Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Desk Top Hijack and Others [CLOSED]

Started by BStone , Aug 08 2005 12:07 PM

This topic is locked

#1
BStone

Posted 08 August 2005 - 12:07 PM

New Member

Member
3 posts

Somehow I logged onto my computer today and it was totally screwed up. I don't know who did it, nor do I care. I just need some help taking out this stuff. I have tried Spybot and CWShredder, neither have gotten rid of the nasty stuff. Heres the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 2:03:11 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\MotorolaDAP.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipsz.exe
C:\WINDOWS\System32\intell32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\system32\sdkrm.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian.HP29447202212\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp41C9.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [ipsz.exe] C:\WINDOWS\ipsz.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: http://www.vb4all.net
O16 - DPF: {6593739B-94DD-4CBC-867E-588840FB776B} (pIRCy.pIRCyx) - http://www.vb4all.net/fc/pIRCy.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21B1E13D-0CC0-4DF4-B5A8-72A46740D96F}: NameServer = 24.29.1.219,24.29.1.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFD5CE69-ADA6-4676-94F3-4AA9AE0212EB}: NameServer = 24.29.1.219,24.29.1.218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkrm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\System32\MotorolaDAP.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
BStone

Posted 08 August 2005 - 12:13 PM

New Member

Topic Starter
Member
3 posts

#3
greyknight17

Posted 08 August 2005 - 12:47 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

Please do not create duplicate topics. Be patient, you posted them in less than 10 minutes apart :tazz:

Some users wait here for days. I merged them together.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download cwsserviceremove http://www.greyknigh...rviceremove.zip and unzip it to your desktop. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp41C9.tmp
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [ipsz.exe] C:\WINDOWS\ipsz.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkrm.exe

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Delete these if found:

C:\WINDOWS\System32\hp41C9.tmp
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\ipsz.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\system32\sdkrm.exe

Run cwsserviceremove.reg and say yes to add it to the registry.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis, Panda ActiveScan, smitfiles.txt and Ewido.

#4
BStone

Posted 08 August 2005 - 05:17 PM

New Member

Topic Starter
Member
3 posts

You guys seriously rule! My computer is a lot better, however here are the logs you asked for.

FIND IT LOG

------------------------------

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 08/08/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\NPKCSVC.EXE
* UPX! C:\WINDOWS\IFINST27.EXE

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 58D4-0625

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 58D4-0625

Directory of C:\WINDOWS\system32

08/08/2005 05:30 PM 1,406 AddQuit.ico
08/08/2005 05:30 PM 9,470 Desktop.ico
08/08/2005 05:30 PM 1,406 Help.ico
08/08/2005 05:30 PM 5,350 IE.ico
08/08/2005 05:30 PM 1,718 Open.ico
08/08/2005 05:30 PM 1,718 Quick.ico
08/08/2005 05:30 PM 2,550 Uninstall.ico
7 File(s) 23,618 bytes
0 Dir(s) 2,408,194,048 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

END OF FIND IT LOG

------------------------------------------

Panda Activescan LOG

Incident Status Location

Spyware:spyware/cydoor No disinfected C:\WINDOWS\cache277
Adware:adware/savenow No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-50c9a229-78b4719e.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-50c9a229-78b4719e.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5be9df7-61c2ec35.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nocheat.jar-11f63847-313eaf19.zip[Dummy.class]
Virus:W32/Magistr.B Disinfected Archive Folders\Deleted Items\Highsmith: It is a great.\letter.bat
Virus:W32/Zafi.B.worm Disinfected Personal Folders\Deleted Items\Don`t worry, be happy!\www.ecard.com.funny.picture.index.nude.php356.pif
Virus:W32/Magistr.B Disinfected Personal Folders\Deleted Items\Highsmith: It is a great.\letter.bat
Virus:W32/Zafi.B.worm Disinfected Personal Folders\Deleted Items\Don`t worry, be happy!\www.ecard.com.funny.picture.index.nude.php356.pif
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2d1d9b17-570b83d6.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-50c9a229-18b29f85.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5aa61af4-73f59a11.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv102.jar-7fb6d57-7cdaaef5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv233.jar-6327cb56-1a254892.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv233.jar-6327cb56-1a254892.zip[Matrix.class]
Virus:Exploit/iFrame Disinfected Archive Folders\Deleted Items\Deleted Items\Re: Let's be friends\reply.htm
Virus:W32/Bugbear.B Disinfected Archive Folders\Deleted Items\Deleted Items\RE: TFT Meeting\United Defense Presentation.ppt.pif
Virus:W32/Magistr.B Disinfected Archive Folders\Deleted Items\Deleted Items\Net [email protected] 2 August.\Instrument.bat
Virus:W32/Zafi.B.worm Disinfected Archive Folders\Deleted Items\Don`t worry, be happy!\www.ecard.com.funny.picture.index.nude.php356.pif
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-6d181bc9-1365b77d.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nocheat.jar-11f63847-5a8f3e58.zip[Dummy.class]
Possible Virus. No disinfected C:\Downloads\Mir3Full.exe
Possible Virus. No disinfected C:\Downloads\skyblade\SkyBlade_Client\Patch.psh
Possible Virus. No disinfected C:\Downloads\skyblade.zip[Patch.psh]

END PANDA

---------------------------------

SMITFILES

smitRem log file
version 2.3

by noahdfear

The current date is: Mon 08/08/2005
The current time is: 15:12:41.21

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

intell32.exe
oleext.dll
wppp.html
intmonp.exe
msmsgs.exe
ole32vbs.exe
msole32.exe
shnlog.exe
intmon.exe
hhk.dll
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

uninstIU.exe
sites.ini
popuper.exe

~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:

END SMITFILES

--------------------------------

EWIDO

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:23:15 PM, 8/8/2005
+ Report-Checksum: BBF997E5

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{3CE36D52-D914-5BA5-C0E2-3F53AE992ABB} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8138EE4F-2AC5-6CBF-E88D-A0A94EE71F0C} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-50c9a229-78b4719e.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5be9df7-61c2ec35.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nocheat.jar-11f63847-313eaf19.zip/Matrix.class -> TrojanDownloader.OpenConnection.s : Error during cleaning
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2d1d9b17-570b83d6.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2d1d9b17-570b83d6.zip/Beyond.class -> Trojan.Java.ClassLoader.k : Error during cleaning
C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-50c9a229-18b29f85.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5aa61af4-73f59a11.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Debra\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Debra\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-6d181bc9-1365b77d.zip/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nocheat.jar-11f63847-5a8f3e58.zip/Matrix.class -> TrojanDownloader.OpenConnection.s : Error during cleaning
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\erica@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\erica@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\erica@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\erica@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][2].txt -> Spyware.Cookie.Adbutler : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.I12 : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\erica@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\erica@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Erica.HP29447202212\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\RECYCLER\NPROTECT\00174439.TXT -> Spyware.Cookie.Onestat : Cleaned with backup
C:\RECYCLER\NPROTECT\00174441.TXT -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\RECYCLER\NPROTECT\00174445.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00174455.TXT -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\RECYCLER\NPROTECT\00174463.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00175961.TXT -> Spyware.Cookie.Adocean : Cleaned with backup
C:\RECYCLER\NPROTECT\00175967.TXT -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\00175968.TXT -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\00175969.TXT -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\00176014.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00176015.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00180073.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00180074.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00180402.TXT -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00180532.TXT -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00180783.EXE -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\RECYCLER\NPROTECT\00180788.EXE -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\RECYCLER\NPROTECT\00180796.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\RECYCLER\NPROTECT\00180798.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00180811.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00180820.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181413.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181427.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181635.exe -> Dialer.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00181708.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181725.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181728.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181737.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181740.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181741.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181744.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181753.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181756.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181762.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181767.TXT -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\RECYCLER\NPROTECT\00181778.TXT -> Spyware.Cookie.Spylog : Cleaned with backup
C:\RECYCLER\NPROTECT\00181786.TXT -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\00181800.TXT -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00181807.TXT -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00181809.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00181819.TXT -> Spyware.Cookie.Adocean : Cleaned with backup
C:\RECYCLER\NPROTECT\00181820.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00181856.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181898.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181900.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00181976.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182040.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182048.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182061.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182096.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182148.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182167.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182208.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182224.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182226.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182230.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182241.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182245.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182251.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182252.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00182253.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-4152783838-1037494192-3789139140-1009\Dc1.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlww32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3au.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\explorer.scf:edqgah -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ieby.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipsz.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msdfmap.ini:idtwe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32:mmaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\addtr.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appzl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3yn.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcwg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netpv32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ghyktn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:mjuux -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:nwoefm -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:vvvzlj -> TrojanDownloader.Agent.bc : Cleaned with backup

::Report End

END EWIDO

----------------

Whats the final verdict?

#5
greyknight17

Posted 08 August 2005 - 09:50 PM

Malware Expert

Visiting Consultant
16,560 posts

Boot into Safe Mode. Delete these if found:

C:\Downloads\Mir3Full.exe
C:\Downloads\skyblade\SkyBlade_Client\Patch.psh - unless you know what this is and are 100% sure it's safe to keep, delete it
C:\Downloads\skyblade.zip - unless you know what this is and are 100% sure it's safe to keep, delete it
C:\WINDOWS\cache277
C:\WINDOWS\system32\AddQuit.ico
C:\WINDOWS\system32\Desktop.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\IE.ico
C:\WINDOWS\system32\Open.ico
C:\WINDOWS\system32\Quick.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\IFINST27.EXE

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Restart and post a new Panda log and a new HijackThis log.

#6
greyknight17

Posted 26 August 2005 - 08:14 PM

Malware Expert

Visiting Consultant
16,560 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.