Help Dropped Internet Connections


#1 jckazz (Member, 16 posts)
I try to keep all of my antivirus and antimalware software up to date. I have been getting dropped internet connections regularly. Some antivirus software has detected a Dropper.Small or a Dropper.Agent. I don't know if it's related, but it will not remove. Please help me, I do a lot of my work through telnet and I lose my connections at least once in 10 minutes. It makes it difficult to work. I have attached an HJT log from the most recent version of HJT.

Thank you in advance,
Marc


=============================================
Logfile of HijackThis v1.99.1
Scan saved at 3:21:03 PM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Commander Pro\UPServ.exe
C:\Program Files\Commander Pro\UPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://wow.bezeq.co....te/iftwclix.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: UPSmart - Unknown owner - C:\Program Files\Commander Pro\UPServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - c:\MEDIAE~1.0\x10nets.exe (file missing)

#2 joshuacat (Visiting Staff, 188 posts)
Welcome, Marc. I don't see a lot going on in this log, but let's clean out what I do see....

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1. Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.


2. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab


Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


3. Please download/install/configure/update with Spybot Search & Destroy and AdAware.

Follow all the instructions in the following tutorials (hold off on doing the full scans; we will do these in Safe Mode):

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


4. Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


5. Perform a full system scan in Ad-aware and Spybot.

Restart your computer.


6. Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
Please reply to this post with a new HiJackThis log and the scan log from the Panda Active Scan.


Thanks,

JC

#3 jckazz (Topic Starter, Member, 16 posts)
Hi,

Thank you for your help. I am responding with the Panda and HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:57:46 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Commander Pro\UPServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Commander Pro\UPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\hjt\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://wow.bezeq.co....te/iftwclix.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: UPSmart - Unknown owner - C:\Program Files\Commander Pro\UPServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - c:\MEDIAE~1.0\x10nets.exe (file missing)

=================================================

Incident Status Location

Virus:W32/Netsky.AE.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird\Profiles\jifmej0y.default\Mail\Local Folders\Inbox[msg.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird\Profiles\jifmej0y.default\Mail\Local Folders\Inbox[~0004059.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird\Profiles\jifmej0y.default\Mail\Local Folders\inbox4[datfiles.zip][document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird\Profiles\jifmej0y.default\Mail\Local Folders\junk[readme.zip][data.rtf .scr]
Virus:W32/Bagle.CC.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird\Profiles\jifmej0y.default\Mail\Local Folders\junk[Price_43254.zip][Result.exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird\Profiles\jifmej0y.default\Mail\Local Folders\junk[your_document_marc.zip][data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird2\Profiles\jifmej0y.default\Mail\Local Folders\Inbox[your_document_marc.zip][data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird2\Profiles\jifmej0y.default\Mail\Local Folders\junk[readme.zip][data.rtf .scr]
Virus:W32/Bagle.CC.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird2\Profiles\jifmej0y.default\Mail\Local Folders\junk[Price_43254.zip][Result.exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\marc\Application Data\Thunderbird2\Profiles\jifmej0y.default\Mail\Local Folders\junk[your_document_marc.zip][data.rtf .scr]
Dialer:Dialer.DW No disinfected C:\Documents and Settings\marc\My Documents\ringtonesvs.exe
Spyware:Spyware/BargainBuddy No disinfected C:\downloads\dvdxcopy_crack\dvdxcopyxpress321_GjEmBsVxRjAbEuIw\install_cheat_001.exe
Virus:W32/Netsky.P.worm Disinfected C:\downloads\foxmail\Re_ Submit a Virus Sample.RB0[datfiles.zip][document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected C:\Program Files\Foxmail\mail\marc\in.BOX[datfiles.zip][document.txt .exe]
Virus:W32/Netsky.AE.worm Disinfected C:\Program Files\Foxmail\mail\mfischma\in.BOX[~0000739.~][my_numbers.pif]
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B4286304-63FF-4816-A638-957D0B\1980BEF1-4C98-4F59-BEC2-AA23AD
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B4286304-63FF-4816-A638-957D0B\22C95F05-338C-4CFB-84B1-7C18C6
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\d?dplay.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??chost.exe

#4 joshuacat (Visiting Staff, 188 posts)
Great job. The scan removed some items... We still have some clean up to do...

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\d?dplay.exe /a > files.txt
dir C:\WINDOWS\system32\??chost.exe /a >> files.txt
rem /a lists matching files whatever their attributes, hidden ones included
rem the second dir appends to files.txt, so the first listing is not overwritten
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

Thanks,

JC

#5 jckazz (Topic Starter, Member, 16 posts)
I can't thank you enough.


=============================================

Volume in drive C has no label.
Volume Serial Number is 2452-7E5A

Directory of C:\WINDOWS\system32

08/04/2004 09:56 AM 14,336 svchost.exe
10/19/2004 04:53 PM 380,928 ??chost.exe
2 File(s) 395,264 bytes

Directory of C:\Documents and Settings\marc\Desktop

#6 jckazz (Topic Starter, Member, 16 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:21:22 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Commander Pro\UPServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Commander Pro\UPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://wow.bezeq.co....te/iftwclix.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: UPSmart - Unknown owner - C:\Program Files\Commander Pro\UPServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - c:\MEDIAE~1.0\x10nets.exe (file missing)

#7 joshuacat (Visiting Staff, 188 posts)
That's one of the files...we need to get information about the other one. Once I have that, we will move on and get rid of all the traces of spyware/viruses on your computer.
Your last log showed you had a couple of viruses...at least hiding on your computer. Is it working better now?

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\d?dplay.exe /a > files.txt
rem /a lists matching files whatever their attributes, hidden ones included
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here.

Thanks,

JC

#8 jckazz (Topic Starter, Member, 16 posts)
I am still noticing some disconnects, but they are much less frequent. These are the results of that batch script.


==============================================


Volume in drive C has no label.
Volume Serial Number is 2452-7E5A

Directory of C:\WINDOWS\system32

08/23/2001 02:00 PM 55,296 dvdplay.exe
10/14/2004 05:41 PM 380,928 d?dplay.exe
2 File(s) 436,224 bytes

Directory of C:\Documents and Settings\marc\Desktop

#9 joshuacat (Visiting Staff, 188 posts)
Great, jckazz. Got it. I still see that you are around...I will get back to you later with the rest of your fix. I am at work right now, but I will have the rest of your fix later...If you like, you can use the Track This Topic button so you can get notification that I replied. It is on the top right hand side of your first post.

See you later...

JC


#10 joshuacat (Visiting Staff, 188 posts)
Okay, let's clean up some of the items we uncovered during the scans. We will do a couple of more scans to see what else might be hiding...

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1. Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.


2. Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


3. Please enable the viewing of hidden files; follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
4. Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\downloads\dvdxcopy_crack\ <=== entire folder

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf <=== file

C:\Documents and Settings\marc\My Documents\ringtonesvs.exe <=== file

C:\WINDOWS\system32\d?dplay.exe <=== file. Please be careful! There is also a file called dvdplay.exe - THIS IS A VALID FILE. The one you should delete is the other! If you look at the details, the date of the file to delete is 10/19/2004, the file size 380,928 bytes!

C:\WINDOWS\system32\??chost.exe <=== file. Please be careful! There is also a file called svchost.exe - THIS IS A VALID FILE. The one you should delete is the other! If you look at the details, the date of the file to delete is 10/19/2004, the file size 380,928 bytes!


Let me know if you had any problems with the deletions.

Restart your computer.



5. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please reply to this post with the following:

a. A new HiJackThis log
b. The log from the Kaspersky Online Scanner
c. Any symptoms that are remaining...


Good-luck,

JC

#11 jckazz (Member, Topic Starter)

Hi JC,

Sorry it took so long to respond. I removed those files.

This one did not exist ...
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf

d?dplay.exe and ??chost.exe were actually called dvdplay and svchost, but they were different than the Windows files.

I tried running the Kaspersky scanner, but my keyboard tray fell on my PC and it rebooted when it was almost finished. That has never happened before, and of course it happens 3 hours into the scan. Anyway, it is running again, and I'll post the results when it is done.

Thanks again for all your help.
Marc

#12 joshuacat (Visiting Staff)

> I tried running the Kaspersky scanner, but my keyboard tray fell on my PC and it rebooted when it was almost finished. That has never happened before, and of course it happens 3 hours into the scan. Anyway, it is running again, and I'll post the results when it is done.

That's frustrating.... What a pain.... Some of these scans can take quite a while...

> d?dplay.exe and ??chost.exe were actually called dvdplay and svchost, but they were different than the Windows files.

How did you know that? Did you compare file sizes?

Did you follow the steps to unhide files and try to remove them in safe mode?
Just checking.... :)

Okay post again after the scan.

Good-luck. :)

#13 jckazz (Member, Topic Starter)

Yes, I compared dates and file sizes. The other files were in the directory also, which leads me to believe there was some other character set that had a v and s in it. The characters just looked like a v and an s, but they may have been a Spanish character or from another language set. Also, the files did not show up in the correct location when the listing was alphabetical.

And yes, I removed them in safe mode.

The scan is still going (at 50%), so I'll let you know when it's done.

Thanks
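The lookalike names JC and Marc discuss above (d?dplay.exe and ??chost.exe imitating dvdplay.exe and svchost.exe, same size and date, sorting out of place in the listing) can be caught without eyeballing a directory. The script below is an added example, not code from the thread or from any tool named in it; it assumes a short list of protected names and a small homoglyph table, and the sample listing is constructed to mirror the thread.

```python
import os
import unicodedata
from datetime import datetime

# Genuine binary names worth protecting (assumed list; extend as needed).
PROTECTED = sorted({"svchost.exe", "dvdplay.exe", "lsass.exe", "csrss.exe", "winlogon.exe"})

# Small homoglyph table (an assumption, far from exhaustive): characters that render like a
# Latin letter. Other non-ASCII characters become a "?" wildcard, as in the thread's d?dplay.exe.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0445": "x", "\u0456": "i", "\u03bd": "v", "\u03b1": "a",
    "\u03bf": "o", "0": "o", "1": "l",
}

def skeleton(name: str) -> str:
    """ASCII skeleton: lookalikes become their Latin twin, unknown non-ASCII becomes '?'."""
    out = []
    for ch in unicodedata.normalize("NFKC", name).lower():
        ch = CONFUSABLES.get(ch, ch)
        out.append(ch if ord(ch) < 128 else "?")
    return "".join(out)

def find_lookalikes(entries):
    """entries: iterable of (filename, size_bytes, mtime_str); returns the imitators found."""
    findings = []
    for name, size, mtime in entries:
        if name.lower() in PROTECTED:
            continue  # the genuine binary, spelled exactly
        sk = skeleton(name)
        for genuine in PROTECTED:
            # Same length and every skeleton character equals the genuine one or is a '?' wildcard.
            if len(sk) == len(genuine) and all(p in ("?", t) for p, t in zip(sk, genuine)):
                findings.append({"name": name, "imitates": genuine, "size": size, "mtime": mtime,
                                 "non_ascii": [f"U+{ord(c):04X}" for c in name if ord(c) > 127]})
                break
    return findings

def scan_directory(path: str):
    """Build (name, size, mtime) entries from a real directory such as C:\\WINDOWS\\system32."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                st = e.stat(follow_symlinks=False)
                mtime = datetime.fromtimestamp(st.st_mtime).strftime("%m/%d/%Y")
                entries.append((e.name, st.st_size, mtime))
    return entries

# Constructed sample listing modelled on the thread; not real data from the poster's machine.
SAMPLE_LISTING = [
    ("svchost.exe", 14_336, "08/04/2004"),             # genuine
    ("dvdplay.exe", 20_480, "08/04/2004"),             # genuine
    ("\u0455\u03bdchost.exe", 380_928, "10/19/2004"),  # Cyrillic dze + Greek nu: looks like svchost
    ("d\u03bddplay.exe", 380_928, "10/19/2004"),       # Greek nu: looks like dvdplay
    ("svch\u00f6st.exe", 380_928, "10/19/2004"),       # unlisted non-ASCII letter -> '?' wildcard
    ("notepad.exe", 69_120, "08/04/2004"),
]

if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_LISTING):
        print(f"{f['name']!r} imitates {f['imitates']}: {f['size']} bytes, {f['mtime']}, {f['non_ascii']}")
```

To check a live machine, pass `scan_directory(r"C:\WINDOWS\system32")` to `find_lookalikes` instead of the sample listing; the size and date in each finding let you compare against the genuine file the way Marc did.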

#14 jckazz (Member, Topic Starter)

Here are the scan results ...



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 23, 2005 10:13:34
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 22/09/2005
Kaspersky Anti-Virus database records: 150636
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 153760
Number of viruses found: 15
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 11127 sec

Infected Object Name - Virus Name
C:\backup\nokia 7250i, 7210, 6100, 6610, 7250, 5100, s40s apps , pics , games , ringtones by ksk-85\7250i\games\Apps e games\Apps\ActiveViewer\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\nokia 7250i, 7210, 6100, 6610, 7250, 5100, s40s apps , pics , games , ringtones by ksk-85\7250i\games\Apps e games\Apps\ActiveViewer\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\nokia 7250i, 7210, 6100, 6610, 7250, 5100, s40s apps , pics , games , ringtones by ksk-85\7250i\games\Apps e games\Apps\ActiveViewer\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\nokia 7250i, 7210, 6100, 6610, 7250, 5100, s40s apps , pics , games , ringtones by ksk-85\7250i\games\Apps e games\Apps\ActiveViewer\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\nokia 7250i, 7210, 6100, 6610, 7250, 5100, s40s apps , pics , games , ringtones by ksk-85\7250i\games\Apps e games\Apps\ActiveViewer\vnc-3.3.7-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\Nokia 7250i, 7210, 6100, 6610, 7250, 5100, S40s apps , pics , games , ringtones by KSK-85.rar/7250i/games/Apps e games/Apps/ActiveViewer/vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\Nokia 7250i, 7210, 6100, 6610, 7250, 5100, S40s apps , pics , games , ringtones by KSK-85.rar/7250i/games/Apps e games/Apps/ActiveViewer/vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\Nokia 7250i, 7210, 6100, 6610, 7250, 5100, S40s apps , pics , games , ringtones by KSK-85.rar/7250i/games/Apps e games/Apps/ActiveViewer/vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\Nokia 7250i, 7210, 6100, 6610, 7250, 5100, S40s apps , pics , games , ringtones by KSK-85.rar/7250i/games/Apps e games/Apps/ActiveViewer/vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\Nokia 7250i, 7210, 6100, 6610, 7250, 5100, S40s apps , pics , games , ringtones by KSK-85.rar/7250i/games/Apps e games/Apps/ActiveViewer/vnc-3.3.7-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\backup\Nokia 7250i, 7210, 6100, 6610, 7250, 5100, S40s apps , pics , games , ringtones by KSK-85.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
C:\Documents and Settings\srulik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-34e2b6fd-6c76c2cc.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.e
C:\Documents and Settings\srulik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-34e2b6fd-6c76c2cc.zip Infected: Trojan-Downloader.Java.OpenConnection.e
C:\Documents and Settings\srulik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6ccc0c4-709e78c0.zip/binny/binny.class Infected: Trojan-Dropper.Java.Beyond.d
C:\Documents and Settings\srulik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6ccc0c4-709e78c0.zip Infected: Trojan-Dropper.Java.Beyond.d
C:\Documents and Settings\srulik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-797cd619-4a8819aa.zip/Beyond.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\srulik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-797cd619-4a8819aa.zip Infected: Exploit.Java.Bytverify
C:\downloads\dvdplayer\aiodvdplayer.exe/data0012 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k
C:\downloads\dvdplayer\aiodvdplayer.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k
C:\downloads\emule\overnet0.50.1.exe/data0004/fatovernet.exe Infected: not-a-virus:Server-Proxy.Win32.Overnet
C:\downloads\emule\overnet0.50.1.exe/data0004 Infected: not-a-virus:Server-Proxy.Win32.Overnet
C:\downloads\emule\overnet0.50.1.exe Infected: not-a-virus:Server-Proxy.Win32.Overnet
C:\downloads\visual_studio\vs6.exe/vs6.chm/vc/sdk_SdkTools.exe/sdk_SdkTools/spy/dll/hook.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe/vs6.chm/vc/sdk_SdkTools.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe/vs6.chm/vc/sdk_SdkTools_spy.exe/sdk_SdkTools_spy/sdk_SdkTools_spy_dll/hook.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe/vs6.chm/vc/sdk_SdkTools_spy.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe/vs6.chm/vc/sdk_SdkTools_spy_dll.exe/sdk_SdkTools_spy_dll/hook.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe/vs6.chm/vc/sdk_SdkTools_spy_dll.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe/vs6.chm Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\downloads\visual_studio\vs6.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.30
C:\Program Files\Foxmail\mail\mfischma\in.BOX/[From from quoted-printable to 8bit by server1.watchparadise.com id LAA07140][Date Tue, 8 Jul 2003 08:27:00 -0700]/text/[From Microsoft Corporation Internet Security Center][Date Date header was inserted by SMTP.Prodigy.Net.mx]/UNNAMED Infected: Email-Worm.Win32.Swen
C:\Program Files\Foxmail\mail\mfischma\in.BOX/[From from quoted-printable to 8bit by server1.watchparadise.com id LAA07140][Date Tue, 8 Jul 2003 08:27:00 -0700]/text/[From Microsoft Inet Mail Storage Service <emailengine@rocketmail.com>][Date Date header was inserted by SMTP.Prodigy.Net.mx]/UNNAMED/UNNAMED Infected: Email-Worm.Win32.Swen
C:\Program Files\Foxmail\mail\mfischma\in.BOX/[From from quoted-printable to 8bit by server1.watchparadise.com id LAA07140][Date Tue, 8 Jul 2003 08:27:00 -0700]/text/[From Microsoft Inet Mail Storage Service <emailengine@rocketmail.com>][Date Date header was inserted by SMTP.Prodigy.Net.mx]/UNNAMED Infected: Email-Worm.Win32.Swen
C:\Program Files\Foxmail\mail\mfischma\in.BOX/[From from quoted-printable to 8bit by server1.watchparadise.com id LAA07140][Date Tue, 8 Jul 2003 08:27:00 -0700]/text Infected: Email-Worm.Win32.Swen
C:\Program Files\Foxmail\mail\mfischma\in.BOX Infected: Email-Worm.Win32.Swen
C:\Program Files\Microsoft AntiSpyware\Quarantine\B4286304-63FF-4816-A638-957D0B\1980BEF1-4C98-4F59-BEC2-AA23AD Infected: Trojan-Downloader.Win32.Small.asf
C:\Program Files\Microsoft AntiSpyware\Quarantine\B4286304-63FF-4816-A638-957D0B\22C95F05-338C-4CFB-84B1-7C18C6 Infected: not-a-virus:AdWare.180Solutions.g
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll Infected: not-a-virus:AdWare.Comet.c
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyplatinumv321_TcIwLeOrQrLkExHv.zip/install_cheat_001.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyplatinumv321_TcIwLeOrQrLkExHv.zip/install_cheat_001.exe Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyplatinumv321_TcIwLeOrQrLkExHv.zip Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyxpress321_GjEmBsVxRjAbEuIw\install_cheat_001.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyxpress321_GjEmBsVxRjAbEuIw\install_cheat_001.exe Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyxpress321_GjEmBsVxRjAbEuIw.zip/install_cheat_001.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyxpress321_GjEmBsVxRjAbEuIw.zip/install_cheat_001.exe Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc1\dvdxcopyxpress321_GjEmBsVxRjAbEuIw.zip Infected: Trojan-Downloader.Win32.IstBar.ki
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc2.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc3.exe Infected: not-a-virus:AdWare.PurityScan.aa
C:\RECYCLER\S-1-5-21-220523388-1284227242-839522115-500\Dc4.exe Infected: not-a-virus:AdWare.PurityScan.aa
C:\WINDOWS\ibi-xs.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic
C:\WINDOWS\system32\iegfxfrw.dll Infected: Trojan.Win32.StartPage.iv

Scan process completed.

#15 jckazz (Member, Topic Starter)

and the HJT log ...


Logfile of HijackThis v1.99.1
Scan saved at 10:16:06 AM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Commander Pro\UPServ.exe
C:\Program Files\Commander Pro\UPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\hjt\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\marc\Application Data\Mozilla\Profiles\default\vir632vz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://wow.bezeq.co....te/iftwclix.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: UPSmart - Unknown owner - C:\Program Files\Commander Pro\UPServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - c:\MEDIAE~1.0\x10nets.exe (file missing)