  • C:\WINDOWS\xcxma.dll/sp.html#37049
Finally, Empty Recycle Bin
=====================================

Let us have a second check.
  • Reboot to Normal Mode.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.

Edited by kool808, 07 July 2005 - 04:26 AM.

  • 0

#6
itthigs
Posted 07 July 2005 - 12:06 PM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
:K so far . . . i didn't get an about:buster log . . . I clicked ok at the COMPLETE SUCCESSFULLY at :time: and lost the log. ;)

here is the SpSeHjfix log :tazz: :



(7/7/05 4:37:48 PM) SPSeHjFix started v1.1.2
(7/7/05 4:37:48 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/7/05 4:37:48 PM) Language: english
(7/7/05 4:37:48 PM) Win-Path: C:\WINDOWS
(7/7/05 4:37:48 PM) System-Path: C:\WINDOWS\System32
(7/7/05 4:37:48 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(7/7/05 4:37:57 PM) Disinfection started
(7/7/05 4:37:57 PM) Bad-Dll(IEP): (not found)
(7/7/05 4:37:57 PM) Bad-Dll(IEP) in BHO: (not found)
(7/7/05 4:37:57 PM) UBF: 7 - UBB: 0 - UBR: 17
(7/7/05 4:37:57 PM) UBF: 7 - UBB: 0 - UBR: 17
(7/7/05 4:37:57 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(7/7/05 4:37:57 PM) Stealth-String not found
(7/7/05 4:37:57 PM) Not infected->END

Here are the Trend Micro results:

Virus Scan
Results:
0 infected file(s) with 0 virus(es) on your computer.

Trojan/Worm Check 1 Worm/Trojan horse detected
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless progra, it contains malicious cone and once installed can cause damage to your computer.

Results:
We have detected 1 Trojan horse program(s) and worm(s) on your computer.

Trojan/Worm name Trojan/ Worm Type
TROJ LOVEADOT.D Trojan

Spyware Check 3 programs detected

Spyware name Spyware Type

ADW SEARCHAID.A Adware
COOKIE442 Cookie
SPYW SOFTOMATE.A Spyware


Microsoft Vulnerability Check

Results:
We have detected 54 vulnerability/vulnerabilities on your computer

(i tried to make this easy to read, as i could not cut copy and paste and could only save as a .txt file)

the info (i'm guessing your familiar with this but just in case) is listed as such:

Risk Level Issue How to Fix (# link to site
with an indepth explanation)
numbers are at end of paragraph


Microsoft Vulnerability Check54 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 54 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix

CriticalThis vulnerability enables a remote
attacker to execute arbitrary code by creating an
.MP3 or .WMA file that contains a corrupt custom
attribute. This is caused by a buffer overflow in
the Windows Shell function in Microsoft Windows
XP. MS02-072


Highly CriticalThis vulnerability enables local
users to execute arbitrary code through an RPC
call. This is caused by a buffer overflow in the
RPC Locator service for Windows NT 4.0, Windows NT
4.0 Terminal Server Edition, Windows 2000, and
Windows XP. MS03-001


Highly CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through a
WebDAV request to IIS 5.0. This is caused by a
buffer overflow in NTDLL.DLL on Windows NT 4.0,
Windows NT 4.0 Terminal Server Edition, Windows
2000, and Windows XP. MS03-007


Highly CriticalThis vulnerability enables a remote
attacker to execute any file that can be rendered
as text, and be opened as part of a page in
Internet Explorer. MS03-014


CriticalThis vulnerability enables a remote
attacker to cause a denial of service and execute
arbitrary code through a specially formed web page
or HTML e-mail. This is caused by a flaw in the
way the HTML converter for Microsoft Windows
handles a conversion request during a
cut-and-paste operation. MS03-023


Highly CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through a
malformed message. This is caused by a buffer
overflow in certain DCOM interface for RPC in
Microsoft Windows NT 4.0, 2000, XP, and Server
2003. MS03-026


CriticalThis vulnerability enables a remote
attacker to execute arbitrary code through a
specially crafted MIDI file. This is caused by
multiple buffer overflows in a Microsoft Windows
DirectX MIDI library (QUARTZ.DLL). MS03-030


CriticalThis vulnerability could allow a remote
attacker to execute arbitrary code via a malformed
RPC request with a long filename parameter. This
is caused by a heap-based buffer overflow found in
the Distributed Component Object Model (DCOM)
interface in the RPCSS Service.;This vulnerability
could allow a remote attacker to cause a denial of
service attack, which could allow local attackers
to gain privileges via certain messages sent to
the __RemoteGetClassObject interface.;This
vulnerability could allow a remote attacker to
execute arbitrary code via a malformed activation
request packet with modified length fields. This
is caused by a heap-based buffer overflow in the
Distributed Component Object Model (DCOM)
interface in the RPCSS Service.;This vulnerability
could allow a remote attacker to cause a denial of
service attack. This is caused by two threads
processing the same RPC request, which will lead
to its using memory after it has been freed.;This
vulnerability could allow a remote attacker to
cause a denial of service attack via a queue
registration request. This is caused by a buffer
overflow in the Microsoft Message Queue Manager.
MS03-039


Highly CriticalThese vulnerabilities, which are
due to Internet Explorer not properly determining
an object type returned from a Web server in a
popup window or during XML data binding,
respectively, could allow an attacker to run
arbitrary code on a user's system. MS03-040


CriticalThis vulnerability allows a remote
attacker to execute arbitrary code without user
approval. This is caused by the authenticode
capability in Microsoft Windows NT through Server
2003 not prompting the user to download and
install ActiveX controls when system is low on
memory. MS03-041


CriticalThis vulnerability allows a remote
attacker to execute arbitrary code on the affected
system. This is caused of a buffer overflow in the
Messenger Service for Windows NT through Server
2003. MS03-043


ImportantThis vulnerability is due to a buffer
overrun in the ListBox and ComboBox controls found
in User32.dll. Any program that implements the
ListBox control or the ComboBox control could
allow arbitrary code to be executed at the same
privilege level. This vulnerability cannot be
exploited remotely. MS03-045


CriticalThis vulnerability could allow an attacker
to access information from other Web sites, access
files on a user's system, and run arbitrary code
on a user's system, wherein this is executed under
the security context of the currently logged on
user.;This vulnerability could allow an attacker
to save a file on the users system. This is due to
dynamic HTML events related to the drag-and-drop
of Internet Explorer.;This vulnerability, which is
due to the incorrect parsing of URLs which contain
special characters, could allow an attacker to
trick a user by presenting one URL in the address
bar, wherein it actually contains the content of
another web site of the attackers choice.
MS04-004


Highly CriticalThe LSASS vulnerability is a buffer
overrun vulnerability allows remote code
execution.;The LDAP vulnerability is a denial of
service (DoS) vulnerability that causes the
service in a Windows 2000 domain controller
responsible for authenticating users in an Active
Directory domain to stop responding.;The PCT
vulnerability is a buffer overrun vulnerability in
the Private Communications Transport (PCT)
protocol, a part of the SSL library, that allows
remote code execution.;The Winlogon vulnerability
is a buffer overrun vulnerability in the Windows
logon process (winlogon) that allows remote code
execution.;The Metafile vulnerability is a buffer
overrun vulnerability that exists in the rendering
of Windows Metafile (WMF) and Enhanced Metafile
(EMF) image formats.;The Help and Support Center
vulnerability allows remote code execution and is
due to the way Help and Support Center handles HCP
URL validation.;The Utility Manager vulnerability
is a privilege elevation vulnerability that exists
due to the way that Utility Manager launches
applications.;The Windows Management vulnerability
is a privilege elevation vulnerability that when
successfully exploited allows a local attacker to
take complete control of a system by executing
commands at the system privilege level.;The Local
Descriptor Table vulnerability is a privilege
elevation vulnerability that when successfully
exploited allows a local attacker to take complete
control of a system by executing commands at with
system privileges.;The H.323 vulnerability is a
buffer overrun vulnerability that when
successfully exploited can allows attackers to
gain full control of a system by arbitrarily
executing commands with system privileges.;Virtual
DOS Machine vulnerability is a privilege elevation
vulnerability that when successfully exploited
allows a local attacker to gain full control of a
system by executing commands with system
privileges.;The Negotiate SSP vulnerability is a
buffer overrun vulnerability that exists in
Microsoft's Negotiate Security Service Provider
(SSP) interface and allows remote code
execution.;The SSL vulnerability exists due to the
way SSL packets are handled and can causes the
affected systems to stop responding to SSL
connection requests.;The ASN.1 'Double-Free'
vulnerability exists in Microsoft's Abstract
Syntax Notation One (ASN.1) Library and allows
remote code execution at the system privilege
level. MS04-011


CriticalThe RPC Runtime Library vulnerability is a
remote code execution vulnerability that results
from a race condition when the RPC Runtime Library
processes specially crafted messages. An attacker
who successfully exploits this vulnerability could
take complete control of an affected system.;The
RPCSS Service denial of service (DoS)
vulnerability allows a malicious user or malware
to send specially-crafted messages to a vulnerable
system, which causes the RPCSS Service to stop
responding.;The RPC Over HTTP vulnerability may be
used to launch a denial of service (DoS) attack
against a system with CIS or RPC over HTTP Proxy
enabled.;When successfully exploited, the Object
Identity vulnerability allows an attacker to force
currently running applications to open network
communication ports, thereby opening a system to
remote attacks. MS04-012


CriticalThe MHTML URL Processing Vulnerability
allows remote attackers to bypass domain
restrictions and execute arbitrary code via script
in a compiled help (CHM) file that references the
InfoTech Storage (ITS) protocol handlers.This
could allow an attacker to take complete control
of an affected system. MS04-013
CriticalThis vulnerability exists in the Help and
Support Center (HCP) and is due to the way it
handles HCP URL validation. This vulnerability
could allow an attacker to remotely execute
arbitrary code with Local System privileges.
MS04-015


ModerateThis is a denial of service (DoS)
vulnerability. It affects applications that
implement the IDirectPlay4 Application Programming
Interface (API) of Microsoft DirectPlay.
Applications that use this API are typically
network-based multiplayer games.;An attacker who
successfully exploits this vulnerability could
cause the DirectX application to fail while a user
is playing a game. The affected user would then
have to restart the application. MS04-016
ModerateA denial of service (DoS) vulnerability
exists in Outlook Express that could cause the
said program to fail. The malformed email should
be removed before restarting Outlook Express in
order to regain its normal operation. MS04-018
CriticalThis vulnerability lies in an unchecked
buffer within the Task Scheduler component. When
exploited, it allows the attacker to execute
arbitrary code on the affected machine with the
same privileges as the currently logged on user.
MS04-022


CriticalAn attacker who successfully exploits this
vulnerability could gain the same privileges as
that of the currently logged on user. If the user
is logged in with administrative privileges, the
attacker could take complete control of the
system. User accounts with fewer privileges are at
less risk than users with administrative
privileges. MS04-023


CriticalThe Navigation Method Cross-Domain
Vulnerability is a remote execution vulnerability
that exists in Internet Explorer because of the
way that it handles navigation methods. An
attacker could exploit this vulnerability by
constructing a malicious Web page that could
potentially allow remote code execution if a user
visits a malicious Web site.;The Malformed BMP
File Buffer Overrun Vulnerability exists in the
processing of BMP image file formats that could
allow remote code execution on an affected
system.;The Malformed GIF File Double Free
Vulnerability is a buffer overrun vulnerability
that exists in the processing of GIF image file
formats that could allow remote code execution on
an affected system. MS04-025


CriticalThis vulnerability lies in the way the
affected components process JPEG image files. An
unchecked buffer within this process is the cause
of the vulnerability.;This remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. The malicious user
or malware can execute arbitrary code on the
system giving them the ability to install or run
programs and view or edit data with full
privileges. Thus, this vulnerability can
conceivably be used by a malware for replication
purposes. MS04-028


ImportantAn unchecked buffer exists in the NetDDE
services that could allow remote code execution.
An attacker who is able to successfully exploit
this vulnerability is capable of gaining complete
control over an affected system. However, the
NetDDe services are not automatically executed,
and so would then have to be manually started for
an attacker to exploit this vulnerability. This
vulnerability also allows attackers to perform a
local elevation of privilege, or a remote denial
of service (DoS) attack. MS04-031


CriticalThis cumulative release from Microsoft
covers four newly discovered vulnerabilities:
Windows Management Vulnerability, Virtual DOS
Machine Vulnerability, Graphics Rendering Engine
Vulnerability, and Windows Kernel Vulnerability.
MS04-032


CriticalThis is another privately reported
vulnerability about Windows Compressed Folders.
There is vulnerability on the way that Windows
processes Compressed (Zipped) Folders that could
lead to remote code execution. Windows can not
properly handle the extraction of the ZIP folder
with a very long file name. Opening a specially
crafted compressed file, a stack-based overflow
occurs, enabling the remote user to execute
arbitrary code. MS04-034


CriticalThis security bulletin focuses on the
following vulnerabilities: Shell Vulnerability
(CAN-2004-0214), and Program Group Converter
Vulnerability (CAN-2004-0572). Shell vulnerability
exists on the way Windows Shell launches
applications that could enable remote malicious
user or malware to execute arbitrary code.
Windows Shell function does not properly check the
length of the message before copying to the
allocated buffer. Program Group Converter is an
application used to convert Program Manager Group
files that were produced in Windows 3.1, Windows
3.11, Windows for Workgroups 3.1, and Windows for
Workgroups 3.11 so that they can still be used by
later operating systems. The vulnerability lies in
an unchecked buffer within the Group Converter
Utility. MS04-037


CriticalThis is a remote code execution
vulnerability that exists in the Internet
Explorer. It allows remote code execution on an
affected system. An attacker could exploit this
vulnerability by constructing a malicious Web
Page. The said routine could allow remote code
execution if a user visited a malicious Web site.
An attacker who successfully exploited this
vulnerability could take complete control of an
affected system. However, significant user
interaction is required to exploit this
vulnerability. MS04-038


CriticalThis security update addresses and
resolves a vulnerability in Internet Explorer that
could allow remote code execution. A Web page can
be crafted to exploit this vulnerability such that
an arbitrary application can be executed on
visiting systems with the same priviledge as the
currently logged on user. MS04-040


ImportantThis security advisory explains the two
discovered vulnerabilities in Microsoft Word for
Windows 6.0 Converter, which is used by WordPad in
converting Word 6.0 to WordPad file format. Once
exploited, this remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. MS04-041


CriticalA remote code execution vulnerability
exists in HyperTerminal because of a buffer
overrun. If a user is logged on with administrator
privileges, an attacker could exploit the
vulnerability by constructing a malicious
HyperTerminal session file that could potentially
allow remote code execution and then persuade a
user to open this file. This malicious file may
enable the attacker to gain complete control of
the affected system. This vulnerability could also
be exploited through a malicious Telnet URL if
HyperTerminal had been set as the default Telnet
client. MS04-043


ImportantThis security update addresses and
resolves two windows vulnerabilites, both of which
may enable the current user to take control of the
affected system. Both of these vulnerabilites
require that the curernt user be able to log on
locally and execute programs. They cannot be
exploited remotely, or by anonymous users. A
privilege elevation vulnerability exists in the
way that the Windows Kernel launches applications.
This vulnerability could allow the current user to
take complete control of the system. A privilege
elevation vulnerability exists in the way that the
LSASS validates identity tokens. This
vulnerability could allow the current user to take
complete control of the affected system. MS04-044
CriticalThis update resolves a newly-discovered,
publicly reported vulnerability. A vulnerability
exists in the HTML Help ActiveX control in Windows
that could allow information disclosure or remote
code execution on an affected system. MS05-001


CriticalThis update resolves several
newly-discovered, privately reported and public
vulnerabilities. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system,
install programs, view, change, or delete data, or
create new accounts that have full privileges.
MS05-002


ImportantThis update resolves a newly-discovered,
privately reported vulnerability. An attacker who
successfully exploited this vulnerability could
take complete control of an affected system. An
attacker could then install programs, view,
change, or delete data, or create new accounts
with full privileges. While remote code execution
is possible, an attack would most likely result in
a denial of service condition. MS05-003


ImportantA vulnerability in ASP.NET allows an
attacker to bypass the security of an ASP.NET Web
site, and access a machine. The attacker gains
unauthorized access to some areas of the said Web
site, and is able to control it accordingly. The
actions that the attacker could take would depend
on the specific content being protected. MS05-004
ImportantThis is an information disclosure
vulnerability. An attacker who successfully
exploits this vulnerability could remotely read
the user names for users who have an open
connection to an available shared resource.
MS05-007


ImportantThis remote code execution vulnerability
exists in the way Windows handles drag-and-drop
events. An attacker could exploit the
vulnerability by constructing a malicious Web page
that could potentially allow an attacker to save a
file on the users system if a user visited a
malicious Web site or viewed a malicious e-mail
message. MS05-008



CriticalThis remote code execution vulnerability
exists in Server Message Block (SMB). It allows an
attacker who successfully exploits this
vulnerability to take complete control of the
affected system. MS05-011


CriticalThis privilege elevation vulnerability
exists in the way that the affected operating
systems and programs access memory when they
process COM structured storage files. This
vulnerability could grant a currently logged-on
user to take complete control of the system.;This
remote code execution vulnerability exists in OLE
because of the way that it handles input
validation. An attacker could exploit the
vulnerability by constructing a malicious document
that could potentially allow remote code
execution. MS05-012


CriticalThis vulnerability exists in the DHTML
Editing Component ActiveX Control. This
vulnerability could allow information disclosure
or remote code execution on an affected system.
MS05-013


CriticalThis update resolves known vulnerabilities
affecting Internet Explorer. An attacker who
successfully exploits these vulnerabilities could
take complete control of an affected system. An
attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. MS05-014


CriticalA remote code execution vulnerability
exists in the Hyperlink Object Library. This
problem exists because of an unchecked buffer
while handling hyperlinks. An attacker could
exploit the vulnerability by constructing a
malicious hyperlink which could potentially lead
to remote code execution if a user clicks a
malicious link within a Web site or e-mail
message. MS05-015


ImportantA remote code execution vulnerability
exists in the Windows Shell because of the way
that it handles application association. If a user
is logged on with administrative privileges, an
attacker who successfully exploited this
vulnerability could take complete control of the
affected system. However, user interaction is
required to exploit this vulnerability. MS05-016


ImportantThis security bulletin resolves
newly-discovered, privately-reported
vulnerabilities affecting Windows. An attacker who
successfully exploited the most severe of these
vulnerabilities could take complete control of an
affected system. An attacker could then install
programs; view, change, or delete data; or create
new accounts with full user rights. MS05-018


CriticalThis security bulletin resolves newly
discovered, privately-reported vulnerabilities
affecting Windows. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system.
An attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. However, an attacker who
successfully exploited the most severe of these
vulnerabilities would most likely cause the
affected system to stop responding. MS05-019


CriticalThis security bulletin resolves three
newly-discovered, privately-reported
vulnerabilities affecting Internet Explorer. If a
user is logged on with administrative user rights,
an attacker who successfully exploited any of
these vulnerabilities could take complete control
of an affected system. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights.
MS05-020

CriticalThis security bulletin resolves the
following vulnerabilities affecting Internet
Explorer.; The PNG Image Rendering Memory
Corruption vulnerability could allow an attacker
to execute arbitrary code on the system because of
a vulnerability in the way Internet Explorer
handles PNG images.; The XML Redirect Information
Disclosure vulnerability could allow an attacker
to read XML data from another Internet Explorer
domain because of a vulnerability in the way
Internet Explorer handles certain requests to
display XML content. MS05-025


CriticalHTML Help is the standard help system for
the Windows platform. Authors can use it to create
online Help files for a software application or
content for a multimedia title or a Web site.
This vulnerability in HTML Help could allow
attackers to execute arbitrary code on the
affected system via a specially crafted Compiled
Windows Help (CHM) file, because it does not
completely validate input data. MS05-026


CriticalA remote code execution vulnerability
exists in the Microsofts implementation of the
Server Message Block (SMB) protocol, which could
allow an attacker to execute arbitrary codes to
take complete control over a target system. This
vulnerability could be exploited over the
Internet. An attacker would have to transmit a
specially crafted SMB packet to a target system to
exploit it. However, failure to successfully
exploit the vulnerability could only lead to a
denial of service. MS05-027


ImportantA vulnerability exists in the way that
Windows processes Web Client requests, which could
allow a remote attacker to execute arbitrary code
and take complete control over the affected
system. MS05-028


ImportantA remote code execution vulnerability
exists in Outlook Express when it is used as a
newsgroup reader. An attacker could exploit this
vulnerability by constructing a malicious
newsgroup server that could that potentially allow
remote code execution if a user queried the server
for news. MS05-030


ModerateThis vulnerability could enable an
attacker to spoof trusted Internet content because
security prompts can be disguised by a Microsoft
Agent character. MS05-032


ModerateThis vulnerability in the Microsoft Telnet
client could allow an attacker to gain sensitive
information about the affected system and read the
session variables of users who have open
connections to a malicious Telnet server.
MS05-033

Edited by itthigs, 07 July 2005 - 03:30 PM.

  • 0

#7
itthigs
Posted 07 July 2005 - 05:08 PM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here are the new logs for Panda Scan Hijack this . . . and ewido


Ewido:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:37:40 PM, 7/7/2005
+ Report-Checksum: E4E3E3E8

+ Scan result:

C:\WINDOWS\aanyi.txt:rtrhxt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addde32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addev32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addfl32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addfp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addhd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addke.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addpt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addpy.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addyl32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addyt.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\aolback.exe.lnk:frnkcm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\aolback.exe.lnk:gmadms -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\aolback.exe.lnk:ktmlci -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apied32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apifk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apifn.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apihz32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apine32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apiqo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apitq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apitu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiud32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apiyr.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apiys.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apiys32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appbh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appgb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appjj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appmq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appsk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appsz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appuf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appxv.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appyb32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlcp.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlgz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlhy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlit.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atllh32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlxv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\aucfg.ini:raxxkh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crlg32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crov.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crqk.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crrg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crsm32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3bu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3in32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3iz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3jt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3kr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3py32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3xi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3xn.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\desktop.ini:rievu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ehdcq.txt:fhhsgm -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\fvlwl.txt:qakcvz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hxzjq.txt:rtugay -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\hxzjq.txt:sgtkrq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iedb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\iefl.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iefm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iehk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ieho32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iexc.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\iezl.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipco.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipeh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipix32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipjq.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipqy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipsd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipsd32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipwc.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipyl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javabu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaco.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javajq.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\javart32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\javazo32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javazq32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\javazw32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcbr.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcgc.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfckl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcku.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcpu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcyo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msbq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mscl32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msdi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msex32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msjj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mspb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msub32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msvc.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msxa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msyt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netfa.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\netlp.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netmz.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\netoc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netos32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\netqr.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netsi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netzr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntbn32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\nted.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntgf32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\nthe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\nthj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\nthx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntle32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntnc.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntny32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntou32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntsj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntxg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntym.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntyx32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ODBC.INI:dqcabe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:bccle -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:ziqhig -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\omqxa.txt:uxjfo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\qzzqi.txt:ubvozi -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\rgibh.txt:xzfdf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:zxqzro -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\screen.html:qxvufg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkbj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkca.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkjv.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkki32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdktz.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkvs.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkvx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkyn.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkzp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkzy32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysbf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sysfm.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sysop.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\syspy32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysrl.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syssd.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\addav32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addiz.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\addja.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apibc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apiix.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apijy.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\apijy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apine32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apiqi32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\apiti32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apixm32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\apiye32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\apizw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appad32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appdn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appjl32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appmh.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appmx.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apppb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apppj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atldk32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlgo32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atlhp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlmr32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atlsk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atluf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlxe.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlxm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\craq32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\crho.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crjj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crjt.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\crlg32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crmz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crne32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crvu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3bo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3dc32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\d3fz.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\d3jb.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3lx32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\d3nf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3ob.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3oh.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3rz32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\d3st.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iebf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ieep32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iemt.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ieno32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ieox.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\ieru32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iesk.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iets32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ievu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipik.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipqj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipqx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipvi.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\javabo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javakt32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javalr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javapl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaqv.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\javato32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javazl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcgj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfche.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcpn32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfcvx32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msai32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msbo.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mses.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msfr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mshc32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mshq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msik.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mslg.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msmf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\msvm32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\msxg.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\netcx.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\netid32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netmd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netnu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netom32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netpq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netqo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netrs32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\netwa.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netwk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netzz.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\nths.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntph32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntqd.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntsa32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\nttu32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntys32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkay.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sdkfc.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkhy.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sdkjm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdknp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkrk.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkru.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sdksb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdksd.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sdksr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkvq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkxp32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysan.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysbf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysef32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysfp32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\syshi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysow32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysss32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\syswg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysxh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winao32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winel.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winem.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winft.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winlu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winnf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winnq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winqg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winse32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winuz32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winyy32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winyy32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysub32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sysvp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syswe32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\tlshd.txt:scthfd -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tlshd.txt:vjckj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\vbaddin.ini:aopfhk -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winbt32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winee.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winge.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winmm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winnf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winpo.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winqe.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wintp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winvz32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winxg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winye32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ymxpt.txt:jowmiw -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ymxpt.txt:kkwlhy -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE -> Not-A-Virus.Tool.Reboot : Cleaned with backup


::Report End

PANDA SCAN

Incident Status Location

Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.008k No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html


HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 7:06:41 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\ConsoleClassix.com\CCBrowser.exe
C:\Program Files\ConsoleClassix.com\nester.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: Class - {B2E365FF-AC68-1E32-AEDB-062877E048DF} - C:\WINDOWS\system32\msik.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sysgo.exe] C:\WINDOWS\system32\sysgo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120411218406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
itthigs
Posted 07 July 2005 - 05:25 PM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
HERE IS THE FINAL (i hope) hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 7:21:45 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: Class - {B2E365FF-AC68-1E32-AEDB-062877E048DF} - C:\WINDOWS\system32\msik.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sysgo.exe] C:\WINDOWS\system32\sysgo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120411218406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#9
kool808
Posted 08 July 2005 - 08:01 AM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Very good work itthigs :tazz: , your logs are now looking much better. Just some little finishing touches then we are almost done.

Please secure a PRINT COPY of the instructions here. Also please DISABLE: Ewido Guard.

Please follow these steps:
===========================================
Follow these steps to download and run the tool:

1. Download the FxAgentB.exe file from: HERE
2. Save the file to a convenient location, such as your Windows desktop.
3. Close all the running programs.
4. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
5. Locate the file that you just downloaded.
6. Double-click the FxAgentB.exe file to start the removal tool.
7. When the following message appears, click OK:

Please DO NOT start any other applications until the removal tool exits and the computer is restarted. Doing so may cause reinfection.

8. Click Start to begin the process, and then allow the tool to run.
9. Restart the computer.
10. Run the removal tool again to ensure that the system is clean.
============================================

Please download Spybot Search & Destroy 1.4.

1. Downloaded and Install Spybot S&D, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ then download and install the Updates.
5. Next click the button ‘Check for Problems'
6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window
7. Make certain there is a check mark beside all of the RED entries ONLY.
8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
9. REBOOT to complete the scan and clear memory.
==========================================
  • Please download Spy Sweeper in its trial version
  • download all available updates
  • click on the Sweep Now button, then click Start
  • fix all found infections.
  • close Spy Sweeper
==========================================
Reboot in SAFE MODE. (How to boot in Safe Mode...)

We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O2 - BHO: Class - {B2E365FF-AC68-1E32-AEDB-062877E048DF} - C:\WINDOWS\system32\msik.dll (file missing)

O4 - HKLM\..\Run: [sysgo.exe] C:\WINDOWS\system32\sysgo.exe

Make sure to double check the items you have selected,then click Fix Checked.
==========================================
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\WINDOWS\system32\msik.dll
  • C:\WINDOWS\system32\sysgo.exe
  • C:\Sysgo.bat
  • C:\Windows\Start Menu\Programs\Startup\F.exe
  • C:\WINDOWS\system32\searchdll.dll
Finally, Empty Recycle Bin
==========================================

To make sure it is perfectly clean let us have the final check.
  • Reboot to Normal Mode.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
Please tell me how your system is doing. ;)

Edited by kool808, 08 July 2005 - 08:03 AM.

  • 0

#10
itthigs
Posted 08 July 2005 - 10:13 AM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
:tazz: backdoor.agentb.removal tool stops about half way through the scan. I get a message that says iit has encountered a problem and needs to close. ;)

details (error report contents)

Exception Information
Code: 0xc0000006 Flags:0x00000000
Record: 0x0000000000000000 Address: 0x0000000000403783

System INformation
Windows NT 5.1 Build: 2600
CPU Vendor Code: 756E6547 - 49656E69 - 6C65746E
CPU Version: 00000F29 CPU Feature Code: BFEBFBFF
CPU AMD Feature Code: 0098e82C

Module 1
FxAgentB.exe
Image Base: 0x00400000 Image Size: 0x00000000
Checksum: 0x000313f5 Time Stamp: 0x4124b25b
Version Information




The following files will be included in this error report:

C:\DOCUME~1\Owner\LOCALS~1\Temp\WER28.tmp.dir00\appcompat.txt
  • 0

Advertisements

#11
itthigs
Posted 08 July 2005 - 10:15 AM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
i'll wait for your reply, :tazz:
  • 0

#12
kool808
Posted 08 July 2005 - 07:05 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please secure a PRINT COPY of the instructions.

It seems that you have toughie there, preventing our fixes. Let us try to modify the sequence of our fixes.
===================================================
Please download [ Spybot Search & Destroy 1.4 ].

1. Install Spybot S&D, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ then download and install the Updates.
5. DO NOT run the scan yet, close this for the mean time and we will run this later.
===================================================
  • Please download Spy Sweeper in its trial version
  • download all available updates
  • We will also run this later, close Spy Sweeper
===================================================
Reboot in SAFE MODE. (How to boot in Safe Mode...)

Killing the Running Processes:
1. Open HijackThis.
2. Click Config.
3. Click Misc Tools.
4. Under System Tools, click Open Process Manager.
5. Make sure to put a check mark on Show DLLs, found on the upper right corner.
5. Select the following file(s) if they exist, one at a time:
  • C:\WINDOWS\system32\sysgo.exe
  • C:\WINDOWS\system32\msik.dll
6. Click Kill Process one at a time.
7. Close HijackThis.
===================================================
  • Now run the FixAgentB.exe tool

    1. Locate the file that you just downloaded.
    2. Double-click the FxAgentB.exe file to start the removal tool.
    3. When the following message appears, click OK:

    Please DO NOT start any other applications until the removal tool exits and the computer is restarted. Doing so may cause reinfection.

    4. Click Start to begin the process, and then allow the tool to run.
  • Then run the Spybot S&D

    1. Next click the button ‘Check for Problems'
    2. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window
    3. Make certain there is a check mark beside all of the RED entries ONLY.
    4. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
===================================================
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O2 - BHO: Class - {B2E365FF-AC68-1E32-AEDB-062877E048DF} - C:\WINDOWS\system32\msik.dll (file missing)

O4 - HKLM\..\Run: [sysgo.exe] C:\WINDOWS\system32\sysgo.exe

Make sure to double check the items you have selected,then click Fix Checked.
===================================================

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\WINDOWS\system32\msik.dll
  • C:\WINDOWS\system32\sysgo.exe
  • C:\Sysgo.bat
  • C:\Windows\Start Menu\Programs\Startup\F.exe
  • C:\WINDOWS\system32\searchdll.dll
Finally, Empty Recycle Bin
===================================================

Reboot in NORMAL MODE.
  • Run the FixAgentB.exe tool once again
  • Scan with Spybot S&D once again
  • Finally scan with SpySweeper
  • click on the Sweep Now button, then click Start
  • fix all found infections.
  • close Spy Sweeper
===================================================
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.

  • 0

#13
itthigs
Posted 09 July 2005 - 02:50 PM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
good and bad news . . . . .

bad news first

the fxagentb.exe still stops half way through . . .

sooooo I went ahead with the other steps . . .

which i guess is the good news . . . and here is the log file which may or may not be the final check

Logfile of HijackThis v1.99.1
Scan saved at 4:47:33 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120411218406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

p.s.

more bad news . . . . when i click on local disk to bring up the hard drive folder . . . I get the search window :tazz:



btw
thanks for your help
  • 0

#14
kool808
Posted 09 July 2005 - 05:25 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please secure a PRINT COPY of the instructions.

Let us have a review on our previous fixes, it seems that the infection is not taking our shots at it!
================================================================
Please download this registry fix HSFix.zip and unzip it to your desktop, but DO NOT run yet. We will run it later.
(Note: there will be an extracted registry file called cwsserviceremove.reg)
================================================================

Important Steps
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called, if it still exists:

Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaco.exe" /s


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

2. Reboot in SAFE MODE. (How to boot in Safe Mode...)

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for, if they still exist:

C:\WINDOWS\javaco.exe
C:\WINDOWS\system32\sysgo.exe
C:\WINDOWS\system32\msik.dll


If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. Run AboutBuster

5. Scan with AdAware, full system scan.

6. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

7. On your desktop, Double-Click on the cwsserviceremove.reg and when asked to merge say yes.

8. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

9. Run CleanUp!

10. Reboot into normal mode.
=======================================================

Please download, install and do a full system scan with these following trojan programs. Get all available updates:
1. [ Trojan Hunter ]
2. [ Moosoft ]

=======================================================
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log, Trojan Hunter Log, Moosoft Log (if the results are too long, separate them as add reply, otherwise just make it one shot.)
  • Please tell me how your system is working now.

  • 0

#15
itthigs
Posted 10 July 2005 - 12:28 PM

itthigs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
every thing seems to be running great excpt for the following . . .

there seems to be a lot of processess running on startup, there's usually a 30-60sec delay before a program such as netscape will open.

I can't find IExplorer ;) ;) (I did try reinstalling)

and . . . . uhhhhhh . . . . oh yea . . . the search window still comes up when i click on cdrive or hard disk in the my computer folder. But it's fine when i access the folders on the left of the window.

So I guess those are relatively small issues??

oh yea, and i didnt find the service or the files that you had mentioned
javaco.exe
sysgo.exe
msik.dll

Here is the hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 2:21:43 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120411218406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


:help: Hope this one looks alittle better . . . :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP