Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

WormAlcana [RESOLVED]


  • This topic is locked This topic is locked

#1
macron

macron

    New Member

  • Member
  • Pip
  • 5 posts
Please help here is my log file. :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 1:08:29 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Ryan\Desktop\hijackthis_199\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Ryan\Desktop\l2mfix\second.bat
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122427801498
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
macron

macron

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sry bout the double post...my network is lagging out. I've also read other posts on this same problem but it look to be user specific when it comes to deleting things and such. Any help is appreciated....not going to sleep till this things is dead :tazz:
  • 0

#3
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Ryan and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep. BTW, you owe me a beer!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Ewido Security Suite
Spybot S&D
Ad-Aware

Please install Spybot search & destroy, open it, update it, immunize it, and perform a scan. When it has completed, ensure that you check everything it finds coloured Red only before clicking Fix Selected Problems. If Spybot requests starting again at reboot to clear memory resident malware, please ensure you click YES, giving it permission to do so.

Install Ad-Aware and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page.

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
Now that the updates have been installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If Ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Ryan\Desktop\l2mfix\second.bat

Now close all windows other than HiJackThis, then click Fix Checked. .

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Winupdate

Please notify me of any other programmes that you don’t recognise in that list in your next response

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\winupdate\
C:\Documents and Settings\Ryan\Desktop\l2mfix\

Close Windows Explorer

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

and I will take another look.

Post back a fresh HijackThis log and I will take another look.
  • 0

#4
macron

macron

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Finally done... :tazz: Winupdate was not present in my Add/Remove List, however, I did find it in the Program Files and deleted it. Here are the logs :

Logfile of HijackThis v1.99.1
Scan saved at 5:16:34 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Documents and Settings\Ryan\Desktop\hijackthis_199\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122427801498
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:06:08 AM, 8/9/2005
+ Report-Checksum: 559308E9

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKU\S-1-5-21-854245398-1957994488-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -> Spyware.Antispykeylog : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\iaj74nom.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-6b42b541-15a46d18.class -> Trojan.Java.ClassLoader.f : Cleaned with backup
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4e92308d-20f9fc3a.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-b217405-58f4453a.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-1994f8a3-4b14c9a1.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-22aa6f9b-57ec2770.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Ryan\My Documents\Downloads\wpepro_0.9a.rar/wpepro 0.9a\WPE PRO.exe -> Not-A-Virus.Sniffer.WpePro.a : Cleaned with backup
C:\Documents and Settings\Ryan\My Documents\Downloads\wpepro_0.9a.rar/wpepro 0.9a\WpeSpy.dll -> Not-A-Virus.Sniffer.WpePro.a : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Common Files\eqblspqn\cfpplell\bltuqeps.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\eqblspqn\eempntdppl\ottsqfnbb.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\winupdate\winupdate.exe -> Trojan.Crypt.e : Cleaned with backup
C:\WINDOWS\system32\p2pnetworking.exe -> Backdoor.Rbot.rc : Cleaned with backup
C:\xz.exe -> Backdoor.Rbot.rc : Cleaned with backup


::Report End

P.S. Whats with the YahooPager....i don't want or need it....I hate yahoo ;)

Edited by macron, 09 August 2005 - 06:33 AM.

  • 0

#5
macron

macron

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sry for the second post but there was good and bad news. Upon system restart in normal mode....I ran ad-aware and only 10 out of the 11 WormAlcana elements were deleted. Here's what was left:

Win32.P2P-Worm.Alcan.a Object Recognized!
Type : File
Data : A0038765.dll
TAC Rating : 8
Category : Worm
Comment :
Object : C:\System Volume Information\_restore{06E7FEA4-761E-4FEF-977A-5709D15EC7FD}\RP167\
FileVersion : 3.0.2.0
ProductVersion : 3.02
ProductName : BigSpeed Zip DLL
CompanyName : BigSpeedSoft
InternalName : bszip.dll
LegalCopyright : © BigSpeedSoft
LegalTrademarks : BigSpeed is a trademark of BigSpeedSoft
OriginalFilename : bszip.dll


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 5




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

5:43:06 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:41.776
Objects scanned:102340
Objects identified:1
Objects ignored:0
New critical objects:1

:tazz:
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

If you don't want the Yahoo pager entry, please run HJT and delete it, no problem, but it is legitimate and not a pest. The reason only 10 of the 11 elements were deleted was because the last bit was in system restore, which we have now taken care of.

Happy safe surfing Ryan!
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP