Ok I'm back. This will be a looong post.
Had trouble with the RubberDucky link (it says I don't have permission), but I already had About Buster; is it the same? I performed all steps assuming that these About Busters were the same.
Results:
Safe Mode
AboutBuster 5.0 reference file 31
Scan started on [8/15/2005] at [10:17:17 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\clock.avi:jbywhc
Removed Stream! C:\WINDOWS\desktop.ini:udcodx
Removed Stream! C:\WINDOWS\FaxSetup.log:fefzzk
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
------------------------------------------------
Removed File! : C:\Windows\gqjpd.dll
Removed File! : C:\Windows\System32\wskwz.dat
Removed File! : C:\Windows\System32\wumfe.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:17:39 AM
Upon reset and rerun it came up "clean".
CWShredder didn't have anything to fix.
Ran SpSeHjfix (several times, oops):
(8/15/05 10:22:01 AM) SPSeHjFix started v1.1.2
(8/15/05 10:22:01 AM) OS: WinXP Service Pack 1 (5.1.2600)
(8/15/05 10:22:01 AM) Language: english
(8/15/05 10:22:01 AM) Win-Path: C:\WINDOWS
(8/15/05 10:22:01 AM) System-Path: C:\WINDOWS\System32
(8/15/05 10:22:01 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(8/15/05 10:22:19 AM) Disinfection started
(8/15/05 10:22:19 AM) Bad-Dll(IEP): c:\windows\system32\xrnjj.dll
(8/15/05 10:22:19 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:19 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:19 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\xrnjj.dll/sp.html#14044
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
(8/15/05 10:22:19 AM) Stealth-String not found
(8/15/05 10:22:19 AM) No locked Files to delete. End without Reboot
(8/15/05 10:22:26 AM) Disinfection started
(8/15/05 10:22:26 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:22:26 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:26 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:26 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\gqjpd.dll/sp.html#14044
(8/15/05 10:22:26 AM) Stealth-String not found
(8/15/05 10:22:26 AM) No locked Files to delete. End without Reboot
(8/15/05 10:22:39 AM) Disinfection started
(8/15/05 10:22:39 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:22:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:39 AM) Bad IE-pages: (none)
(8/15/05 10:22:39 AM) Stealth-String not found
(8/15/05 10:22:39 AM) No locked Files to delete. End without Reboot
(8/15/05 10:22:58 AM) Disinfection started
(8/15/05 10:22:58 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:22:58 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:58 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:58 AM) Bad IE-pages: (none)
(8/15/05 10:22:58 AM) Stealth-String not found
(8/15/05 10:22:58 AM) No locked Files to delete. End without Reboot
(8/15/05 10:23:39 AM) Disinfection started
(8/15/05 10:23:39 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:23:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:23:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:23:39 AM) Bad IE-pages: (none)
(8/15/05 10:23:39 AM) Stealth-String not found
(8/15/05 10:23:39 AM) No locked Files to delete. End without Reboot
Next I ran Cleanup; it removed close to 500 MB of junk.
Then I rebooted in normal mode. My background is back to normal; however, when I click on Internet Explorer, Spybot warns me that things are changing in the registry.
Ran Kaspersky: it found all kinds of bad stuff. There was no "fix" button in Kaspersky, so I assume this was just a check.
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Owner\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 21182
Number of viruses found: 5
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 1150 sec
Infected Object Name - Virus Name
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\albedfik.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\alhellpk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\chnbpdfd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\hppanfcd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\icckfaga.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jafbpqng.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jdkjqgef.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lkekdonq.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lmfglgdo.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lncgpjmd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\mkhqqlnk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\ngffkcdm.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\nghdllke.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\njdcbhmk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\x.html Infected: Trojan.WinREG.LowZones.a
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev
Scan process completed.
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 94417
Number of viruses found: 28
Number of infected objects: 108
Number of suspicious objects: 13
Duration of the scan process: 5384 sec
Infected Object Name - Virus Name
C:\Documents and Settings\Default User\x.html Infected: Trojan.WinREG.LowZones.a
C:\Documents and Settings\Owner\Desktop\hijackthis\hijackthis1 Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Owner\x.html Infected: Trojan.WinREG.LowZones.a
C:\ntfirewall.exe Infected: Trojan-Downloader.Win32.Small.mt
C:\Program Files\Kazaa\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\Program Files\Kazaa\PerfectNavUninstall.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04CC449E.exe Infected: Backdoor.Win32.SdBot.acf
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A3137F6.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AE11334.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B12212B.exe/ Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B12212B.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13A618E7.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13A618E7.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13A618E7.exe Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18AF21DC.exe Infected: Trojan-Downloader.Win32.Tibs.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C25509A Infected: Email-Worm.Win32.Mimail.r
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\205D6646.exe Infected: Trojan.Win32.StartPage.tj
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27D90953.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2BD137ED.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2CCB2EAE Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31281132.exe Infected: Trojan-Downloader.Win32.Small.mt
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32B26872.exe Infected: Trojan.Win32.StartPage.tj
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\36B32CE2.exe Infected: Backdoor.Win32.SdBot.acf
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B204975.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B6D08CD.exe Infected: Trojan-Downloader.Win32.Intexp.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3DDB6274.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41F87047.reg Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\433C2040.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\454A432B.exe Infected: Trojan-Downloader.Win32.PurityScan.e
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B253224.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B253224.reg Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B253224.sys Infected: Backdoor.Win32.SdBot.zo
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C111770.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C111770.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C111770.exe Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C14416C.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C14416C.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C14416C.exe Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5ED5337B.dll Infected: Virus.Win32.Nsag.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F8E4992.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\604822C5.cla Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60554AB7.cla Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\605974B3.cla Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61181052.dll Infected: Trojan-Downloader.Win32.Agent.mh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C5C3A0C.exe Infected: Trojan-Downloader.Win32.Small.mt
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720935CC.exe Infected: Trojan-Downloader.Win32.PurityScan.e
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720C5FC9.dll Infected: Trojan-Downloader.Win32.IstBar.fa
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720C5FC9.exe/ Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720C5FC9.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721009C5.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721333C2.exe Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72165DBE.exe Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721907BB.exe Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721D31B7.dll Infected: Trojan-Downloader.Win32.Dyfuca.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732E077B.cab/polall1m.exe/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732E077B.cab/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732E077B.cab Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75391783.cab/polall1m.exe/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75391783.cab/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75391783.cab Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F82652C.exe Infected: Trojan-Downloader.Win32.PurityScan.e
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP102\A0019508.dll Infected: Trojan-Downloader.Win32.Agent.mh
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP103\A0019528.DLL Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0026148.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0026173.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0026204.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0027204.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0028229.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0028281.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0028300.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP143\A0028418.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030507.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030534.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030534.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030534.exe Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031526.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031570.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031570.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031570.exe Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032526.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032535.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032535.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032535.exe Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP152\A0032593.exe Infected: Backdoor.Win32.SdBot.acf
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP155\A0033599.EXE Infected: Backdoor.Win32.SdBot.acf
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP155\A0033600.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP155\A0033602.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP157\A0033631.exe Infected: Backdoor.Win32.SdBot.acf
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP163\A0034867.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP163\A0034942.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP163\A0034943.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0035919.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0035924.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0035925.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP185\A0039555.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP185\A0039556.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP99\A0018497.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\albedfik.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\alhellpk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\chnbpdfd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\hppanfcd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\icckfaga.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jafbpqng.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jdkjqgef.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lkekdonq.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lmfglgdo.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lncgpjmd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\mkhqqlnk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\ngffkcdm.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\nghdllke.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\njdcbhmk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\x.html Infected: Trojan.WinREG.LowZones.a
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev
Scan process completed.
Here is my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:38:48 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\msou.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Class - {B1C677B3-B411-DB4C-5060-4FBCDCDEE682} - C:\WINDOWS\appmh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ipst.exe] C:\WINDOWS\ipst.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gfckujdp.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msou.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
To summarize, I think we got part of it, until I clicked on Internet Explorer; then it seems to have spawned itself again. My start page is still changing, although I haven't seen any popups. Thanks for your help, keep it coming.