Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

"only the best" pop ups [CLOSED]


  • This topic is locked This topic is locked

#1
outatime88

outatime88

    Member

  • Member
  • PipPip
  • 39 posts
I keep getting "only the best" pop ups here is my hi jack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:24:38 PM, on 9/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\16.tmp
C:\WINDOWS\system32\winmt.exe
C:\WINDOWS\system32\atlvn32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Class - {B4C96F7A-8DBA-A271-24A8-DCA0E278A9D9} - C:\WINDOWS\d3gq.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winks.exe] C:\WINDOWS\winks.exe
O4 - HKLM\..\Run: [atlvn32.exe] C:\WINDOWS\system32\atlvn32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124047741656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124047729890
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.dww.at/mo...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, outatime88.

We are sorry to have missed your log due to heavy traffic.

If you still need help, please post back a fresh Hijack This log.

If the problem has been resolved, please let us know.
  • 0

#3
outatime88

outatime88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:32:12 PM, on 9/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winmt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\atlvn32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\givnl.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Class - {B4C96F7A-8DBA-A271-24A8-DCA0E278A9D9} - C:\WINDOWS\d3gq.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [atlvn32.exe] C:\WINDOWS\system32\atlvn32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124047741656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124047729890
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.dww.at/mo...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winmt.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, outatime88.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download Cwsserviceremove.reg Here
Download and install CleanUp! Here


Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run the cwsserviceremove.reg that you downloaded earlier.
When windows asks if you want to allow it to merge with the registry, click yes.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#5
outatime88

outatime88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
There was something wrong with about buster. it said bad zip header when i opened it.
  • 0

#6
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, outatime88.

Please use this link to download About:Buster and continue on with the fix.
  • 0

#7
outatime88

outatime88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Now it says that the database is corrupt or missing.
  • 0

#8
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, outatime88.

1. If you have not downloaded Cleanup! already, please do so now. Please double click the cleanup shortcut on your dekstop and let it run until it's finished, if it asks you to log off the computer to finish, please do so.

2. Once you have finished with that please try downloading About:Buster Here Try using the first mirror, and work your way down from there until you get one that isn't corrupt. Then continue on with the fix.

3. Please delete Hijackthis from it's current location.

4. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident.
  • 0

#9
outatime88

outatime88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
All the about:buster mirrors were corrupt.
  • 0

#10
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, outatime88.

Please download the About:Buster self extracting archive Here and continue with the above fix.
  • 0

#11
outatime88

outatime88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:09:47 AM, on 10/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\d3uy.exe
C:\WINDOWS\mfcld32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maojj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\maojj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\maojj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maojj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\maojj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maojj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O2 - BHO: Class - {07FCAF49-FD62-5DEF-3389-86CC7653686C} - C:\WINDOWS\system32\sdkyb32.dll
O2 - BHO: Class - {79CAD02C-8BB4-675C-D802-BFB2C2F6800B} - C:\WINDOWS\crvw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mfcld32.exe] C:\WINDOWS\mfcld32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124047741656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124047729890
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.dww.at/mo...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\d3uy.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe







-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 03, 2005 02:56:26
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/10/2005
Kaspersky Anti-Virus database records: 142942
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 91440
Number of viruses found: 12
Number of infected objects: 118
Number of suspicious objects: 0
Duration of the scan process: 4637 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-3eb4356d-3dd41d2a.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-3eb4356d-3dd41d2a.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-3eb4356d-3dd41d2a.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-3eb4356d-3dd41d2a.zip Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-69a6536b.zip/Counter.class Infected: Trojan.Java.Femad
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-69a6536b.zip/VerifierBug.class Infected: Trojan.Java.Femad
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-69a6536b.zip/web.exe Infected: Trojan-Clicker.Win32.Small.hs
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-69a6536b.zip/Worker.class Infected: Trojan.Java.Femad
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-69a6536b.zip/Xeyond.class Infected: Trojan.Java.Femad
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-69a6536b.zip Infected: Trojan.Java.Femad
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv799.jar-12a80340-18755350.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv799.jar-12a80340-18755350.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv799.jar-12a80340-18755350.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv799.jar-12a80340-18755350.zip Infected: Trojan.Java.ClassLoader.d
C:\eied_s7.cab/eied_s7_c_7.exe Infected: Trojan-Downloader.Win32.Mediket.ap
C:\eied_s7.cab Infected: Trojan-Downloader.Win32.Mediket.ap
C:\ied_s7.cab/ied_s7_c_7.exe Infected: Trojan-Downloader.Win32.Agent.ia
C:\ied_s7.cab Infected: Trojan-Downloader.Win32.Agent.ia
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP450\A0075427.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP450\A0075428.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP451\A0075457.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP451\A0075458.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP451\A0075474.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP451\A0075475.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP452\A0075495.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP452\A0075515.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP453\A0075529.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP453\A0075530.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP454\A0075535.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP454\A0075536.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP454\A0075544.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP454\A0075549.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP454\A0075568.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP454\A0075573.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP455\A0075607.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP455\A0075608.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP455\A0075652.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075677.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075679.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075680.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075798.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075804.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075805.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075813.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075819.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP456\A0075820.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP457\A0075825.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP457\A0075827.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP457\A0075829.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP458\A0075837.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP458\A0075838.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP458\A0075844.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP459\A0075854.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP459\A0075855.prx:iubqn:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP459\A0075858.INI:hrvhox:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP459\A0075859.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075865.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075866.prx:iubqn:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075869.INI:hrvhox:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075870.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075883.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075884.prx:iubqn:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075894.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075895.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075896.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075897.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075898.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075899.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075930.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP460\A0075931.prx:iubqn:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\abiuninst.htm:fsivjf:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\appog32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\atlbp.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\atlyy.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\bootstat.dat:dzpovp:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\COM+.log:vzaupa:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\crvw.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\d3ir32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\d3ni32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\d3uy.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\iecd32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\iPlayer.INI:hrvhox:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\javaao32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\javacr32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\mfccr.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\mfcgr.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\mfcld32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ntbe32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\pcf.INI:dtvldo:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\php.ini.optimizer-bak:vtorxq:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\q329256.log:xwuxpa:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\SETUPEXE.INI:mqyshv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\smscfg.ini:frixjg:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\apith.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\appgt32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\crgj32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\croj.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\ietd32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\mfcvw.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\msry.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\netcl.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\netzs32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\ntvs32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\sdkjv.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\sdkxz.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\sdkyb32.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\winkv.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\WMPrfAra.prx:evksv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\wmprfhun.prx:iszrjz:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\wmprfrus.prx:xtqxq:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\wmprfsve.prx:mgivnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\wmsetup10.log:fgaahn:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\WMSysPr9.prx:iubqn:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:dmjkhe:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:hodzci:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:imsudt:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:vmupbp:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:yprxkl:$DATA Infected: Trojan-Downloader.Win32.Agent.bq

Scan process completed.




AboutBuster 5.0 reference file 28
Scan started on [10/3/2005] at [12:36:50 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\dasetup.log:unwnqt
Removed Stream! C:\WINDOWS\hlfal.log:kvhkkk
Removed Stream! C:\WINDOWS\wmprfhun.prx:qjhgwu
Removed Stream! C:\WINDOWS\WMSysPr9.prx:xoxiwj
Removed Stream! C:\WINDOWS\x71ea201c0.tmp:poqnyu
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:cfbybk
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:djjcup
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:gozsqb
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:neiyfy
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:nngnor
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:ugtdeu
Removed Stream! C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat:wjcppa
------------------------------------------------
Removed File! : C:\Windows\dmjkh.dat
Removed File! : C:\Windows\eqthz.dll
Removed File! : C:\Windows\maojj.dll
Removed File! : C:\Windows\syuvp.dll
Removed File! : C:\Windows\xlpjh.dat
Removed File! : C:\Windows\System32\givnl.dll
Removed File! : C:\Windows\System32\mupbp.dll
Removed File! : C:\Windows\System32\vyvuf.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:37:37 AM


AboutBuster 5.0 reference file 28
Scan started on [10/3/2005] at [12:47:57 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:48:43 AM







(10/3/05 12:56:24 AM) SPSeHjFix started v1.1.2
(10/3/05 12:56:24 AM) OS: WinXP Service Pack 1 (5.1.2600)
(10/3/05 12:56:24 AM) Language: english
(10/3/05 12:56:24 AM) Win-Path: C:\WINDOWS
(10/3/05 12:56:24 AM) System-Path: C:\WINDOWS\System32
(10/3/05 12:56:24 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(10/3/05 12:56:30 AM) Disinfection started
(10/3/05 12:56:30 AM) Bad-Dll(IEP): (not found)
(10/3/05 12:56:30 AM) Bad-Dll(IEP) in BHO: (not found)
(10/3/05 12:56:30 AM) UBF: 7 - UBB: 2 - UBR: 5
(10/3/05 12:56:30 AM) UBF: 7 - UBB: 2 - UBR: 5
(10/3/05 12:56:30 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(10/3/05 12:56:30 AM) Stealth-String not found
(10/3/05 12:56:30 AM) Not infected->END
  • 0

#12
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, outatime88.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Download Pocket Killbox Here.

Save it somewhere you will remember, like your desktop.


Run hijackthis, scan and place a checkmark by the following items:

O2 - BHO: Class - {07FCAF49-FD62-5DEF-3389-86CC7653686C} - C:\WINDOWS\system32\sdkyb32.dll
O2 - BHO: Class - {79CAD02C-8BB4-675C-D802-BFB2C2F6800B} - C:\WINDOWS\crvw.dll
O4 - HKLM\..\Run: [mfcld32.exe] C:\WINDOWS\mfcld32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\d3uy.exe


4) Run killbox, select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\d3uy.exe
C:\WINDOWS\mfcld32.exe
C:\WINDOWS\system32\sdkyb32.dll
C:\WINDOWS\crvw.dll
C:\WINDOWS\mfcld32.exe


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Please run the cwsserviceremove.reg that you downloaded earlier.
When windows asks if you want to allow it to merge with the registry, click yes.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal windows.

Please run an on-line virus scan at Panda Activescan or (if that one still will not work) Housecall (Please post the results of the scan in your next reply)
  • 0

#13
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP