Need help don't know whats going on



#1
Roden
New Member, 1 posts

Logfile of HijackThis v1.99.1
Scan saved at 8:04:35 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\addkz.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James Roden\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DB307D03-7868-5DF7-BFB1-F83D4E3BAA3C} - C:\WINDOWS\system32\addkz.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netak.exe] C:\WINDOWS\system32\netak.exe
O4 - HKLM\..\Run: [mfcjk32.exe] C:\WINDOWS\system32\mfcjk32.exe
O4 - HKLM\..\Run: [addkz.exe] C:\WINDOWS\system32\addkz.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [netcm32.exe] C:\WINDOWS\system32\netcm32.exe
O4 - HKLM\..\RunOnce: [javalv.exe] C:\WINDOWS\system32\javalv.exe
O4 - HKLM\..\RunOnce: [addln.exe] C:\WINDOWS\system32\addln.exe
O4 - HKLM\..\RunOnce: [msxx.exe] C:\WINDOWS\system32\msxx.exe
O4 - HKLM\..\RunOnce: [atlxo32.exe] C:\WINDOWS\atlxo32.exe
O4 - HKLM\..\RunOnce: [winiy.exe] C:\WINDOWS\system32\winiy.exe
O4 - HKLM\..\RunOnce: [sdkmt.exe] C:\WINDOWS\system32\sdkmt.exe
O4 - HKLM\..\RunOnce: [iegv.exe] C:\WINDOWS\iegv.exe
O4 - HKLM\..\RunOnce: [ntxv32.exe] C:\WINDOWS\system32\ntxv32.exe
O4 - HKLM\..\RunOnce: [ipxx.exe] C:\WINDOWS\system32\ipxx.exe
O4 - HKLM\..\RunOnce: [appqw32.exe] C:\WINDOWS\appqw32.exe
O4 - HKLM\..\RunOnce: [atlyc.exe] C:\WINDOWS\atlyc.exe
O4 - HKLM\..\RunOnce: [ieyp32.exe] C:\WINDOWS\ieyp32.exe
O4 - HKLM\..\RunOnce: [ntri.exe] C:\WINDOWS\system32\ntri.exe
O4 - HKLM\..\RunOnce: [d3wk.exe] C:\WINDOWS\d3wk.exe
O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\system32\crfq.exe
O4 - HKLM\..\RunOnce: [winja.exe] C:\WINDOWS\system32\winja.exe
O4 - HKLM\..\RunOnce: [atlcz.exe] C:\WINDOWS\system32\atlcz.exe
O4 - HKLM\..\RunOnce: [apiok32.exe] C:\WINDOWS\system32\apiok32.exe
O4 - HKLM\..\RunOnce: [msll.exe] C:\WINDOWS\system32\msll.exe
O4 - HKLM\..\RunOnce: [d3ag32.exe] C:\WINDOWS\d3ag32.exe
O4 - HKLM\..\RunOnce: [sysfi.exe] C:\WINDOWS\sysfi.exe
O4 - HKLM\..\RunOnce: [iedd.exe] C:\WINDOWS\iedd.exe
O4 - HKLM\..\RunOnce: [netvv.exe] C:\WINDOWS\system32\netvv.exe
O4 - HKLM\..\RunOnce: [ntxs32.exe] C:\WINDOWS\ntxs32.exe
O4 - HKLM\..\RunOnce: [crla32.exe] C:\WINDOWS\system32\crla32.exe
O4 - HKLM\..\RunOnce: [addip32.exe] C:\WINDOWS\addip32.exe
O4 - HKLM\..\RunOnce: [apiqg.exe] C:\WINDOWS\apiqg.exe
O4 - HKLM\..\RunOnce: [javauk32.exe] C:\WINDOWS\system32\javauk32.exe
O4 - HKLM\..\RunOnce: [mfczf.exe] C:\WINDOWS\system32\mfczf.exe
O4 - HKLM\..\RunOnce: [msmb32.exe] C:\WINDOWS\system32\msmb32.exe
O4 - HKLM\..\RunOnce: [netxh32.exe] C:\WINDOWS\system32\netxh32.exe
O4 - HKLM\..\RunOnce: [apifb.exe] C:\WINDOWS\system32\apifb.exe
O4 - HKLM\..\RunOnce: [ieay.exe] C:\WINDOWS\ieay.exe
O4 - HKLM\..\RunOnce: [sdkfs32.exe] C:\WINDOWS\sdkfs32.exe
O4 - HKLM\..\RunOnce: [winpu32.exe] C:\WINDOWS\winpu32.exe
O4 - HKLM\..\RunOnce: [syshy.exe] C:\WINDOWS\system32\syshy.exe
O4 - HKLM\..\RunOnce: [winhe.exe] C:\WINDOWS\system32\winhe.exe
O4 - HKLM\..\RunOnce: [appps32.exe] C:\WINDOWS\appps32.exe
O4 - HKLM\..\RunOnce: [netio.exe] C:\WINDOWS\system32\netio.exe
O4 - HKLM\..\RunOnce: [netdy.exe] C:\WINDOWS\system32\netdy.exe
O4 - HKLM\..\RunOnce: [atlif32.exe] C:\WINDOWS\atlif32.exe
O4 - HKLM\..\RunOnce: [crlp.exe] C:\WINDOWS\system32\crlp.exe
O4 - HKLM\..\RunOnce: [crfg.exe] C:\WINDOWS\crfg.exe
O4 - HKLM\..\RunOnce: [netyx32.exe] C:\WINDOWS\system32\netyx32.exe
O4 - HKLM\..\RunOnce: [systw32.exe] C:\WINDOWS\system32\systw32.exe
O4 - HKLM\..\RunOnce: [sdknn.exe] C:\WINDOWS\system32\sdknn.exe
O4 - HKLM\..\RunOnce: [netzv.exe] C:\WINDOWS\netzv.exe
O4 - HKLM\..\RunOnce: [crkt32.exe] C:\WINDOWS\system32\crkt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {52AE6DBB-36CA-487B-9F10-C01C367A36AC} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Compaq\Netscape Custom NA XP\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\PH Train & Assess IT\plugin\cab\awswaxf.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netcm32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Also here is a system virus scan from an online site. Here is the log from that.

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, August 30, 2005 19:57:11
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 31/08/2005
Kaspersky Anti-Virus database records: 137657
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\JAMESR~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 23872
Number of viruses found: 1
Number of infected objects: 40
Number of suspicious objects: 0
Duration of the scan process: 2102 sec

Infected Object Name - Virus Name
C:\WINDOWS\.viassary-compaq.bak:eaeidn:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\apini.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\apphg32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\appju32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\atlue32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\crib.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\d3aq32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\d3qp.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\GRADESPEEDHELP.HLP:hvcxdz:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\IconList.txt:uyoifp:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\iehp32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ipjg.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\KB839645.log:dwunen:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\KB887472.log:mdannj:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\mfctm32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\mssh.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netcq.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ntcs32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ntps32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ntrl32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\addkc32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\apifb.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\apifs32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\atlqp32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\d3ow.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\javalv.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\javauk32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\msmb32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\msxx.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\neteq32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\netxh32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\sdkyc32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\winpk32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\sysvj.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:acgnzo:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:btvxik:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:footun:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:wtwbwz:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:xghzox:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:yvpxvd:$DATA Infected: Trojan.Win32.Agent.bi

Scan process completed.


#2
bricat
Visiting Staff (Visiting Consultant), 645 posts

Welcome to the Geeks To Go forum.


Step 1

Download CWShredder from here.
Open CWShredder and click on 'Check for Updates'.
Download any new reference file and then close the program.

Download and install About Buster 5.0 following the instructions here.
Update the program with the latest definitions and install the extra protection:
-- Install Firefox for surfing so that Internet Explorer can be kept closed until you're clean.
-- Install Spywareblaster to prevent future stealth installations of malware.
Do NOT scan with About Buster yet.

Download, install and setup Ewido Security Suite by following the instructions here.
Once updated, close the program without scanning.

Download Cleanup! from here.

Download CWSServicemove.zip from here and unzip it to your desktop. Don't do anything with it yet.

Ensure you're familiar with rebooting into Safe Mode.

Copy the below steps to notepad and save them to your desktop. Close Internet Explorer and disconnect from the internet.



Step 2

Run HJT again and checkmark the boxes next to the following:-


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DB307D03-7868-5DF7-BFB1-F83D4E3BAA3C} - C:\WINDOWS\system32\addkz.dll
O4 - HKLM\..\Run: [netak.exe] C:\WINDOWS\system32\netak.exe
O4 - HKLM\..\Run: [mfcjk32.exe] C:\WINDOWS\system32\mfcjk32.exe
O4 - HKLM\..\Run: [addkz.exe] C:\WINDOWS\system32\addkz.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [netcm32.exe] C:\WINDOWS\system32\netcm32.exe
O4 - HKLM\..\RunOnce: [javalv.exe] C:\WINDOWS\system32\javalv.exe
O4 - HKLM\..\RunOnce: [addln.exe] C:\WINDOWS\system32\addln.exe
O4 - HKLM\..\RunOnce: [msxx.exe] C:\WINDOWS\system32\msxx.exe
O4 - HKLM\..\RunOnce: [atlxo32.exe] C:\WINDOWS\atlxo32.exe
O4 - HKLM\..\RunOnce: [winiy.exe] C:\WINDOWS\system32\winiy.exe
O4 - HKLM\..\RunOnce: [sdkmt.exe] C:\WINDOWS\system32\sdkmt.exe
O4 - HKLM\..\RunOnce: [iegv.exe] C:\WINDOWS\iegv.exe
O4 - HKLM\..\RunOnce: [ntxv32.exe] C:\WINDOWS\system32\ntxv32.exe
O4 - HKLM\..\RunOnce: [ipxx.exe] C:\WINDOWS\system32\ipxx.exe
O4 - HKLM\..\RunOnce: [appqw32.exe] C:\WINDOWS\appqw32.exe
O4 - HKLM\..\RunOnce: [atlyc.exe] C:\WINDOWS\atlyc.exe
O4 - HKLM\..\RunOnce: [ieyp32.exe] C:\WINDOWS\ieyp32.exe
O4 - HKLM\..\RunOnce: [ntri.exe] C:\WINDOWS\system32\ntri.exe
O4 - HKLM\..\RunOnce: [d3wk.exe] C:\WINDOWS\d3wk.exe
O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\system32\crfq.exe
O4 - HKLM\..\RunOnce: [winja.exe] C:\WINDOWS\system32\winja.exe
O4 - HKLM\..\RunOnce: [atlcz.exe] C:\WINDOWS\system32\atlcz.exe
O4 - HKLM\..\RunOnce: [apiok32.exe] C:\WINDOWS\system32\apiok32.exe
O4 - HKLM\..\RunOnce: [msll.exe] C:\WINDOWS\system32\msll.exe
O4 - HKLM\..\RunOnce: [d3ag32.exe] C:\WINDOWS\d3ag32.exe
O4 - HKLM\..\RunOnce: [sysfi.exe] C:\WINDOWS\sysfi.exe
O4 - HKLM\..\RunOnce: [iedd.exe] C:\WINDOWS\iedd.exe
O4 - HKLM\..\RunOnce: [netvv.exe] C:\WINDOWS\system32\netvv.exe
O4 - HKLM\..\RunOnce: [ntxs32.exe] C:\WINDOWS\ntxs32.exe
O4 - HKLM\..\RunOnce: [crla32.exe] C:\WINDOWS\system32\crla32.exe
O4 - HKLM\..\RunOnce: [addip32.exe] C:\WINDOWS\addip32.exe
O4 - HKLM\..\RunOnce: [apiqg.exe] C:\WINDOWS\apiqg.exe
O4 - HKLM\..\RunOnce: [javauk32.exe] C:\WINDOWS\system32\javauk32.exe
O4 - HKLM\..\RunOnce: [mfczf.exe] C:\WINDOWS\system32\mfczf.exe
O4 - HKLM\..\RunOnce: [msmb32.exe] C:\WINDOWS\system32\msmb32.exe
O4 - HKLM\..\RunOnce: [netxh32.exe] C:\WINDOWS\system32\netxh32.exe
O4 - HKLM\..\RunOnce: [apifb.exe] C:\WINDOWS\system32\apifb.exe
O4 - HKLM\..\RunOnce: [ieay.exe] C:\WINDOWS\ieay.exe
O4 - HKLM\..\RunOnce: [sdkfs32.exe] C:\WINDOWS\sdkfs32.exe
O4 - HKLM\..\RunOnce: [winpu32.exe] C:\WINDOWS\winpu32.exe
O4 - HKLM\..\RunOnce: [syshy.exe] C:\WINDOWS\system32\syshy.exe
O4 - HKLM\..\RunOnce: [winhe.exe] C:\WINDOWS\system32\winhe.exe
O4 - HKLM\..\RunOnce: [appps32.exe] C:\WINDOWS\appps32.exe
O4 - HKLM\..\RunOnce: [netio.exe] C:\WINDOWS\system32\netio.exe
O4 - HKLM\..\RunOnce: [netdy.exe] C:\WINDOWS\system32\netdy.exe
O4 - HKLM\..\RunOnce: [atlif32.exe] C:\WINDOWS\atlif32.exe
O4 - HKLM\..\RunOnce: [crlp.exe] C:\WINDOWS\system32\crlp.exe
O4 - HKLM\..\RunOnce: [crfg.exe] C:\WINDOWS\crfg.exe
O4 - HKLM\..\RunOnce: [netyx32.exe] C:\WINDOWS\system32\netyx32.exe
O4 - HKLM\..\RunOnce: [systw32.exe] C:\WINDOWS\system32\systw32.exe
O4 - HKLM\..\RunOnce: [sdknn.exe] C:\WINDOWS\system32\sdknn.exe
O4 - HKLM\..\RunOnce: [netzv.exe] C:\WINDOWS\netzv.exe
O4 - HKLM\..\RunOnce: [crkt32.exe] C:\WINDOWS\system32\crkt32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netcm32.exe" /s (file missing)



Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked



Step 3

Reboot into Safe Mode.

Open CWShredder, click Fix and let it remove anything it finds.

Step 4

Start About Buster
With ALL windows closed - VERY important!
Click on 'Begin Removal' to start the scan.
When the scan has finished let it scan again.
A log of the scan will appear in the folder.
Exit About Buster.

Start CleanUp! and do the following:

Click the Options button.
Make sure only the following are checked:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users
Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.


Step 5

Now open Ewido Security Suite:

Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.


Step 6

Now double-click on the CWSServicemove.reg
Confirm you wish to add the contents to the registry when prompted and then reboot back to normal mode.


Step 7

Run an online virus scan at Trend Micro (Europe).

Reboot again when finished and post the following in THIS thread.

1. New HijackThis log
2. About Buster scan log
3. Ewido scan log
4. Feedback on Trend Micro scan
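As an added triage helper that is not part of this thread (neither Roden's log nor bricat's instructions), the script below parses a few HijackThis lines constructed from the log above and flags the same kinds of entries bricat picked out: R0/R1 search settings that point into a local DLL via `res://`, the missing default URLSearchHook, the O2 BHO with no class name, O4 Run/RunOnce values whose value name is simply the executable's file name (every one of the randomly named entries in the posted log has that shape), and the O23 service whose binary is reported missing. The `KNOWN_GOOD` allowlist and the heuristics themselves are assumptions for illustration, not a HijackThis feature; a real baseline would be built from a clean machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a dozen lines copied from the HijackThis log posted in this
# thread (not the full log), with known-good entries mixed in so the heuristics
# have something to leave alone.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xxznh.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {DB307D03-7868-5DF7-BFB1-F83D4E3BAA3C} - C:\WINDOWS\system32\addkz.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addkz.exe] C:\WINDOWS\system32\addkz.exe
O4 - HKLM\..\RunOnce: [netcm32.exe] C:\WINDOWS\system32\netcm32.exe
O4 - HKLM\..\RunOnce: [atlxo32.exe] C:\WINDOWS\atlxo32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netcm32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every HijackThis finding line starts with a section code such as R1, O4, O23.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# R0/R1 value that loads an HTML resource out of a local DLL (res://...dll/...)
RES_HIJACK = re.compile(r"= res://.*\.dll/", re.IGNORECASE)
# O2 body for a BHO that carries no class name at all
EMPTY_BHO = re.compile(r"^BHO: Class - \{")

# Assumed allowlist: value names that legitimately equal the file name.
KNOWN_GOOD = frozenset({"ctfmon.exe"})


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _image_basename(cmd: str) -> str:
    """Return the file name of the program an O4 command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                   # unquoted: program is the first token
        path = cmd.split()[0] if cmd else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _check_run_entry(body: str) -> Optional[str]:
    m = RUN_ENTRY.match(body)
    if not m:
        return None
    name = m.group("name").lower()
    base = _image_basename(m.group("cmd")).lower()
    if name == base and base not in KNOWN_GOOD:
        return f"{m.group('key')} value name is just the file name ({base})"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                        # header, process list, blank lines
        section, body = m.group("section"), m.group("body")
        reason: Optional[str] = None
        if section in ("R0", "R1") and RES_HIJACK.search(body):
            reason = "IE search/start setting points at a res:// page inside a local DLL"
        elif section == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook has been removed"
        elif section == "O2" and EMPTY_BHO.match(body):
            reason = "browser helper object with no class name"
        elif section == "O4":
            reason = _check_run_entry(body)
        elif section == "O23" and "(file missing)" in body:
            reason = "service whose binary is missing on disk"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section code."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a full log saved from HijackThis and the flagged lines are a starting point for the "checkmark the boxes next to the following" list, not a verdict: the name-equals-filename rule in particular needs a per-machine allowlist, which is why `ctfmon.exe` is excluded here.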