
Trojan Help Desperately Needed [RESOLVED]


  • This topic is locked

#16
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again PCochrane

Did you carry out the fix?

This doesn't sound like malware to me. But in order to err on the side of caution, run this to see if there is something that we cannot see.

Download FindIt.zip to your desktop:
FindIt.zip

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt.bat and wait for notepad to open a text file. It may take a while, so please be patient.
3. Then post the results here along with a new HJT log

Please try not to reboot until I check the contents of the Findit log...
  • 0


#17
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok...here's the HJT log....


Logfile of HijackThis v1.99.1
Scan saved at 6:04:14 PM, on 07/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\COMMON~1\AOL\112008~1\EE\AOLHOS~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\COMMON~1\AOL\112008~1\EE\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Documents and Settings\Owner\Desktop\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Yahoo!\Antivirus\autodown.exe


and here is the Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:51:50 PM, 07/25/2005
+ Report-Checksum: E56D9F95

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Ignored
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Ignored
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Cookie.Hitbox : Ignored
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt -> Spyware.Cookie.Overture : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\atrc8parb_.exe -> Adware.SAHA : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\liqp7c25q_.dll -> Adware.SAHA : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\RNNB7SFJ.dll -> Adware.SAHA : Ignored
HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Spyware.MoneyMaker : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
C:\a3643fds.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\a3643fds.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\dffjj.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\dffjj.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\578MXIUQ\Bridge-c139[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Error during cleaning
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\578MXIUQ\d[1].exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\578MXIUQ\d[1].exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MAZTC8MX\lg[1].exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MAZTC8MX\lg[1].exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\180sainstallernusac.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD2.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD4.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD5.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD6.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD7.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\THI71B1.tmp\imGiant.cab/imGiant.dll -> Adware.BetterInternet : Error during cleaning
C:\Documents and Settings\Owner\Local Settings\Temp\THI71B1.tmp\imGiant.dll -> Adware.BetterInternet : Cleaned with backup
C:\e5ygh.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\e5ygh.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\g64fff4.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\g64fff4.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\l9uk7fh.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\l9uk7fh.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\lg.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\lg.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc1.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc10.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc12.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc13.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc14.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc15.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc16.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc19.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3HISTSW.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3HTMLMU.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3POPSWT.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3PSSAVR.SCR -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3RESTUB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3SCHMON.EXE -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\F3WPHOOK.DLL -> Spyware.Wesbar : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\M3SKIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\bar\1.bin\MWSOESTB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-75778774-2061035318-3407411993-1003\Dc22\SrchAstt\1.bin\MWSSRCAS.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\temp\180SAInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\imGiant.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\slipit.exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\WINDOWS\split.exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\WINDOWS\system32\2nse9n0v.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\cigwxy.dll -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\msconfig32.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\Sxlhsn.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Error during cleaning
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Error during cleaning
C:\xdf5r.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\xdf5r.exe/kans.reg -> Trojan.WinREG.LowZones.f : Error during cleaning


::Report End

I will await your reply!!
Seems to be running well!!
Do I have to keep all of this stuff on my computer?? Or can I get rid of some of it?
thanks again for all of your help!!!
:tazz:
  • 0

#18
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
haven't gotten to the zip it log yet!! I will try this evening!!
thanks
  • 0

#19
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

The last HJT log you submitted appears to be a little shorter than usual. Please resubmit it in its entirety.

Your Ewido log, for some reason, appears to show many of the problems with either an Error during cleaning status or an ignored status. Neither are good.

To be doubly sure that we are moving in the right direction, please visit TrendMicro for an online scan.

Then please repeat the Ewido scan and post back a fresh HJT log.

Edited by Crustyoldbloke, 25 July 2005 - 05:32 PM.

  • 0
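As an added illustration of the point made in the post above about "Error during cleaning" and "Ignored" statuses (this is not code from the thread, from ewido, or from Geeks to Go), here is a small Python triage script that parses a report in the format quoted in this thread, counts results by status, lists the on-disk files that still hold uncleaned detections, and compares two scans to see what was reported again. The two sample reports embedded in it are constructed, and every file and detection name in them is a placeholder.

```python
"""Triage helper for ewido security suite scan reports (the format quoted in this thread).

Each result line has the shape
    <object path> -> <detection name> : <status>
where the object path may name a member inside an archive or dropper after a '/'
(e.g. 'C:\\something.exe/kans.reg'). Statuses seen in the thread are
'Cleaned with backup', 'Error during cleaning' and 'Ignored'; only the first
one means the object was actually removed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Match '<path> -> <detection> : <status>'. Detection names contain no spaces and
# ' -> ' never occurs inside a Windows path, so the split is unambiguous even
# though paths themselves may contain spaces.
RESULT_RE = re.compile(r"^(?P<obj>.+?) -> (?P<detection>\S+) : (?P<status>.+?)\s*$")

# Statuses that mean the object was NOT removed and still needs attention.
UNRESOLVED = {"Error during cleaning", "Ignored"}


@dataclass(frozen=True)
class Finding:
    obj: str         # full object path, including any archive member after '/'
    detection: str   # ewido detection name
    status: str      # cleaning status

    @property
    def container(self) -> str:
        """Path of the on-disk file: for 'C:\\x.exe/kans.reg' that is 'C:\\x.exe'."""
        return self.obj.split("/", 1)[0]


def parse_report(text: str) -> List[Finding]:
    """Parse the '+ Scan result:' lines of an ewido report into Findings.

    Header lines ('+ Created on:', '----', '::Report End') and blank lines do not
    match the result pattern and are skipped.
    """
    findings = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            findings.append(Finding(m["obj"], m["detection"], m["status"]))
    return findings


def status_counts(findings: List[Finding]) -> Dict[str, int]:
    """How many results carry each status."""
    return dict(Counter(f.status for f in findings))


def unresolved(findings: List[Finding]) -> List[Finding]:
    """Findings the scanner did not actually clean (the 'neither are good' cases)."""
    return [f for f in findings if f.status in UNRESOLVED]


def unresolved_containers(findings: List[Finding]) -> Set[str]:
    """On-disk files (or registry keys) that still hold an unresolved detection.

    A member inside a dropper cannot be cleaned on its own; the whole container
    file is what has to be dealt with, so that is what gets reported.
    """
    return {f.container for f in unresolved(findings)}


def still_present(before: List[Finding], after: List[Finding]) -> List[Finding]:
    """Objects reported in 'before' that show up again in 'after'."""
    after_objs = {f.obj for f in after}
    return [f for f in before if f.obj in after_objs]


# Constructed sample reports in the ewido format (placeholder names, not values
# copied from the thread).
FIRST_REPORT = """\
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:00:00 PM, 01/01/2005
+ Report-Checksum: 00000000

+ Scan result:

HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001} -> Spyware.Example : Ignored
C:\\dropper1.exe/payload.reg -> Trojan.WinREG.Example : Error during cleaning
C:\\dropper1.exe/payloadup.reg -> Trojan.WinREG.Example : Error during cleaning
C:\\Documents and Settings\\User\\Cookies\\user@tracker[1].txt -> Spyware.Cookie.Example : Cleaned with backup
C:\\WINDOWS\\system32\\rogue.exe -> Backdoor.Example : Cleaned with backup


::Report End
"""

SECOND_REPORT = """\
+ Scan result:

C:\\dropper1.exe/payload.reg -> Trojan.WinREG.Example : Cleaned with backup
C:\\dropper1.exe/payloadup.reg -> Trojan.WinREG.Example : Cleaned with backup

::Report End
"""

if __name__ == "__main__":
    first = parse_report(FIRST_REPORT)
    second = parse_report(SECOND_REPORT)
    print("first scan by status:", status_counts(first))
    print("still needs attention:", sorted(unresolved_containers(first)))
    print("reported again in second scan:", [f.obj for f in still_present(first, second)])
```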

#20
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ewido said that it could not fix a couple of them because they were embedded, and asked if I wanted to delete the whole thing; I thought it better to be safe than sorry!! I will run a new HJT and then run Ewido again if you tell me that it's ok to delete entire files?
  • 0

#21
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
It is very rare for Ewido to make an error although it has been known. The only time you should not delete a file is if YOU KNOW it to be a legitimate application.

This infection you have is a very nasty and persistent one.
  • 0

#22
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok....I will run it again when I get home from work (that's where I am currently, so I am unable to run it right now). There were a couple of things that it found that I wasn't sure exactly what they were or if I needed them, so I kept them! But if you say that the ones listed with errors need deleting, then that's the way it will be done!! Thanks again for all of your help! As far as the HJT log...I will run that again once the Ewido is done!
  • 0

#23
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok...I don't want this topic shut down or closed so I needed to post this... last night we were hit with some pretty hard storms so I didn't think that was the time to be trying to fix my computer!! And the next couple of days are jam packed w/ extra curricular activities w/ my kids so I won't have a chance to get to the puter until Friday afternoon! Just wanted to let you know so you don't think I have tried to ditch this!! thanks again!!!
  • 0

#24
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Thanks for the heads up. I will keep the thread open.
  • 0

#25
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thank you very much!!!!
  • 0


#26
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok....below is the ewido suite log and the HJT log....let me know!! Seems to be running really well right now!!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:43:55 PM, 07/29/2005
+ Report-Checksum: 6621F6AB

+ Scan result:

C:\a3643fds.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\a3643fds.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\dffjj.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\dffjj.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\578MXIUQ\Bridge-c139[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\578MXIUQ\d[1].exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\578MXIUQ\d[1].exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MAZTC8MX\lg[1].exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MAZTC8MX\lg[1].exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\e5ygh.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\e5ygh.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\g64fff4.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\g64fff4.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\l9uk7fh.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\l9uk7fh.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\lg.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\lg.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\xdf5r.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\xdf5r.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 4:46:41 PM, on 07/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120087211\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://kwikemart.int.uhs.com/qp2.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://hqmail01.int....com/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120935028592
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak01.picture...US.9.1.6.20.cab
O16 - DPF: {A6A216EB-4F7C-11D5-8438-0000B456BA3D} (Matn5250 Control) - https://workflow.int...50/matn5250.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\Desktop\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#27
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Congratulations! Your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check *Turn off System Restore*.
   Click Apply, and then click OK.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL - A fine free malware detector and removal programme.
SPYBOT S&D - Excellent free spyware detector and removal programme.
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programme for "on demand" scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

Happy safe surfing PCochrane!
  • 0

#28
pcochrane

pcochrane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thank you once again for all of your great help!! I was about ready to ditch the box!! I don't know that I could've gotten through this nasty little virus without your help!!
thanks again!!!!!
  • 0

#29
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





