Gotta be a Trojan or something nasty

#1 TTerry (New Member, 6 posts)

Hi all,

Something Terryible has Happened .... That is what popped up on my screen about 3:00 AM one morning about 3 months ago. I thought, the pop uppers have really gotten clever. But my cursor wouldn't move so I simply rebooted. When the computer came back to life, my font size had changed (larger), my browser is king sized and my computer has slowed down to a crawl. Also, I keep getting pop ups when I surf the internet. One wants to take me to winfixer.com, another wants to take me to a gambling site and another says some program just sent info over the internet. I think it wants to take me to winfixer also. My pop up blockers can't stop them.

Also, my log in screen changed. I had 3 people able to log in, my wife, my daughter and me, now I have only 2 just my wife and me. I checked my hard drive and my daughter's info is there, but it doesn't come up on the screen. When I'm in Admin mode, it still only gives me 2 and won't let me add her again. I think this is similar to the dreaded blue screen but I'm still able to use my computer.

Also, my webcam and scanner both lost their drivers.

I've read many posts here and you guys seem to have a handle on most any problem. But I haven't seen one like mine. I constantly run AVG Anti-Virus and update definitions and scan daily. I auto load Trend Micro Anti-Spyware at boot and update that daily also. Just before posting this, I ran AVG, AdAware, VX2, Trend Micro Anti-Spyware and had a 3rd party scan by Trend Micro. But none seem able to find the culprit that created this mess. And the culprit is still here because my symptoms haven't changed. Can you help?

Here's my HJT Log and Thanks in Advance:

Logfile of HijackThis v1.99.1
Scan saved at 3:41:19 PM, on 11/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Documents and Settings\Dad\Desktop\Desktop\Virus & Malware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mpgprofits.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mchenrycountybowling.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ddaya.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.sexyads.n...080/java/cr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125790244844
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

I also ran Ewido. Here are the results of that 76-minute scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:23:00 PM, 11/26/2005
+ Report-Checksum: FA2EC239

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-1177238915-436374069-854245398-1003\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1177238915-436374069-854245398-1003_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\QNY2CAO2\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc11.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc114.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc117.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc17.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc19.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc21.txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc22.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc29.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc3.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc31.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc32.txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc35.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc45.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc47.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc53.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc56.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc58.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc62.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc63.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc66.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc69.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc70.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc71.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc72.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-436374069-854245398-1005\Dc81.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\ddaya.dll -> Spyware.Virtumonde : Cleaned with backup
D:\Maxtor Backup 011505\Program Files\HumanClick\cd_install_114.exe/cd_swf.dll -> Spyware.Cydoor : Error during cleaning
:mozilla.9:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.13:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.14:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.15:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.18:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.32:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.33:D:\Maxtor Backup 011505\WINDOWS\Profiles\Terry Shafer\Application Data\Phoenix\Profiles\default\58nikj4c.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup


::Report End

I sure hope you can help. If not, I foresee a reformat coming.

Thanks Again

TTerry

Edited by TTerry, 26 November 2005 - 05:25 PM.

#2 Buckeye_Sam (Malware Expert, 10,019 posts)

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
#3 TTerry (Topic Starter, New Member, 6 posts)

Hi Sam,

No need for an apology. With the thousands of us who ask all of you for help, I'm actually surprised you responded as quickly as you did.

My problem still prevails. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:16:31 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\Desktop\Virus & Malware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mpgprofits.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mchenrycountybowling.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ddaya.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.sexyads.n...080/java/cr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125790244844
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Any help you can offer is greatly appreciated.

Thanks

TTerry
#4 Buckeye_Sam (Malware Expert, 10,019 posts)

Let's see what we can turn up. :tazz:

Run Hijackthis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ddaya.dll (file missing)
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)

Now I need to see a different type of log from Hijackthis:
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.

Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new hijackthis log, the uninstall list, and the info from your virus scan.
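As an added example (editor's code, not part of this thread and not HijackThis itself), a small Python parser for the HijackThis log format posted above: it diffs two scans and flags the two things Sam's fix list keys on, entries marked "(file missing)" (a registry reference to a file a scanner has already deleted, as happened to ddaya.dll between the first two logs) and O20 Winlogon Notify items. The sample lines are copied from the second and third logs in the thread, abridged; the heuristics are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the second (11/28) and third (11/30)
# HijackThis logs in this thread, abridged to the entries that changed.
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ddaya.dll (file missing)
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""
LOG_AFTER = r"""
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# HijackThis 1.99 entry prefixes: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
MISSING = " (file missing)"  # appended by HijackThis when the file is not on disk


@dataclass(frozen=True)
class Entry:
    kind: str      # "R1", "O2", "O20", ...
    detail: str    # text after "Oxx - ", with the "(file missing)" marker stripped
    missing: bool  # True when HijackThis could not find the referenced file

    @property
    def path(self) -> str:
        # For O2/O3/O9/O20/O23 the last " - " separated field is the file path.
        return self.detail.rsplit(" - ", 1)[-1]


def parse_log(text: str) -> list[Entry]:
    """Keep only Rx/Fx/Nx/Oxx entries; header and process list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, detail = m.groups()
        missing = detail.endswith(MISSING)
        if missing:
            detail = detail[: -len(MISSING)]
        entries.append(Entry(kind, detail, missing))
    return entries


def flags(entry: Entry) -> list[str]:
    """Review prompts, in the spirit of the helper's fix list above (this example's heuristics)."""
    reasons = []
    if entry.missing:
        reasons.append("orphaned reference: file already removed, registry entry left behind")
    if entry.kind == "O20":
        reasons.append("Winlogon Notify DLL is loaded by winlogon.exe at logon; verify its vendor")
    return reasons


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Match entries by (kind, detail) so a change in the missing marker is visible."""
    old = {(e.kind, e.detail): e for e in parse_log(before)}
    new = {(e.kind, e.detail): e for e in parse_log(after)}
    order = lambda e: (e.kind, e.detail)
    return {
        "removed": sorted((old[k] for k in old.keys() - new.keys()), key=order),
        "added": sorted((new[k] for k in new.keys() - old.keys()), key=order),
        "went_missing": sorted(
            (new[k] for k in old.keys() & new.keys() if new[k].missing and not old[k].missing),
            key=order,
        ),
    }


def review(before: str, after: str) -> list[str]:
    """One line per change plus one per review prompt on the newer log."""
    d = diff_logs(before, after)
    lines = [f"removed: {e.kind} {e.path}" for e in d["removed"]]
    lines += [f"added:   {e.kind} {e.detail}" for e in d["added"]]
    lines += [f"orphan:  {e.kind} {e.path}" for e in d["went_missing"]]
    for e in parse_log(after):
        for why in flags(e):
            lines.append(f"review:  {e.kind} {e.path}: {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(review(LOG_BEFORE, LOG_AFTER)))
```

The diff shows the pattern from this thread: the fixed R1/O2/O20 entries disappear, the IBBar.dll toolbar entry turns into an orphan once its file is gone, and a new O4 Run entry for the same product appears, which is why a fresh log is requested after every fix.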
#5 TTerry (Topic Starter, New Member, 6 posts)

Hi Sam,

Thanks for your help.

I fixed the items you suggested in HJT. I also ran the uninstall list you requested and did the Panda Online Virus Scan. I stopped that scan after 3 hours. It found 39 viruses, most of which were on my D drive.

Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:47 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\Desktop\Virus & Malware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mpgprofits.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mchenrycountybowling.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.sexyads.n...080/java/cr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125790244844
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Here's my Uninstall List:

Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AVG Free Edition
Belarc Advisor 6.1
BroadJump Client Foundation
Canon Creative Components
Canon Creative Pro
CleanUp!
CloneCD
CoffeeCup Firestarter
CuteFTP 6 Professional
CutePDF Writer 2.3
Diner Dash (remove only)
ewido security suite
Family Feud (remove only)
FileSpecs plug-in for Ad-Aware SE
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Instant Buzz (remove only)
Lavasoft VX2 Cleaner
Lexmark Supplies Monitor
Lexmark Z45
Lotus SmartSuite 97
LSP Explorer plug-in for Ad-Aware SE
Macromedia Shockwave Player
Magic Ball 2 New Worlds
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Office Converter Pack
Microsoft Office Sounds
Microsoft Outlook Personal Folders Backup
Microsoft Streets and Trips 2001
MSN Gaming Zone
MSN Messenger 7.0
MSN Music Assistant
NoteTab Light (Remove only)
Paltalk Messenger
PC PowerScan
PhotoParade Player
Plaxo
QuickBooks Basic 2002
QuickTime
Registry Mechanic 5.0
SBC Self Support Tool
SBC Yahoo! Applications
Skype 1.4
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
TradeWinds 2 (remove only)
Trend Micro Anti-Spyware
Update for Windows XP (KB898461)
Visual IP InSight(SBC)
Vstascan
Win Risk Free
Windows 2000 and XP Canon Printer Drivers 1.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP2) Q817606
XoftSpy
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar

(The Yahoo Toolbar is going to be removed pronto.)

Here's my Panda Virus Scan Report:


Incident Status Location

Adware:adware/powerscan Not disinfected C:\WINDOWS\SYSTEM32\intrigue.dll
Adware:adware/adsmart Not disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/ilookup Not disinfected C:\Documents and Settings\Dad\Favorites\Gambling
Adware:adware/mediatickets Not disinfected Windows Registry
Virus:W32/Netsky.P.worm Not disinfected C:\Bowling\MCBA Website\mail\mchenrycountybowling.com\catchallbox\inbox[details.txt .pif]
Virus:W32/Netsky.P.worm Not disinfected C:\Bowling\MCBA Website\mail\mchenrycountybowling.com\catchallbox\inbox[document.txt .exe]
Virus:W32/Netsky.P.worm Not disinfected C:\Encore Coffee\IntlCoffee Backup\backup-intlcoffee.com-7-24-2005.tar.gz[details.txt .pif]
Virus:W32/Sober.G.worm Not disinfected C:\Encore Coffee\IntlCoffee Backup\backup-intlcoffee.com-7-24-2005.tar.gz[p-zipped_file_data .pif]
Virus:mIRC/Gen Not disinfected C:\INTERNET\Mirc541\inibackup\POPUPS.INI
Virus:Bck/mIRCBased.AC Not disinfected C:\INTERNET\Mirc541\mirc32.exe
Virus:W32/Sober.G.worm Not disinfected C:\intlcoffee\Website\mail\sbc\inbox[p-zipped_file_data .pif]
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\d?dplay.exe
Adware:Adware/WebHancer Not disinfected D:\WD31300 Backup 011505\WINDOWS\whAgent.inf
Adware:Adware/eZula Not disinfected D:\WD31300 Backup 011505\WINDOWS\SYSTEM\stub.exe
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Tasks\rwin98-l.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Tasks\rwin98-l.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Offline Web Pages\green%20flash%20doll.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Offline Web Pages\green%20flash%20doll.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Downloaded Program Files\me.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Downloaded Program Files\me.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Downloaded Program Files\CONFLICT.2\shorty.nws
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Downloaded Program Files\CONFLICT.2\shorty.nws[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Downloaded Program Files\CONFLICT.1\kutecuple.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\Downloaded Program Files\CONFLICT.1\kutecuple.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\smokey light.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\smokey light.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\mammals.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\mammals.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist012000052820000529\sungalssesinhairgirl.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist012000052820000529\sungalssesinhairgirl.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist012000060420000605\tiny5.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist012000060420000605\tiny5.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999112019991121\chanukah_feature2.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999112019991121\chanukah_feature2.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999112119991122\chic4.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999112119991122\chic4.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999101419991015\dontmess.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999101419991015\dontmess.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999090419990905\diagonal sand.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\History.IE5\MSHist011999090419990905\diagonal sand.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\MSHist011999033119990401\mygurls.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\MSHist011999033119990401\mygurls.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\MSHist011999033019990331\mammals.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\ERD\DriveC\WINDOWS\HISTORY\MSHist011999033019990331\mammals.eml[~0000002.~]
Virus:Bck/mIRCBased.AC Not disinfected D:\Maxtor Backup 011505\INTERNET\Mirc541\mirc32.exe
Virus:mIRC/Gen Not disinfected D:\Maxtor Backup 011505\INTERNET\Mirc541\inibackup\POPUPS.INI
Adware:Adware/Adblaster Not disinfected D:\Maxtor Backup 011505\Program Files\AdBlaster\adblaster.exe
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\WINDOWS\Tasks\68.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\WINDOWS\Tasks\68.eml[~0000002.~]
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\WINDOWS\Offline Web Pages\starbackround.eml
Virus:Exploit/iFrame Not disinfected D:\Maxtor Backup 011505\WINDOWS\Offline Web Pages\starbackround.eml[~0000002.~]
Virus:mIRC/Gen Not disinfected D:\Maxtor Backup 011505\WINDOWS\Desktop\Desk Top\Old Internet Hard Drive\Mirc541\inibackup\POPUPS.INI


Please note. By the time you read this, I will have already deleted every file that Panda found. Because Panda is so thorough, I'll run it again in the AM hours and let it finish its course. All of the above will be gone but it may find new ones. If it does, rest assured I'll delete those files also.

Once again Sam, thanks for your help. You seem to really know what's happening and how to battle these viruses.

TTerry

Edited by TTerry, 30 November 2005 - 08:26 PM.


#6
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

Instant Buzz (remove only)
Paltalk Messenger
PC PowerScan



Fix these lines with Hijackthis.

O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe


Delete this folder, if present.

C:\Program Files\Instant Buzz


Reboot and post a new hijackthis log.
Let me know how things are working for you now. Any improvement?
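
A way to triage a HijackThis log of the kind posted in this thread programmatically, as an added example that is neither part of the thread nor HijackThis's own code: it parses the `O<n> - <kind>: <detail>` line format, flags entries HijackThis reported as "(file missing)" (a toolbar, button or Run registration left behind after its file was removed), groups O9 button/menu pairs by CLSID so both halves of one component are treated together, and lists every entry naming a product that is about to be uninstalled, which is how the three Instant Buzz lines above belong to one another. The sample lines are copied from the log in this thread; the function and field names are my own, and the drive-path extraction is a plain regular expression, not a reimplementation of HijackThis's own parsing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample HijackThis entries copied from the log posted in this thread
# (the O3/O4 lines are the ones the responder asked to have fixed).
SAMPLE_LOG = r"""
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
""".strip()

# "O<n> - <kind>: <detail>"; the kind never contains a colon, the detail may.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): ?(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path in the detail, taken to end of line (paths contain spaces).
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
MISSING_FLAG = " (file missing)"


@dataclass
class Entry:
    section: str            # e.g. "O4"
    kind: str               # e.g. "HKLM\..\Run" or "Extra button"
    detail: str             # remainder of the line with the missing-file flag removed
    clsid: Optional[str]    # component GUID if the entry carries one (O3/O9/O16)
    path: Optional[str]     # local file the entry points to, if any
    file_missing: bool      # HijackThis could not find the file on disk


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers and non-O lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    missing = detail.endswith(MISSING_FLAG)
    if missing:
        detail = detail[: -len(MISSING_FLAG)]
    clsid_m = CLSID_RE.search(detail)
    path_m = DRIVE_PATH_RE.search(detail)
    return Entry(section, kind, detail,
                 clsid_m.group(0).upper() if clsid_m else None,
                 path_m.group(0) if path_m else None,
                 missing)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Registrations whose target file is gone: nothing loads from them,
    but they still clutter startup and are the usual 'fix these lines' candidates."""
    return [e for e in entries if e.file_missing]


def mentioning(entries: List[Entry], product: str) -> List[Entry]:
    """Entries naming a product, ignoring the '&' accelerator marker HijackThis
    prints inside menu names (e.g. 'Instant Bu&zz')."""
    needle = product.lower()
    return [e for e in entries if needle in e.detail.replace("&", "").lower()]


def by_clsid(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries that share a component GUID (an O9 button and its
    'Tools' menu item are one component and should be handled together)."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e)
    return groups


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section type, e.g. {'O9': 3, ...}."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("sections:", summarize(log))
    for e in orphaned(log):
        print("file missing:", e.section, e.path)
    for e in mentioning(log, "Instant Buzz"):
        print("Instant Buzz:", e.section, e.kind, e.path)
```

Running it against the full log is a matter of reading it from a file instead of `SAMPLE_LOG`. The `mentioning` check is what turns "uninstall Instant Buzz" into the concrete O3/O4/O9 lines to fix afterwards, and `orphaned` is a quick way to confirm that, after the uninstall and reboot, the leftover registrations are gone from the new log rather than merely pointing at a deleted file.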