Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Bloodhound.w32.ep, w32.desktophijack, & more (?) [RESOLVED]


  • This topic is locked This topic is locked

#31
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
EWIDO RESULTS ::

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:12:05 PM, 7/24/2005
+ Report-Checksum: 4B12D1FB

+ Scan result:

:mozilla.12:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End
  • 0

Advertisements


#32
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
PANDA ACTIVE SCAN RESULTS ::


Incident Status Location

Spyware:spyware/iehelp No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\ipreg32.inf

Adware:adware/sahagent No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\setup4002b.ini

Adware:adware/searcher No disinfected C:\WINNT\SYSTEM32\fltmgr.bin
Spyware:spyware/wareout No disinfected C:\WINNT\SYSTEM32\loadctr32.exe

Spyware:spyware/betterinet No disinfected C:\WINNT\SYSTEM32\msexnpfi.exe

Adware:adware/portalscan No disinfected C:\WINNT\SYSTEM32\stcloader.exe

Adware:adware/superspider No disinfected C:\WINNT\SYSTEM32\system32.dll

Adware:adware/cws.searchmeup No disinfected C:\WINNT\mstasks1.exe

Adware:adware/sidesearch No disinfected C:\WINNT\sepsd.bin

Adware:adware/sbsoft No disinfected C:\WINNT\webdlg32.inf

Adware:adware/delfinmedia No disinfected C:\keys.ini

Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\MEDIAGATEWAYX.INSTALLER

Adware:adware/memorywatcher No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP
MANAGEMENT\ARPCACHE\MEMORYWATCHER

Adware:adware/iedriver No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{120E090D-9136-4B78-8258-F0B44B4BD2AC}

Spyware:spyware/istbar No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{faa356e4-d317-42a6-ab41-a3021c6e7d52}

Spyware:Spyware/Iehelp No disinfected C:\WINNT\Downloaded Program Files\ipreg32.inf

Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\setup4002b.ini :

Adware/SBSoft No disinfected C:\WINNT\webdlg32.inf

Adware:Adware/Popup.pop No disinfected C:\WINNT\winsx.inf
  • 0

#33
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
HIJACKTHIS RESULTS (after removing what you requested and all programs and scans were run) ::

Logfile of HijackThis v1.99.1
Scan saved at 5:02:22 PM, on 7/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\110109~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110109~1\EE\AOLServiceHost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101097927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#34
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
also, each time i play a dvd this pop up appears:

desktop:
access to the specified device, path, or file is denied.
  • 0

#35
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

Your HJT log looks a bit clean however I can still see evidences of malwares from the results of the Online scans.

I am making several diagnostics of the problem since I cannot see where they seem to be coming from.


Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


  • 0

#36
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
RESULTS FROM SILENT RUNNER::

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AOL Fast Start" = ""C:\Program Files\America Online 9.0d\AOL.EXE" -b" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"Speed racer" = "C:\Program Files\Creative\PlayCenter\CTSRReg.exe" ["Creative Technology Ltd."]
"AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]
"UpdReg" = "C:\WINNT\Updreg.exe" ["Creative Technology Ltd."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"HPDJ Taskbar Utility" = "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online"]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1101097927\EE\AOLHostManager.exe" ["America Online, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{891F132B-E4BE-4C41-8589-3CABE2558F0C}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\araamon.dll" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "NVDESK32.DLL" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cstyf.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Jeremy Williamson\My Documents\0403georgeshoe.jpg"


Startup items in "Jeremy Williamson" & "All Users" startup folders:
-------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Quicken Scheduled Updates" -> shortcut to: "C:\QUICKENW\bagent.exe" ["Intuit Inc."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{FDC11D31-DBBE-450D-8E06-78A1061E312F}\
"ButtonText" = "Microsoft® JavaScript® Console"
"MenuText" = "JavaScript Console"

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FDC11D31-DBBE-450D-8E06-78A1061E312F}\
"ButtonText" = "Microsoft® JavaScript® Console"
"MenuText" = "JavaScript Console"


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aol.com

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINNT\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINNT\wanmpsvc.exe"" ["America Online, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 87 seconds)
  • 0

#37
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log with be saved at c:\log.txt

  • 0

#38
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
alrighty, here are the results for rkfiles:

C:\Documents and Settings\Jeremy Williamson\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\gpsresl32.exe: FSG!
C:\WINNT\system32\msexnpbi.exe: FSG!
C:\WINNT\system32\msexnpfi.exe: FSG!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\Unwash5.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye
  • 0

#39
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in HERE
  • Install the VX2 Cleaner
  • Start Ad-Aware SE
  • Go to "Plug-ins"
  • Select the VX2 Cleaner plug-in and click "Run Plugin"
  • If your computer isn't infected, click "Close".
If your computer is infected
  • Select "Clean system"
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer
Reboot your PC.

Click HERE to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click Killbox.exe to run it.

Select "Delete on Reboot".

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C


C:\WINNT\system32\gpsresl32.exe
C:\WINNT\system32\msexnpbi.exe
C:\WINNT\system32\msexnpfi.exe



Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart in SAFE MODE and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Reboot in NORMAL MODE.

Go to this website http://virusscan.jotti.org/
Be sure to View Hidden and System Files.
Locate C:\WINNT\Unwash5.exe submit it for analysis then post the results here.

Post a new HijackThis log as well as from the new RKFiles.bat log.
  • 0

#40
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
HIJACKTHIS LOG ::

Logfile of HijackThis v1.99.1
Scan saved at 2:19:30 PM, on 7/26/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\110109~1\EE\AOLHOS~1.EXE
C:\Program Files\America Online 9.0d\waol.exe
C:\PROGRA~1\COMMON~1\AOL\110109~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0d\shellmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101097927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

Advertisements


#41
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
JOTTI VIRUS SCAN RESULTS ::
(i'm not sure which results you needed, so i'm posting whatever's on the page)

Service load: 0% 100%

File: Unwash5.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 a656a6d56316a48907ff762fffacb8dc
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Statistics
Last file scanned at least one scanner reported something about: Trojan-Downloader.Win32.IstBar.ki in callofdutykeygenbyunknown_QgJrUuVvZxYdNhNe.zip, detected by:

Scanner Malware name
AntiVir TR/Dldr.IstBar.JA
ArcaVir Trojan.Downloader.Istbar.Ki
Avast X
AVG Antivirus X
BitDefender Trojan.Downloader.Istbar.KI
ClamAV Trojan.Downloader.Isbar-156
Dr.Web Trojan.Isbar.296
F-Prot Antivirus X
Fortinet W32/IstBar.KI-tr
Kaspersky Anti-Virus Trojan-Downloader.Win32.IstBar.ki
NOD32 X
Norman Virus Control X
UNA X
VBA32 X
  • 0

#42
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
THE RKFILES RESULTS ::

C:\Documents and Settings\Jeremy Williamson\Desktop\malware stuff

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\Unwash5.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye
  • 0

#43
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
also ::

-the vx2cleaner found that my system was clean.

-killbox.exe successfully deleted those 3 files (on the second run in safe mode, they weren't found).
  • 0

#44
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

Very good imbiginjapan, you just did it very well! Cheers your system is now A-OK



You can now uninstall / remove these programs:

ewido (trial)
hijackthis
silent runner
FxIstbar.exe
killbox

:yes: :) :tazz: :( :woot: :tazz: :huh: :( :wub: :hug: :woot:

Congratulations! ;) your system is CLEAN!

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visitmonthly. And to keep your system clean run these free malware scannersweekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
  • 0

#45
imbiginjapan

imbiginjapan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
thank you so much for everything. you were such a great help and i don't know what i would've done without you.

thanks again and take care.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP