Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan-Spy.HTML.smitfraud.c [RESOLVED]


  • This topic is locked This topic is locked

#1
griet

griet

    Member

  • Member
  • PipPip
  • 17 posts
big problems,

Smitfraud.c 'installed' on my PC.

Desktop is replaced by error-message, advising me tot perform a virus scan.

Tried adaware, without results (many infections found, but couldnt remove smitfraud.c).

Explorer keeps on generating errors and restarting, until I menage to stop it manually (via tskmnger).

New topics added to 'favorites'-folder, without me installing them.

thx for helping.
  • 0

Advertisements


#2
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi griet

Welcome to GTG! :tazz:

Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now Click here to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program. Click on the Do a system scan and save a logfile button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  • 0

#3
griet

griet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
hi flrman,

thx for the quick reply

here's my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 14:48:11, on 12-7-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\atlrt32.exe
C:\WINNT\system32\ntkp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\RENDER\BUREAU~1\WINZIP\winzip32.exe
C:\Documents and Settings\jorgen\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ldwvi.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ldwvi.dll/sp.html#49977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ldwvi.dll/sp.html#49977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ldwvi.dll/sp.html#49977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ldwvi.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ldwvi.dll/sp.html#49977
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ldwvi.dll/sp.html#49977
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2545A0E9-71D9-4338-45BE-B4102E2CA91E} - C:\WINNT\system32\ipds32.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\system32\intel32.exe
O4 - HKLM\..\Run: [ntkp.exe] C:\WINNT\system32\ntkp.exe
O4 - HKLM\..\RunOnce: [atlrt32.exe] C:\WINNT\atlrt32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\render\Bureaublad\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.search-soft.net
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: style2 - C:\WINNT\q12653500_disk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
  • 0

#4
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
You have several infections there so we will have to do these one at a time. I'll go ahead and give you the directions to remove smitfraud. After you have taken care of that, we'll get to the rest. I have to leave until around 3 or 4 pm Eastern time so I will not reply to any furhter posts until after that, but I will reply as soon as I can.


* Click here to download smitRem.zip.
  • Save the file to your desktop.
  • Unzip smitRem.zip to extract the files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.
* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
  • 0

#5
griet

griet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
hi,

Thx, things seem to be running more or less normal now.

Results of the scans:

1. hijackthislog:

Logfile of HijackThis v1.99.1
Scan saved at 17:33:55, on 12-7-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Documents and Settings\render\Bureaublad\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\RENDER\BUREAU~1\WINZIP\winzip32.exe
C:\Documents and Settings\jorgen\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ldwvi.dll/sp.html#49977
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ldwvi.dll/sp.html#49977
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2545A0E9-71D9-4338-45BE-B4102E2CA91E} - C:\WINNT\system32\ipds32.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ntkp.exe] C:\WINNT\system32\ntkp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\render\Bureaublad\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.search-soft.net
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: style2 - C:\WINNT\q12653500_disk.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

2. activescan:

Incident Status Location

Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Bureaublad\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Bureaublad\Remove Spyware.url
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\jorgen\Application Data\tvmcwrd.dll
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\jorgen\Application Data\tvmknwrd.dll
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\jorgen\Application Data\tvmuknwrd.dll
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Network Security.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\jorgen\Favorieten\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Remove Spyware.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jorgen\Favorieten\Sites about\What is hydrocodone.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Take It Here - Free [bleep] TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\jorgen\Favorieten\Web Detective.url
Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\SAHUninstall_.exe
Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\sporder_.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINNT\Downloaded Program Files\ysbactivex.inf
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\screen.html
Adware:Adware/KeenValue No disinfected C:\WINNT\system32\drivers\etc\hosts.bho
Adware:Adware/Popuper No disinfected C:\WINNT\system32\hp6CD8.tmp
Adware:Adware/Popuper No disinfected C:\WINNT\system32\ole32vbs.exe
Adware:Adware/GloboSearch No disinfected C:\WINNT\system32\wosysdll.dll
Adware:Adware/Smitfraud No disinfected C:\WINNT\system32\wp.bmp
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\xmltok.dll
3. ewidoscan:
---------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 16:22:47, 12-7-2005
+ Rapport samenvatting: 598E1604

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{52DC9EC1-35A9-4914-98D9-D568A9854DA2} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{62160EEF-9D84-4C19-B7B8-6AC2526CD726} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{771A1334-6B08-4a6b-AEDC-CF994BA2CEBE} -> Spyware.YourSiteBar : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97} -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{82E8FF5B-20DA-4F43-9787-09FA534B7627} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{9E680E41-ECFF-E677-B3C2-F038A1610215} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CurVer -> Spyware.YourSiteBar : Schoongemaakt met een backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Schoongemaakt met een backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RelevantKnowledge -> Spyware.BroadCastPC : Schoongemaakt met een backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT -> Spyware.NaviSearch : Schoongemaakt met een backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Security -> Spyware.NaviSearch : Schoongemaakt met een backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Enum -> Spyware.NaviSearch : Schoongemaakt met een backup
C:\msinfo.exe -> TrojanDownloader.Agent.eq : Schoongemaakt met een backup
C:\WINNT\Active Setup Log.txt:xonuyk -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\atlee32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\atlib32.exe -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\atlot32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\atlrt32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINNT\d3na32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\d3nu32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar.gk : Schoongemaakt met een backup
C:\WINNT\hpbafd.ini:aldwvi -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\hpbafd.ini:fulcsx -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\iean32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\iebt.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\ieye32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINNT\ipvv32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\ipyc.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\javafh32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\javard32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINNT\javayf32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\ldwvi.dll -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\msdfmap.ini:ftatxl -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\Msiosd.ini:ywvplp -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\mspx32.exe -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\NDNuninstall6_38.exe -> Spyware.NewDotNet : Schoongemaakt met een backup
C:\WINNT\netlh32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\ovl.ini:emixkt -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\PMK_setup.ini:webcnd -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\popuper.exe -> Trojan.Puper.w : Schoongemaakt met een backup
C:\WINNT\q12653500_disk.dll -> TrojanDownloader.Delf.lh : Schoongemaakt met een backup
C:\WINNT\render.ini:ktxstc -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\setuplog.txt:btxxpn -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\setuplog.txt:nmtvwd -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\sysrs.exe -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\system32\aajemuo.dll -> TrojanDownloader.Agent.gl : Schoongemaakt met een backup
C:\WINNT\system32\addhf32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\apigf.exe -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\system32\appry32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\ATPartners.dll -> TrojanDownloader.Rameh.c : Schoongemaakt met een backup
C:\WINNT\system32\fazapog.dll -> Spyware.AdultIt : Schoongemaakt met een backup
C:\WINNT\system32\hhk.dll -> Trojan.Puper.t : Schoongemaakt met een backup
C:\WINNT\system32\hookdump.exe -> Trojan.Agent.ep : Schoongemaakt met een backup
C:\WINNT\system32\iecust.exe -> TrojanDownloader.Small.qt : Schoongemaakt met een backup
C:\WINNT\system32\iedu.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\in10b6s.dll -> Adware.eZula : Schoongemaakt met een backup
C:\WINNT\system32\intel32.exe -> Trojan.Agent.ff : Schoongemaakt met een backup
C:\WINNT\system32\intmon.exe -> Trojan.Puper.aa : Schoongemaakt met een backup
C:\WINNT\system32\ipds32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\iplc.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\javawt32.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\javazw32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINNT\system32\msinfo.exe -> TrojanDownloader.Small.agg : Schoongemaakt met een backup
C:\WINNT\system32\msole32.exe -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
C:\WINNT\system32\nedehoce.dll -> TrojanSpy.Briss.n : Schoongemaakt met een backup
C:\WINNT\system32\netcgf.dll -> TrojanDownloader.Small.abx : Schoongemaakt met een backup
C:\WINNT\system32\netssh.exe -> TrojanDropper.Small.nk : Schoongemaakt met een backup
C:\WINNT\system32\ntkp.exe -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\system32\ntte32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINNT\system32\ntwb.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINNT\system32\oleadm.dll -> Trojan.Agent.ff : Schoongemaakt met een backup
C:\WINNT\system32\Q15347812.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\Q21506312.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\Q22541765.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\Q25715890.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\Q697140.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\Q729015.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\Q955687.dll -> Spyware.ActiveSearch : Schoongemaakt met een backup
C:\WINNT\system32\shnlog.exe -> Trojan.Puper.aa : Schoongemaakt met een backup
C:\WINNT\system32\sp2chek.exe -> TrojanDownloader.Small.agg : Schoongemaakt met een backup
C:\WINNT\system32\subsys.exe -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
C:\WINNT\system32\sysba.exe -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\system32\syswk.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINNT\system32\zuquq.dll -> TrojanSpy.Briss.n : Schoongemaakt met een backup
C:\WINNT\uninstIU.exe -> Trojan.Agent.ff : Schoongemaakt met een backup
C:\WINNT\welcome.ini:igptmp -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\WININIT.INI:mfcrdv -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\WTRMRK.INI:pcmkpu -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:czbuue -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:dpunqz -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\_default.pif:eluqrw -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:etcrbe -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:fhernp -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:fuodom -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:gcgaly -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:isgmla -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:lbatil -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:piwwpr -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:pvxzwz -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\_default.pif:qrvgjp -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:rdqgpa -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:sbioob -> Trojan.Agent.em : Schoongemaakt met een backup
C:\WINNT\_default.pif:seezms -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:szcllk -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\_default.pif:udxxna -> Spyware.SearchPage : Schoongemaakt met een backup
C:\WINNT\_default.pif:wtvxv -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:wtvxvh -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:xmnwty -> TrojanDownloader.Agent.bq : Schoongemaakt met een backup
C:\WINNT\_default.pif:ycxbnp -> Trojan.Agent.em : Schoongemaakt met een backup


::Einde rapport



As requested, I will leave my PC on, without opening any programs.

PS.: I accidentally performed 2 activescans, in the first one, the following incidents were also announced:

virus:Trj/Qukart.M - renamed - c:\!apihook.bin
virus:Trj/Qukart.M - renamed - c:\!apihook.txt
virus:Trj/downloader.CVB - disinfected - c:\ms32.tmp
virus:Trj/downloader.JH - disinfected - c:\Downloaded progfram files\ole32ws.inf
virus:Trj/clicker.AI - disinfected - c:\WINN\system32\ShellExt\all.EXE

As you can see, these viruses seem to be deleted.

CU
  • 0

#6
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:


* Click here to download cwsserviceremove.zip and unzip it to your desktop.


* Click Here and download the new version of Killbox and save it to your desktop.



* Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Do Not run it yet.



* Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.


* Click here to download remv3.zip.
Save the zip file then unzip the files to their own permanent folder.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window look for any one of these four services:

Network Security Service

Network Security Service (NSS)

Workstation Netlogon Service

Remote Procedure Call (RPC) Helper
---> See Caution below.

You will only have one of them so find the one you have.
Rightclick it and choose "Properties". (See *Note below if you get an error). On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that option is not there either or if none of the above services are present, just skip this step and proceed with the rest.

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.


** Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have it's contents added to the registry.



* Run Hijack This and put a check by all of the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ldwvi.dll/sp.html#49977

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ldwvi.dll/sp.html#49977

O2 - BHO: Class - {2545A0E9-71D9-4338-45BE-B4102E2CA91E} - C:\WINNT\system32\ipds32.dll (file missing)

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [ntkp.exe] C:\WINNT\system32\ntkp.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domrim.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domrim.local

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = domrim.local

O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244

O20 - Winlogon Notify: style2 - C:\WINNT\q12653500_disk.dll (file missing)


After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.


* Double click on remv3.bat to run it. Wait till the dos window closes. !!Don't forget this step!!


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\q12653500_disk.dll

C:\WINNT\system32\ntkp.exe

C:\Documents and Settings\All Users\Bureaublad\Online Dating.url

C:\Documents and Settings\All Users\Bureaublad\Remove Spyware.url

C:\Documents and Settings\jorgen\Application Data\tvmcwrd.dll

C:\Documents and Settings\jorgen\Application Data\tvmknwrd.dll

C:\Documents and Settings\jorgen\Favorieten\Black Jack Online.url

C:\Documents and Settings\jorgen\Favorieten\Home Loan.url

C:\Documents and Settings\jorgen\Favorieten\Network Security.url

C:\Documents and Settings\jorgen\Favorieten\Online Pharmacy.url

C:\Documents and Settings\jorgen\Favorieten\Spam Filters.url

C:\Documents and Settings\jorgen\Favorieten\Take It Here - Free [bleep] TGP.url

C:\Documents and Settings\jorgen\Favorieten\Web Detective.url

C:\WINNT\Downloaded Program Files\SAHUninstall_.exe

C:\WINNT\Downloaded Program Files\sporder_.dll

C:\WINNT\Downloaded Program Files\ysbactivex.inf

C:\WINNT\screen.html

C:\WINNT\system32\drivers\etc\hosts.bho

C:\WINNT\system32\hp6CD8.tmp

C:\WINNT\system32\ole32vbs.exe

C:\WINNT\system32\wosysdll.dll

C:\WINNT\system32\wp.bmp

C:\WINNT\system32\xmlparse.dll

C:\WINNT\system32\xmltok.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.



* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.



* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.



* Start Ccleaner and click Run Cleaner



* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Rightclick DelDomains.inf and choose install.


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .

- Double-click the Network Connections icon.

- Right-click the Local Area Connection icon and select Properties.

- Hilight Internet Protocol (TCP/IP) and click the Properties button.

- Be sure "Obtain DNS server address automatically' is selected. OK your way out.


** Restart back into Windows normally now and do the following:


Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt) and save it as a text file.


* Look on your C:\ and you will find a .txt file with the name: log.txt
Post the contents from that log along with a fresh Hijack This log and the report from the Housecall scan
.
  • 0

#7
griet

griet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi again,

Did what you asked (the services.mcs - checkup didn't give any of the four possible results, so I suppose that's OK)

The logfiles:

1. the log.txt:
The batch is run from -- C:\Documents and Settings\jorgen\Bureaublad\remv3

Files Found.................
----------------------------------------
dnsping.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
"taskrun.exe"=""
"trayinfo.exe"=""
"subsys.exe"=""
"spoolsvc.exe"=""
"smlogvcc.exe"=""
"sessngr.exe"=""
"rsvxp.exe"=""
"rsn.exe"=""
"rexecs.exe"=""
"resrvc32.exe"=""
"rcip.exe"=""
"proxyconf.exe"=""
"powerconf.exe"=""
"pingnet.exe"=""
"dnsping.exe"=""
"odcfg.exe"=""
"netstart.exe"=""
"netdns.exe"=""
"getdns.exe"=""
"msswchxp.exe"=""
"msng.exe"=""
"msinfo.exe"=""
"netssl.exe"=""
"netdetect.exe"=""
"sfcver.exe"=""
"netcgf.dll"=""
"netcfg.dll"=""
"odbcfg32.dll"=""
"p2pserv.dll"=""
"clfmon.exe"=""
"netssh.exe"=""
"syspack.dll"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]
"taskrun.exe"=""
"trayinfo.exe"=""
"subsys.exe"=""
"spoolsvc.exe"=""
"smlogvcc.exe"=""
"sessngr.exe"=""
"rsvxp.exe"=""
"rsn.exe"=""
"rexecs.exe"=""
"resrvc32.exe"=""
"rcip.exe"=""
"proxyconf.exe"=""
"powerconf.exe"=""
"pingnet.exe"=""
"dnsping.exe"=""
"odcfg.exe"=""
"netstart.exe"=""
"netdns.exe"=""
"getdns.exe"=""
"msswchxp.exe"=""
"msng.exe"=""
"msinfo.exe"=""
"netssl.exe"=""
"netdetect.exe"=""
"sfcver.exe"=""
"clfmon.exe"=""
"netssh.exe"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
"{98DBBF16-CA43-4c33-BE80-99E6694468A4}"=""
"{E9590744-812B-46C3-96EB-33212855927D}"=""
"Files"=""
"Ms4Hd"=""
"Processes"=""
"RegKeys"=""
"RegValues"=""
"Vendor"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]
"clfmon.exe"=""
"netssh.exe"=""
"sessngr.exe"=""
"spoolsvc.exe"=""


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
De volumenaam van station C is j”rgen
Het volumenummer is C09A-1256

Map van C:\WINNT\system32

msi.dll
Finished

2. The housecall scanlog:
Trend Micro Housecall Virus Scan0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your
computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected FileAssociated Virus NameAction Taken




Trojan/Worm Check0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 1 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed: - 0 worm(s)/Trojan(s) passed, 0
worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s)
undeletable
Trojan/Worm NameTrojan/Worm TypeAction Taken
TROJ_SMALL-1TrojanUnknown




Spyware Check3 spyware programs removed

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 3 spyware(s) on your computer. Only 0 out of
0 spywares are displayed: - 0 spyware(s) passed, 0
spyware(s) no action available
- 3 spyware(s) removed, 0 spyware(s) unremovable
Spyware NameSpyware TypeAction Taken
COOKIE_1020CookieRemoval successful
ADW_RBLASTDLL.AAdwareRemoval successful
ADW_SAHAGENT.AAdwareRemoval successful




Microsoft Vulnerability Check44 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 44 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix
Highly CriticalThis vulnerability enables a remote
attacker to execute arbitrary commands via a
malicious web page or e-mail. This is caused by
the Microsoft Virtual Machine allowing the
security settings of Internet Explorer to be
bypassed. MS00-075
Highly CriticalThis vulnerability enables a remote
attacker to execute any file that can be rendered
as text, and be opened as part of a page in
Internet Explorer. MS03-014
CriticalThis vulnerability enables a remote
attacker to cause a denial of service and execute
arbitrary code through a specially formed web page
or HTML e-mail. This is caused by a flaw in the
way the HTML converter for Microsoft Windows
handles a conversion request during a
cut-and-paste operation. MS03-023
CriticalThis vulnerability could allow a remote
attacker to execute arbitrary code via a malformed
RPC request with a long filename parameter. This
is caused by a heap-based buffer overflow found in
the Distributed Component Object Model (DCOM)
interface in the RPCSS Service.;This vulnerability
could allow a remote attacker to cause a denial of
service attack, which could allow local attackers
to gain privileges via certain messages sent to
the __RemoteGetClassObject interface.;This
vulnerability could allow a remote attacker to
execute arbitrary code via a malformed activation
request packet with modified length fields. This
is caused by a heap-based buffer overflow in the
Distributed Component Object Model (DCOM)
interface in the RPCSS Service.;This vulnerability
could allow a remote attacker to cause a denial of
service attack. This is caused by two threads
processing the same RPC request, which will lead
to its using memory after it has been freed.;This
vulnerability could allow a remote attacker to
cause a denial of service attack via a queue
registration request. This is caused by a buffer
overflow in the Microsoft Message Queue Manager.
MS03-039
Highly CriticalThese vulnerabilities, which are
due to Internet Explorer not properly determining
an object type returned from a Web server in a
popup window or during XML data binding,
respectively, could allow an attacker to run
arbitrary code on a user's system. MS03-040
CriticalThis vulnerability allows a remote
attacker to execute arbitrary code without user
approval. This is caused by the authenticode
capability in Microsoft Windows NT through Server
2003 not prompting the user to download and
install ActiveX controls when system is low on
memory. MS03-041
CriticalThis vulnerability allows a remote
attacker to execute arbitrary code on the affected
system. This is caused of a buffer overflow in the
Messenger Service for Windows NT through Server
2003. MS03-043
ImportantThis vulnerability is due to a buffer
overrun in the ListBox and ComboBox controls found
in User32.dll. Any program that implements the
ListBox control or the ComboBox control could
allow arbitrary code to be executed at the same
privilege level. This vulnerability cannot be
exploited remotely. MS03-045
CriticalThis vulnerability could allow an attacker
to access information from other Web sites, access
files on a user's system, and run arbitrary code
on a user's system, wherein this is executed under
the security context of the currently logged on
user.;This vulnerability could allow an attacker
to save a file on the users system. This is due to
dynamic HTML events related to the drag-and-drop
of Internet Explorer.;This vulnerability, which is
due to the incorrect parsing of URLs which contain
special characters, could allow an attacker to
trick a user by presenting one URL in the address
bar, wherein it actually contains the content of
another web site of the attackers choice.
MS04-004
Highly CriticalThe LSASS vulnerability is a buffer
overrun vulnerability allows remote code
execution.;The LDAP vulnerability is a denial of
service (DoS) vulnerability that causes the
service in a Windows 2000 domain controller
responsible for authenticating users in an Active
Directory domain to stop responding.;The PCT
vulnerability is a buffer overrun vulnerability in
the Private Communications Transport (PCT)
protocol, a part of the SSL library, that allows
remote code execution.;The Winlogon vulnerability
is a buffer overrun vulnerability in the Windows
logon process (winlogon) that allows remote code
execution.;The Metafile vulnerability is a buffer
overrun vulnerability that exists in the rendering
of Windows Metafile (WMF) and Enhanced Metafile
(EMF) image formats.;The Help and Support Center
vulnerability allows remote code execution and is
due to the way Help and Support Center handles HCP
URL validation.;The Utility Manager vulnerability
is a privilege elevation vulnerability that exists
due to the way that Utility Manager launches
applications.;The Windows Management vulnerability
is a privilege elevation vulnerability that when
successfully exploited allows a local attacker to
take complete control of a system by executing
commands at the system privilege level.;The Local
Descriptor Table vulnerability is a privilege
elevation vulnerability that when successfully
exploited allows a local attacker to take complete
control of a system by executing commands at with
system privileges.;The H.323 vulnerability is a
buffer overrun vulnerability that when
successfully exploited can allows attackers to
gain full control of a system by arbitrarily
executing commands with system privileges.;Virtual
DOS Machine vulnerability is a privilege elevation
vulnerability that when successfully exploited
allows a local attacker to gain full control of a
system by executing commands with system
privileges.;The Negotiate SSP vulnerability is a
buffer overrun vulnerability that exists in
Microsoft's Negotiate Security Service Provider
(SSP) interface and allows remote code
execution.;The SSL vulnerability exists due to the
way SSL packets are handled and can causes the
affected systems to stop responding to SSL
connection requests.;The ASN.1 'Double-Free'
vulnerability exists in Microsoft's Abstract
Syntax Notation One (ASN.1) Library and allows
remote code execution at the system privilege
level. MS04-011
CriticalThe RPC Runtime Library vulnerability is a
remote code execution vulnerability that results
from a race condition when the RPC Runtime Library
processes specially crafted messages. An attacker
who successfully exploits this vulnerability could
take complete control of an affected system.;The
RPCSS Service denial of service (DoS)
vulnerability allows a malicious user or malware
to send specially-crafted messages to a vulnerable
system, which causes the RPCSS Service to stop
responding.;The RPC Over HTTP vulnerability may be
used to launch a denial of service (DoS) attack
against a system with CIS or RPC over HTTP Proxy
enabled.;When successfully exploited, the Object
Identity vulnerability allows an attacker to force
currently running applications to open network
communication ports, thereby opening a system to
remote attacks. MS04-012
CriticalThe MHTML URL Processing Vulnerability
allows remote attackers to bypass domain
restrictions and execute arbitrary code via script
in a compiled help (CHM) file that references the
InfoTech Storage (ITS) protocol handlers.This
could allow an attacker to take complete control
of an affected system. MS04-013
ModerateThis is a denial of service (DoS)
vulnerability. It affects applications that
implement the IDirectPlay4 Application Programming
Interface (API) of Microsoft DirectPlay.
Applications that use this API are typically
network-based multiplayer games.;An attacker who
successfully exploits this vulnerability could
cause the DirectX application to fail while a user
is playing a game. The affected user would then
have to restart the application. MS04-016
ModerateA denial of service (DoS) vulnerability
exists in Outlook Express that could cause the
said program to fail. The malformed email should
be removed before restarting Outlook Express in
order to regain its normal operation. MS04-018
CriticalThis vulnerability lies in an unchecked
buffer within the Task Scheduler component. When
exploited, it allows the attacker to execute
arbitrary code on the affected machine with the
same privileges as the currently logged on user.
MS04-022
CriticalAn attacker who successfully exploits this
vulnerability could gain the same privileges as
that of the currently logged on user. If the user
is logged in with administrative privileges, the
attacker could take complete control of the
system. User accounts with fewer privileges are at
less risk than users with administrative
privileges. MS04-023
CriticalThe Navigation Method Cross-Domain
Vulnerability is a remote execution vulnerability
that exists in Internet Explorer because of the
way that it handles navigation methods. An
attacker could exploit this vulnerability by
constructing a malicious Web page that could
potentially allow remote code execution if a user
visits a malicious Web site.;The Malformed BMP
File Buffer Overrun Vulnerability exists in the
processing of BMP image file formats that could
allow remote code execution on an affected
system.;The Malformed GIF File Double Free
Vulnerability is a buffer overrun vulnerability
that exists in the processing of GIF image file
formats that could allow remote code execution on
an affected system. MS04-025
ImportantAn unchecked buffer exists in the NetDDE
services that could allow remote code execution.
An attacker who is able to successfully exploit
this vulnerability is capable of gaining complete
control over an affected system. However, the
NetDDe services are not automatically executed,
and so would then have to be manually started for
an attacker to exploit this vulnerability. This
vulnerability also allows attackers to perform a
local elevation of privilege, or a remote denial
of service (DoS) attack. MS04-031
CriticalThis cumulative release from Microsoft
covers four newly discovered vulnerabilities:
Windows Management Vulnerability, Virtual DOS
Machine Vulnerability, Graphics Rendering Engine
Vulnerability, and Windows Kernel Vulnerability.
MS04-032
CriticalThis security bulletin focuses on the
following vulnerabilities: Shell Vulnerability
(CAN-2004-0214), and Program Group Converter
Vulnerability (CAN-2004-0572). Shell vulnerability
exists on the way Windows Shell launches
applications that could enable remote malicious
user or malware to execute arbitrary code.
Windows Shell function does not properly check the
length of the message before copying to the
allocated buffer. Program Group Converter is an
application used to convert Program Manager Group
files that were produced in Windows 3.1, Windows
3.11, Windows for Workgroups 3.1, and Windows for
Workgroups 3.11 so that they can still be used by
later operating systems. The vulnerability lies in
an unchecked buffer within the Group Converter
Utility. MS04-037
CriticalThis is a remote code execution
vulnerability that exists in the Internet
Explorer. It allows remote code execution on an
affected system. An attacker could exploit this
vulnerability by constructing a malicious Web
Page. The said routine could allow remote code
execution if a user visited a malicious Web site.
An attacker who successfully exploited this
vulnerability could take complete control of an
affected system. However, significant user
interaction is required to exploit this
vulnerability. MS04-038
CriticalThis security update addresses and
resolves a vulnerability in Internet Explorer that
could allow remote code execution. A Web page can
be crafted to exploit this vulnerability such that
an arbitrary application can be executed on
visiting systems with the same priviledge as the
currently logged on user. MS04-040
ImportantThis security advisory explains the two
discovered vulnerabilities in Microsoft Word for
Windows 6.0 Converter, which is used by WordPad in
converting Word 6.0 to WordPad file format. Once
exploited, this remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. MS04-041
CriticalA remote code execution vulnerability
exists in HyperTerminal because of a buffer
overrun. If a user is logged on with administrator
privileges, an attacker could exploit the
vulnerability by constructing a malicious
HyperTerminal session file that could potentially
allow remote code execution and then persuade a
user to open this file. This malicious file may
enable the attacker to gain complete control of
the affected system. This vulnerability could also
be exploited through a malicious Telnet URL if
HyperTerminal had been set as the default Telnet
client. MS04-043
ImportantThis security update addresses and
resolves two windows vulnerabilites, both of which
may enable the current user to take control of the
affected system. Both of these vulnerabilites
require that the curernt user be able to log on
locally and execute programs. They cannot be
exploited remotely, or by anonymous users. A
privilege elevation vulnerability exists in the
way that the Windows Kernel launches applications.
This vulnerability could allow the current user to
take complete control of the system. A privilege
elevation vulnerability exists in the way that the
LSASS validates identity tokens. This
vulnerability could allow the current user to take
complete control of the affected system. MS04-044
CriticalThis update resolves a newly-discovered,
publicly reported vulnerability. A vulnerability
exists in the HTML Help ActiveX control in Windows
that could allow information disclosure or remote
code execution on an affected system. MS05-001
CriticalThis update resolves several
newly-discovered, privately reported and public
vulnerabilities. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system,
install programs, view, change, or delete data, or
create new accounts that have full privileges.
MS05-002
ImportantThis update resolves a newly-discovered,
privately reported vulnerability. An attacker who
successfully exploited this vulnerability could
take complete control of an affected system. An
attacker could then install programs, view,
change, or delete data, or create new accounts
with full privileges. While remote code execution
is possible, an attack would most likely result in
a denial of service condition. MS05-003
ImportantThis remote code execution vulnerability
exists in the way Windows handles drag-and-drop
events. An attacker could exploit the
vulnerability by constructing a malicious Web page
that could potentially allow an attacker to save a
file on the users system if a user visited a
malicious Web site or viewed a malicious e-mail
message. MS05-008
CriticalThis remote code execution vulnerability
exists in Server Message Block (SMB). It allows an
attacker who successfully exploits this
vulnerability to take complete control of the
affected system. MS05-011
CriticalThis privilege elevation vulnerability
exists in the way that the affected operating
systems and programs access memory when they
process COM structured storage files. This
vulnerability could grant a currently logged-on
user to take complete control of the system.;This
remote code execution vulnerability exists in OLE
because of the way that it handles input
validation. An attacker could exploit the
vulnerability by constructing a malicious document
that could potentially allow remote code
execution. MS05-012
CriticalThis vulnerability exists in the DHTML
Editing Component ActiveX Control. This
vulnerability could allow information disclosure
or remote code execution on an affected system.
MS05-013
CriticalThis update resolves known vulnerabilities
affecting Internet Explorer. An attacker who
successfully exploits these vulnerabilities could
take complete control of an affected system. An
attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. MS05-014
CriticalA remote code execution vulnerability
exists in the Hyperlink Object Library. This
problem exists because of an unchecked buffer
while handling hyperlinks. An attacker could
exploit the vulnerability by constructing a
malicious hyperlink which could potentially lead
to remote code execution if a user clicks a
malicious link within a Web site or e-mail
message. MS05-015
ImportantA remote code execution vulnerability
exists in the Windows Shell because of the way
that it handles application association. If a user
is logged on with administrative privileges, an
attacker who successfully exploited this
vulnerability could take complete control of the
affected system. However, user interaction is
required to exploit this vulnerability. MS05-016
ImportantThis security bulletin resolves
newly-discovered, privately-reported
vulnerabilities affecting Windows. An attacker who
successfully exploited the most severe of these
vulnerabilities could take complete control of an
affected system. An attacker could then install
programs; view, change, or delete data; or create
new accounts with full user rights. MS05-018
CriticalThis security bulletin resolves newly
discovered, privately-reported vulnerabilities
affecting Windows. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system.
An attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. However, an attacker who
successfully exploited the most severe of these
vulnerabilities would most likely cause the
affected system to stop responding. MS05-019
CriticalThis security bulletin resolves three
newly-discovered, privately-reported
vulnerabilities affecting Internet Explorer. If a
user is logged on with administrative user rights,
an attacker who successfully exploited any of
these vulnerabilities could take complete control
of an affected system. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights.
MS05-020
ImportantThis security advisory explains a
discovered vulnerability in Web View. Web View is
the Windows Explorer preview pane, which is
responsible for displaying information on some
files once they are selected. Web View uses a .DLL
file, WEBVW.DLL, which is a shell Web View content
and control library. It can display information
such as file name, file type, file size, last
modification date, file attributes, file author,
etc. Web View can be exploited due to the way it
handles certain HTML characters. If a user
previews a malicious file, the malicious code can
be executed on the system. However, a certain
malware cannot propagate on its own merely by
exploiting this vulnerability, it still needs a
user to click on the affected file in order to
activate the code. Once exploited, this remote
code execution vulnerability could allow a
malicious user or a malware to take complete
control of the affected system if the user is
currently logged on with administrative
privileges. The malicious user or malware can
execute code on the system giving them the ability
to install or run programs and view or edit data
with full privileges. Thus, this vulnerability can
also be used by the malware for replication
purposes. MS05-024
CriticalThis security bulletin resolves the
following vulnerabilities affecting Internet
Explorer.; The PNG Image Rendering Memory
Corruption vulnerability could allow an attacker
to execute arbitrary code on the system because of
a vulnerability in the way Internet Explorer
handles PNG images.; The XML Redirect Information
Disclosure vulnerability could allow an attacker
to read XML data from another Internet Explorer
domain because of a vulnerability in the way
Internet Explorer handles certain requests to
display XML content. MS05-025
CriticalHTML Help is the standard help system for
the Windows platform. Authors can use it to create
online Help files for a software application or
content for a multimedia title or a Web site.
This vulnerability in HTML Help could allow
attackers to execute arbitrary code on the
affected system via a specially crafted Compiled
Windows Help (CHM) file, because it does not
completely validate input data. MS05-026
CriticalA remote code execution vulnerability
exists in the Microsofts implementation of the
Server Message Block (SMB) protocol, which could
allow an attacker to execute arbitrary codes to
take complete control over a target system. This
vulnerability could be exploited over the
Internet. An attacker would have to transmit a
specially crafted SMB packet to a target system to
exploit it. However, failure to successfully
exploit the vulnerability could only lead to a
denial of service. MS05-027
ImportantA remote code execution vulnerability
exists in Outlook Express when it is used as a
newsgroup reader. An attacker could exploit this
vulnerability by constructing a malicious
newsgroup server that could that potentially allow
remote code execution if a user queried the server
for news. MS05-030
ModerateThis vulnerability could enable an
attacker to spoof trusted Internet content because
security prompts can be disguised by a Microsoft
Agent character. MS05-032



3. The hijackthis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 11:18:09, on 13-7-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Documents and Settings\render\Bureaublad\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\jorgen\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\render\Bureaublad\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domrim.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = domrim.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


PS: I had to download the DelDomains.inf - file from the internet. I suppose that's OK (it didn't seem to be on my PC).

PPSS: could you advise me on what to do with all the virusscaners etc. after the cleanup of my PC (is it better to remove them, or can I use them to do a checkup every x days?). It appears to me that one of the problems was caused a.o. by a popup from the killbox-program (in my toolbar, witch was continuesly hiding and reappearing)

thx.
  • 0

#8
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Your log looks good now how is everything running?
  • 0

#9
griet

griet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
If you say so,

As I mentioned before, everything is running smoothly.

Thanx, you're an ace!

PS: What should I do with the 44 vulnerabilities found by the Housecall scanner?
  • 0

#10
griet

griet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Sorry, I forgot to mention, I still have this list of 'favorites-adresses', of witch I'd like to get rid of.
Can you help me with that?
  • 0

#11
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Are you talking about Favorites like bookmarks? If so you should be able to simply delete those.

The way to fix those vulnerabilities is to go to Windows update and install all "Security Updates"
  • 0

#12
griet

griet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OK thanx,

Indeed, they seemed to disappear (and not come back after restart like they did before) after just deleting them.
I guesss my problems are over (for now),


Many thanks for your help!
  • 0

#13
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
You're Welcome! :tazz:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
  • 0

#14
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
  • 0

#15
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP