Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan problems [CLOSED]


  • This topic is locked This topic is locked

#1
sixzero

sixzero

    New Member

  • Member
  • Pip
  • 4 posts
hi all,

a while back, everytime I booted up my computer an mIRC chat client box would open up but I never installed mIRC on this computer and when I would go into Add/Remove Programs, it wouldn't let me uninstall it, rather a blank window would pop up saying "Retry" or "Cancel.

I ran a symantec anti-virus scan and it found files such as:
rfc.exe, vrc.exe, msn16.exe, msn16.ocx, payload.dat, msmonk32.exe, you[1].js

Symantec would say:
action taken: backup
action description: this file was left unchanged

I ran an Ad-Aware scan and no threats came up.

I thought my brother fixed it when the mIRC box would stop opening on startup and the symantec scans would come up empty. My computer is running slow once again and it looks like I have it back on my system.

The HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:30 PM, on 11/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Documents and Settings\Ashrafi1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [MSN] msn16.exe
O4 - HKLM\..\Run: [Microsoft Windows GUI] msmonk32.exe
O4 - HKLM\..\Run: [Rcf Driver] rfc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111505 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [WinReg] c:\windows\system\svchost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunServices: [MSN] msn16.exe
O4 - HKLM\..\RunServices: [Microsoft Windows GUI] msmonk32.exe
O4 - HKLM\..\RunServices: [Rcf Driver] rfc.exe
O4 - HKCU\..\Run: [MSN] msn16.exe
O4 - HKCU\..\Run: [Rcf Driver] rfc.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


I notice that msn16.exe, msmonk32.exe, and rfc.exe are still on my system.

Thank you in advance for helping me with my problem.
  • 0

Advertisements


#2
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, sixzero.

You have quite a few viruses/trojans on there.

Please print out these instructions or save them in notepad.
(Start > Programs > Accessories > Notepad)

Please open Hijackthis, scan, and place a checkmark by the following files:

O4 - HKLM\..\Run: [MSN] msn16.exe
O4 - HKLM\..\Run: [Microsoft Windows GUI] msmonk32.exe
O4 - HKLM\..\Run: [Rcf Driver] rfc.exe
O4 - HKLM\..\Run: [WinReg] c:\windows\system\svchost.exe
O4 - HKLM\..\RunServices: [MSN] msn16.exe
O4 - HKLM\..\RunServices: [Microsoft Windows GUI] msmonk32.exe
O4 - HKLM\..\RunServices: [Rcf Driver] rfc.exe
O4 - HKCU\..\Run: [MSN] msn16.exe
O4 - HKCU\..\Run: [Rcf Driver] rfc.exe
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)

Close ALL open windows/browsers and click Fix Checked.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Also, please run the Trend-Micro Housecall Scan
  • Please go HERE to run Housecall.
  • Note: you must use Internet Explorer, other browsers will not work.
  • Under "Scan your PC", please click Scan now. It's free!
  • Select your location and click the Go button.
  • Click the red magnifying glass button.
  • Select Complete Scan.
  • Please be patient while Housecall downloads.
  • Please allow the ActiveX Control and when prompted click install
  • Put a check next to My Computer
  • Leave the following checked:
    • Scan for Spyware
      Check security vulnerabilities
  • Click the Next button.
  • It will download the latest scan engine and pattern files.
  • When the definitions have been downloaded, the scan will start.
  • After it's done scanning it will take you to the summary page.
  • Click the Next button.
  • Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
  • Click the Next button to move onto the recovery (final) portion of the scan.
  • After everything has been removed, please click the show button on everything.
  • Highlight all the of text and press CTRL + C to copy the text.
  • Please post the contents into your next reply.
So in all, I need a new Hijackthis log, the log from HouseCall, and the log from [b]Kaspersky
.
  • 0

#3
sixzero

sixzero

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you OwNt for all your help!

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:52:32 AM, on 11/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Ashrafi1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111505 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Here is my Kapersky scan logfile: (Am I correct in assuming I have to manually delete the virus files?)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 06, 2005 02:20:53
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/11/2005
Kaspersky Anti-Virus database records: 158439
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
X:\

Scan Statistics:
Total number of scanned objects: 128235
Number of viruses found: 27
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 6366 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03A40000.VBN Infected: Trojan.JS.NoClose
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03A40001.VBN Infected: Trojan.JS.NoClose
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00000.VBN Infected: Trojan.Win32.Qhost
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00001.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00002.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240000.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240001.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240002.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240003.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240004.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240005.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240006.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240007.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240008.VBN Infected: Backdoor.Win32.Agobot.lo
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240009.VBN Infected: Trojan-Proxy.Win32.SpamPimp.d
C:\Documents and Settings\Ashrafi1\Local Settings\Temporary Internet Files\Content.IE5\8RVFIOPH\free_access[1].cab/YSBactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Documents and Settings\Ashrafi1\Local Settings\Temporary Internet Files\Content.IE5\8RVFIOPH\free_access[1].cab Infected: Trojan-Downloader.Win32.IstBar.gen
C:\frank.exe/mirc.ini Infected: Backdoor.IRC.Zapchast
C:\frank.exe/rundll32.exe Infected: not-a-virus:RiskTool.Win32.HideWindows
C:\frank.exe/svchost.exe Infected: Backdoor.Win32.mIRC-based
C:\frank.exe Infected: Backdoor.Win32.mIRC-based
C:\windows\system\rundll32.exe Infected: not-a-virus:RiskTool.Win32.HideWindows
E:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp Infected: Backdoor.Win32.Agent.co
E:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g
E:\WIN2K\Downloaded Program Files\fswinst.ocx Infected: not-a-virus:AdWare.Win32.FreeScratch.a
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06700000.VBN Infected: Net-Worm.Win32.Welchia.b
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06700001.VBN Infected: Email-Worm.Win32.Mimail.r
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Rem2C3.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\toolbar.dll Infected: not-a-virus:AdWare.Win32.WebSearch.t
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\xam2C4.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\bar.exe/data0001 Infected: not-a-virus:AdWare.Win32.IeSearchBar
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\bar.exe Infected: not-a-virus:AdWare.Win32.IeSearchBar
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\tb_setup.exe Infected: not-a-virus:AdWare.Win32.WebSearch.ba
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\FLEOK\msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\ss_cdt_setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sidesearch.e
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\ss_cdt_setup.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.e
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\soeqyt.exe Infected: Backdoor.Win32.Agent.cg
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\8TQJC96Z\CA8DEVCH.htm Infected: Trojan-Downloader.JS.FlingStone
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\RAOZ3T8L\kzpop[1].htm Infected: Trojan.JS.NoClose.i
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\XJ7B11G6\hidden[1].htm Infected: Trojan.JS.NoClose.j
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\8ZXFI67H\software[1].cab/soeqyt.exe Infected: Backdoor.Win32.Agent.cg
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\8ZXFI67H\software[1].cab Infected: Backdoor.Win32.Agent.cg
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temporary Internet Files\Content.IE5\RRPJNL4K\home[8].aspx Infected: Trojan.JS.Cardst
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe Infected: not-a-virus:AdWare.Win32.Cydoor

Scan process completed.


Here is my Housecall Scan log:

Virus Scan 0 virus cleaned, 2 viruses deleted


Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 2 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
E:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp BKDR_BDI.A Deletion successful
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\RAOZ3T8L\kzpop[1].htm JS_NOCLOSE.E Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 10 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 10 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 10 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_45 Cookie Removal successful
COOKIE_281 Cookie Removal successful
COOKIE_442 Cookie Removal successful
COOKIE_722 Cookie Removal successful
COOKIE_1020 Cookie Removal successful
COOKIE_1433 Cookie Removal successful
COOKIE_1523 Cookie Removal successful
COOKIE_2631 Cookie Removal successful
COOKIE_3081 Cookie Removal successful
COOKIE_3235 Cookie Removal successful




Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix




Thanks for all your help.
  • 0

#4
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, sixzero.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03A40000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03A40001.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00001.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00002.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240001.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240002.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240003.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240004.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240005.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240006.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240007.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240008.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240009.VBN
C:\Documents and Settings\Ashrafi1\Local Settings\Temporary Internet Files\Content.IE5
C:\frank.exe/mirc.ini
C:\frank.exe/rundll32.exe
C:\frank.exe/svchost.exe
C:\frank.exe
C:\windows\system\rundll32.exe
E:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp
E:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
E:\WIN2K\Downloaded Program Files\fswinst.ocx
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06700000.VBN
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06700001.VBN
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Rem2C3.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\toolbar.dll
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\xam2C4.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\bar.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\bar.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\tb_setup.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\msbb.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\FLEOK\msbb.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\ss_cdt_setup.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\ss_cdt_setup.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\soeqyt.exe
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temporary Internet Files\Content.IE5
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004/cd_clint.dll


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

How is your computer running?
  • 0

#5
sixzero

sixzero

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
hello OwNt,

my compuer is running much faster! thanks for all your help.
  • 0

#6
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, sixzero.

Your log is clean! :tazz:

Here are some tips to help keep your computer secure.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

  • 0

#7
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP