JAVA VIRUS(ES) / CANT DELETE [CLOSED]


  • This topic is locked

#16 gatsu (Member, Topic Starter, 16 posts)

Hello...followed your latest steps, found no problems when I ran the MRT.

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:18 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)



I also ran another Panda scan and it gave me this:


Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Glen\Desktop\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Glen\Desktop\l2mfix\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~195304.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~550876.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~554886.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~951652.tmp



What are these .tmp files I can't get rid of? Are they malicious?

Thank you Rawe. :tazz: ;)
  • 0

#17 Rawe (Visiting Staff, 4,746 posts)

Hi again!
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\repair\ssvc.dll
  • Click on the submit button
  • Please post the results in your next reply.
Repeat this step for; C:\WINDOWS\Fonts\pcexp.dll

- Rawe :tazz:
  • 0

#18 gatsu (Member, Topic Starter, 16 posts)

ssvc.dll gave me this message
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

C:\WINDOWS\Fonts\pcexp.dll gave me the same message as well.
  • 0

#19 Rawe (Visiting Staff, 4,746 posts)

Ok, can you run HiJackThis and fix these objects;

O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)


Remember to close any other open windows when you hit "Fix Checked".

Reboot and let me know how it's running now.
  • 0
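The two entries Rawe asks to fix above are O20 (Winlogon Notify) lines whose DLLs HijackThis reports as missing, which agrees with Jotti receiving 0-byte uploads for both paths. The script below is an added example, not part of this thread and not part of HijackThis: it parses a few of the lines gatsu posted (constructed sample) and flags the entries a helper would look at first, namely anything marked "(file missing)" and any Winlogon Notify DLL loaded from outside system32. The system32 rule is a heuristic I am assuming here; the path regex and the `Finding` record are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
"""

# "O4 - ...", "R0 - ...": a section code, a dash, then the entry text.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# First Windows path ending in .exe/.dll; stops before arguments such as /STARTUP.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"


@dataclass
class Finding:
    section: str      # HijackThis section code, e.g. O20
    entry: str        # entry text after the section code
    path: str         # file path referenced by the entry ("" if none found)
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Split one HijackThis line into (section, entry, path); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, entry = m.groups()
    pm = PATH_RE.search(entry)
    return section, entry, (pm.group(1) if pm else "")


def triage(log_text):
    """Return the entries a helper would examine first, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, entry, path = parsed
        reasons = []
        # Orphaned reference: the registry still points at a file that is gone
        # (or hidden from the user), which is what a 0-byte Jotti upload suggests.
        if "(file missing)" in entry:
            reasons.append("file missing")
        # Heuristic (assumption): Winlogon notification DLLs normally live in
        # system32; Fonts\ or repair\ is not where a legitimate one is installed.
        if section == "O20" and not path.lower().startswith(SYSTEM32):
            reasons.append("winlogon notify DLL outside system32")
        if reasons:
            findings.append(Finding(section, entry, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.path}  <- {', '.join(f.reasons)}")
```

Run against the sample, the AVG and Steam O4 entries pass, the PartyPoker O9 and WMDM O23 entries are reported for the missing file only, and the two O20 entries are reported for both reasons, which is why they are the ones worth removing first.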

#20 gatsu (Member, Topic Starter, 16 posts)

Hi,

I got rid of those two files and the system seems to be running better now.

I was just curious as to what these .tmp files are? I did another Panda scan; here is the log:


Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\user\Desktop\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\user\Desktop\l2mfix\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~195304.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~550876.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~554886.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~951652.tmp


thank you very much for your time
  • 0

#21 Rawe (Visiting Staff, 4,746 posts)

Can you do the following steps;

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Reboot back into normal mode and post me a new Panda log along with the Ewido one.

- Rawe :tazz:
  • 0

#22 gatsu (Member, Topic Starter, 16 posts)

Hello again,

Here's my Ewido results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:27:52 PM, 8/12/2005
+ Report-Checksum: 8E9E4568

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
:mozilla.12:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.72:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.73:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.97:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.100:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.101:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.102:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.104:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.105:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.108:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.109:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.110:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.111:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.112:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.118:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.119:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.120:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.121:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.122:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.123:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.132:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.133:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.134:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.135:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.136:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.155:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.156:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.159:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.160:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.164:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.165:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.169:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.170:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.172:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.173:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.174:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.175:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.177:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.179:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.180:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.181:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.182:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.183:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.184:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.37a\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\My Documents\Anti-Hack\patchmonitor.zip/OSSMTP.dll -> TrojanSpy.Bancos : Error during cleaning
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\WINDOWS\IFinst25.exe -> Backdoor.Ifinst : Cleaned with backup
C:\WINDOWS\system32\OSSMTP.dll -> TrojanSpy.Bancos : Cleaned with backup
C:\WINDOWS\Temp\~195304.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\WINDOWS\Temp\~550876.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\WINDOWS\Temp\~554886.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\WINDOWS\Temp\~951652.tmp -> TrojanDownloader.WinTool : Cleaned with backup


::Report End


As for the Panda scan... I'm not sure what's happening. After I click on My Computer to scan, it says "Scanning" but nothing happens. After several minutes it starts working properly. It finds some files, but after 5 minutes it just closes my browser & scan.
I'll keep trying and see if I can get a log.
  • 0

#23 Rawe (Visiting Staff, 4,746 posts)

Ewido cleaned up nicely. :tazz:

See if you can delete this file;
C:\Documents and Settings\user\My Documents\Anti-Hack\patchmonitor.zip/OSSMTP.dll

If you can't, try in Safe Mode; if you can't even in Safe Mode, let me know.
  • 0

#24 gatsu (Member, Topic Starter, 16 posts)

I just deleted the zip file.

Is there another reliable online scan I could use... Panda still doesn't work properly.
  • 0

#25 Rawe (Visiting Staff, 4,746 posts)

Maybe try a few of these;

F-secure
Trend Micro
BitDefender
AuditMyPc
eTrust
Shields Up
RAV
Kaspersky
A2 (Trojan scan.)

- Rawe :tazz:
  • 0

#26 gatsu (Member, Topic Starter, 16 posts)

Here's a logfile from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, August 14, 2005 10:03:22
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/08/2005
Kaspersky Anti-Virus database records: 143503
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43081
Number of viruses found: 4
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 1892 sec

Infected Object Name - Virus Name
C:\Documents and Settings\user\Desktop\l2mfix\l2mfix\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Documents and Settings\user\Desktop\l2mfix\l2mfix.exe/l2mfix/Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Documents and Settings\user\Desktop\l2mfix\l2mfix.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Downloads\cs1005.exe/WISE0024.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Downloads\cs1005.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Downloads\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Gator.3202
C:\Downloads\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Gator.3202
C:\Downloads\DivXPro511Adware.exe Infected: not-a-virus:AdWare.Gator.3202
C:\Downloads\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Downloads\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Sierra\Counter-Strike\hltv.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\WINDOWS\system32\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20

Scan process completed.
  • 0

#27 Rawe (Visiting Staff, 4,746 posts)

Hello!

Delete these files;

C:\Downloads\cs1005.exe
C:\Downloads\DivXPro511Adware.exe/stream
C:\Downloads\DivXPro511Adware.exe
C:\Sierra\Counter-Strike\hltv.exe

Empty recycle bin. Can you run another online scan? (I would like to see the results of BitDefender.)

- Rawe :tazz:
  • 0

#28 Rawe (Visiting Staff, 4,746 posts)
I haven't heard from you for a while.. Do you still need help with the problem?
  • 0

#29 gatsu (Topic Starter, Member, 16 posts)
Yes, I'm sorry... was out of town.

Here is BitDefender results:

BitDefender Online Scanner

Scan report generated at: Tue, Aug 23, 2005 - 17:44:01
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:22:51
Files: 97445
Folders: 3181
Boot Sectors: 2
Archives: 1192
Packed Files: 11281

Results
Identified Viruses: 3
Infected Files: 4
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 4

Engines Info
Virus Definitions: 202273
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scanned File - Status
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 - Detected with: Adware.Wheaterbug.A
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 - Disinfection failed
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 - Deleted
C:\Program Files\AIM\Sysfiles\WxBug.EXE - Update failed
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000481.dll - Detected with: Adware.Wheaterbug.A
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000481.dll - Disinfection failed
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000481.dll - Deleted
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000482.exe - Infected with: Backdoor.IzRam.1.7
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000482.exe - Disinfection failed
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000482.exe - Deleted
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000483.dll - Infected with: Trojan.PWS.Bancos.142
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000483.dll - Disinfection failed
C:\System Volume Information\_restore{67D938BF-620C-4204-A734-85C657487FBC}\RP6\A0000483.dll - Deleted
  • 0

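The two scan logs posted in this thread use different layouts: the Kaspersky WebScanner writes one line per object with archive members after a `/`, while the BitDefender report lists each object up to three times (detection, disinfection result, final action) with archive members after `=>`. The helper below is an added example, not code from the thread or from either vendor: it parses both formats into one list, separates vendor-flagged "not-a-virus" riskware from real malware, marks hits that live under `System Volume Information\_restore` (the reason the next reply asks to disable System Restore), and lists what the scanner did not remove. The sample log text is copied from the posts above; the riskware heuristic (the `not-a-virus:` and `Adware.` prefixes) is my own assumption about naming, not the vendors' taxonomy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the Kaspersky log posted above (a few representative lines).
KASPERSKY_LOG = """\
Infected Object Name - Virus Name
C:\\Downloads\\cs1005.exe/WISE0024.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\\Downloads\\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Gator.3202
C:\\Program Files\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\\WINDOWS\\system32\\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20

Scan process completed.
"""

# Constructed from the BitDefender report posted above: object line followed
# by status line, repeated for detection, disinfection result and final action.
BITDEFENDER_LOG = """\
C:\\Program Files\\AIM\\Sysfiles\\WxBug.EXE=>wise0008
Detected with: Adware.Wheaterbug.A
C:\\Program Files\\AIM\\Sysfiles\\WxBug.EXE=>wise0008
Disinfection failed
C:\\Program Files\\AIM\\Sysfiles\\WxBug.EXE=>wise0008
Deleted
C:\\System Volume Information\\_restore{67D938BF-620C-4204-A734-85C657487FBC}\\RP6\\A0000482.exe
Infected with: Backdoor.IzRam.1.7
C:\\System Volume Information\\_restore{67D938BF-620C-4204-A734-85C657487FBC}\\RP6\\A0000482.exe
Disinfection failed
C:\\System Volume Information\\_restore{67D938BF-620C-4204-A734-85C657487FBC}\\RP6\\A0000482.exe
Deleted
"""


@dataclass
class Finding:
    path: str        # file on disk (the outer container for archive members)
    member: str      # nested member inside that container, "" if top level
    detection: str   # vendor detection name
    action: str = ""  # last status the scanner reported ("Deleted", "Disinfection failed", ...)

    @property
    def riskware(self) -> bool:
        # Heuristic, my assumption about naming: Kaspersky prefixes tools, proxies
        # and adware with "not-a-virus:"; BitDefender names adware "Adware.*".
        return self.detection.startswith("not-a-virus:") or self.detection.startswith("Adware.")

    @property
    def in_restore_point(self) -> bool:
        # System Restore snapshots are protected; an AV cannot clean them in place,
        # which is why helpers ask to turn System Restore off and back on.
        return "\\system volume information\\_restore" in self.path.lower()


KASPERSKY_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")


def parse_kaspersky(text: str) -> list[Finding]:
    """One 'object Infected: name' line per hit; archive members follow a '/'."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if not m:
            continue  # header, blank lines, "Scan process completed."
        outer, _, inner = m.group("obj").partition("/")
        findings.append(Finding(outer, inner, m.group("name")))
    return findings


def parse_bitdefender(text: str) -> list[Finding]:
    """Object/status line pairs; merge repeats so each object keeps its last action."""
    by_obj: dict[str, Finding] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for obj, status in zip(lines[0::2], lines[1::2]):
        outer, _, inner = obj.partition("=>")
        f = by_obj.setdefault(obj, Finding(outer, inner, ""))
        if status.startswith(("Detected with:", "Infected with:")):
            f.detection = status.split(":", 1)[1].strip()
        else:
            f.action = status
    return list(by_obj.values())


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Buckets a helper would look at first when reading a posted log."""
    return {
        "malware": [f for f in findings if not f.riskware],
        "riskware": [f for f in findings if f.riskware],
        "restore_point": [f for f in findings if f.in_restore_point],
        # Kaspersky WebScanner only reports, so every hit there is still pending.
        "pending": [f for f in findings if f.action != "Deleted"],
    }


if __name__ == "__main__":
    all_hits = parse_kaspersky(KASPERSKY_LOG) + parse_bitdefender(BITDEFENDER_LOG)
    for bucket, items in triage(all_hits).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.path}" + (f" [{f.member}]" if f.member else "") + f" -> {f.detection} {f.action}")
```

The separation matters when reading such logs: every Kaspersky hit in this thread is riskware (a game server proxy, mIRC, a process tool bundled with a fix utility), while the only real malware BitDefender found sat inside an old restore point, where it stays dormant until the snapshot is restored or purged.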
#30 Rawe (Visiting Staff, 4,746 posts)
First disable system restore..

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Run Ewido and save the log.

Reboot.

Enable system restore..

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


Set up a new restore point.

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post me the Ewido log with the Kaspersky results..

- Rawe :tazz:
  • 0