ok here are my logs
smitRem log file
version 2.2
by noahdfear
The current date is: 24/07/2005
The current time is: 14:36:48.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleext.dll
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 15:28:29, 24/07/2005
+ Report-Checksum: B59C8BB2
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-3781ef88-6f814aa5.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-7138915e-6c2ed427.class -> Trojan.Byteverify : Cleaned with backup
C:\DocNSet\Administrator\Cookies\
[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\DocNSet\Administrator\Cookies\administrator@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\DocNSet\Administrator\Cookies\
[email protected][2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\DocNSet\Administrator\Cookies\administrator@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\DocNSet\Administrator\Cookies\
[email protected][2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\DocNSet\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0DEV8PQN\gba1865[1].exe -> Dialer.Generic : Cleaned with backup
C:\DocNSet\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YPORU98T\dba1865[1].exe -> Dialer.Generic : Cleaned with backup
C:\hijackthis\backups\backup-20050704-053619-307.dll -> Trojan.Puper.m : Cleaned with backup
C:\hijackthis\backups\backup-20050704-053641-710.dll -> Trojan.Puper.m : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba1865.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gba1865.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\wininv.dll -> Backdoor.Prorat.11.a : Cleaned with backup
C:\WINDOWS\winlogon.exe -> Backdoor.Prorat.14 : Cleaned with backup
::Report End
Incident Status Location
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-3f7f89b7.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-3f7f89b7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-3f7f89b7.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[Installer.class]
Virus:Bck/Ciadoor.D Disinfected C:\WINDOWS\system31.ere
Logfile of HijackThis v1.99.1
Scan saved at 22:48:18, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess -
http://download.game...nts/y/ct2_x.cabO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
http://messenger.zon...kr.cab31267.cabO16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
http://messenger.zon...er.cab31267.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupd...b?1115472184046O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
http://messenger.zon...nt.cab31267.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://www.pandasoft.../as5/asinst.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{7653D3A3-D40F-4652-AA80-5CCC7ED903B8}: NameServer = 192.168.0.1
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
thank u