
what's wrong with my compy?!


15 replies to this topic

#1 perplexed22

perplexed22

  • Members
  • 98 posts
  • OFFLINE
  • Local time:04:18 AM

Posted 29 May 2005 - 04:23 PM

Hey there!

Well, I don't know if there is anything that is officially wrong with my computer; maybe it was just too tired last night. But I would type in an address and it would either close right when it loaded, or sometimes when I just clicked Enter or Go, so I was wondering if there's something wrong with that.

Also, I have been getting this stupid message from, I think, my Sygate Firewall so many times:

An application named NDIS User mode I/O Driver (file name ndisula.sys) has been blocked from accessing the network.

So I was wondering about that.

Oh, and I ran Norton AntiVirus and it found some infected file, I think, and this official Microsoft computer window came up and said that some files have been replaced by unrecognizable files.

Thanks for any help.


Logfile of HijackThis v1.99.1
Scan saved at 4:27:21 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\temp\salm.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom Hangge\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [huf] C:\WINDOWS\huf.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy 2\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by perplexed22, 29 May 2005 - 04:29 PM.



#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 30 May 2005 - 07:55 AM

Hi perplexed22 and Welcome to the Bleeping Computer!

Please temporarily disable TeaTimer in Spybot S&D, as it may prevent part of this fix:
Open Spybot and click on Mode, then check Advanced Mode.
Click Yes in the next window.
Click on Tools in the bottom left-hand corner.
Click on Resident. Uncheck the Resident "TeaTimer" box.
Close Spybot.

Please download Ewido Security Suite, install it, then from within the program check for updates BUT don't scan yet.
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Please Download ANTIDOTE for PC AntiVirus SuperLite
http://www.vintage-solutions.com/English/Antivirus/Super/

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. This must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Please go to Add\Remove Programs and Remove

MediaAccess
WildTangent CDA
180Solutions\nCase
Active Alert
Internet Optimizer
AWS\WeatherBug


Please Scan the PC with Ewido and Save the log it produces!

Locate and Delete these files or folders

C:\WINDOWS\nem220.dll<< File Only!

C:\WINDOWS\huf.exe<< File Only!

C:\WINDOWS\System32\msmsgs.exe<< File Only and in the location only!

C:\WINDOWS\System32\ap9h4qmo.exe<< File Only!

C:\Program Files\Media Access<< Folder!

C:\Program Files\WildTangent<< Folder!

C:\Program Files\AWS<< Folder!

Go to C:\temp<< Open that folder and delete all contents inside!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

R3 - Default URLSearchHook is missing

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [huf] C:\WINDOWS\huf.exe

O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and Scan the PC with ANTIDOTE for PC AntiVirus SuperLite

Post the results of that Scan along with a fresh HijackThis log!
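
As an added example (not from this thread and not HijackThis or Ewido code): a small Python triage script that parses the O2 and O4 lines of a HijackThis log and flags the same entries Cretemonster singled out, using the clues a helper reads from them: a binary in C:\temp, a file dropped straight into the Windows root, a random-looking file name, and a known system binary name (msmsgs.exe) sitting in the wrong folder. The sample log is a constructed subset of the log posted above; the heuristics and the EXPECTED_HOME table are my assumptions, not a complete signature set.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in this thread,
# kept as an r-string so the backslashes survive verbatim.
SAMPLE_LOG = r"""
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [huf] C:\WINDOWS\huf.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# The two HijackThis line types handled here: O4 (Run keys) and O2 (browser helper objects).
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# First drive-letter path in a command line (quoted or not) ending in a binary extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys))', re.IGNORECASE)

# Assumed table: where a well-known Windows XP binary normally lives. A file with the
# same name elsewhere is a name collision worth a second look (the msmsgs.exe case above).
EXPECTED_HOME: Dict[str, str] = {
    "msmsgs.exe": r"c:\program files\messenger",
}


def extract_path(command: str) -> str:
    """Pull the executable/DLL path out of an O4 command line, ignoring switches."""
    m = PATH_RE.search(command)
    return m.group(1) if m else ""


def looks_random(stem: str) -> bool:
    """Heuristic: 6+ lowercase letters and digits with digits mixed in, not merely trailing
    ('ap9h4qmo' yes; 'nem220' and 'cdaEngine0400' no)."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z0-9]{6,}", s) or not re.search(r"\d", s):
        return False
    return not re.fullmatch(r"[a-z]+\d+", s)


def assess(path: str) -> List[str]:
    """Return the list of reasons a path deserves attention (empty list means nothing noted)."""
    reasons: List[str] = []
    low = path.lower()
    parts = low.split("\\")
    folder, base = "\\".join(parts[:-1]), parts[-1]
    stem = base.rsplit(".", 1)[0]
    if "temp" in parts[:-1]:
        reasons.append("runs from a temp directory")
    if folder in (r"c:\windows", r"c:\winnt"):
        reasons.append("dropped directly in the Windows root rather than a subfolder")
    if looks_random(stem):
        reasons.append("random-looking file name")
    home = EXPECTED_HOME.get(base)
    if home and folder != home:
        reasons.append(f"{base} expected under {home}, found in {folder}")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (entry name, path, reasons) for every O2/O4 entry with at least one reason."""
    findings: List[Tuple[str, str, List[str]]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, path = m.group("name"), extract_path(m.group("cmd"))
        else:
            m = O2_RE.match(line)
            if not m:
                continue
            name, path = m.group("name"), m.group("path").strip()
        reasons = assess(path)
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {path}\n    " + "\n    ".join(reasons))
```

Entries such as MediaAccK.exe and the WildTangent DLL pass these path heuristics unnoticed, which is why the helper's list above also relies on knowing the adware by name; the script narrows the log, it does not replace that knowledge.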

#3 perplexed22

perplexed22
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE

Posted 30 May 2005 - 07:57 PM

WOW! That took a long time to do. Is that typical? It must have taken almost 4 hours to scan both things and everything.

Here are the results from the Antidote but I took out the names for privacy.

=== ANTIDOTE for PC Viruses Super Lite Log File ===


Virus Check at : Mon May 30 19:39:28 2005
Target Path for Virus Check : C:\

<<< Virus Check Statistics >>>

1 System Memory = OK
2 Boot Sector = OK
3 Master Boot Records = OK
4 C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dot = Archive : Embedded
5 C:\Documents and Settings\Administrator\Templates\winword.doc = Archive : Embedded
6 C:\Documents and Settings\A\Application Data\Microsoft\Templates\Normal.dot = Archive : Embedded
7 C:\Documents and Settings\A\My Documents\Unbelievably Different.doc = Archive : Embedded
8 C:\Documents and Settings\A\Templates\winword.doc = Archive : Embedded
9 C:\Documents and Settings\Default User\Templates\winword.doc = Archive : Embedded
10 C:\Documents and Settings\M\Templates\winword.doc = Archive : Embedded
11 C:\Documents and Settings\N\Templates\winword.doc = Archive : Embedded
12 C:\Documents and Settings\P\Application Data\Microsoft\Templates\Normal.dot = Archive : Embedded
13 C:\Documents and Settings\P\Local Settings\Temp\~916893.tmp = Infected : Trojan-Downloader.Win32.Wintool.a
14 C:\Documents and Settings\P\Local Settings\Temp\~966082.tmp = Infected : Trojan-Downloader.Win32.Wintool.a
15 C:\Documents and Settings\P\Templates\winword.doc = Archive : Embedded
16 C:\Documents and Settings\T\Application Data\Microsoft\Templates\Normal.dot = Archive : Embedded
17 C:\Documents and Settings\T\Local Settings\Temp\~WRC1353.tmp = Archive : Embedded
18 C:\Documents and Settings\T\Local Settings\Temp\~WRC2454.tmp = Archive : Embedded
19 C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\3YWCYURN\a070ae76[1].js = Infected : Trojan-Downloader.JS.WinAD.g
20 C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\3YWCYURN\ysb_prompt[1].htm = Infected : Trojan-Downloader.JS.IstBar.j
21 C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\45U78LYZ\stats9[1].htm = Infected : Exploit.HTML.Mht
22 C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\GP2J6ZKD\Biol1126%20syllabus[1].doc = Archive : Embedded
23 C:\Documents and Settings\T\My Documents\1984 vs fahrenheit 451.doc = Archive : Embedded
24 C:\Documents and Settings\T\My Documents\20 century.doc = Archive : Embedded
25 C:\Documents and Settings\T\My Documents\20th century books.doc = Archive : Embedded
26 C:\Documents and Settings\T\My Documents\20th century.doc = Archive : Embedded
27 C:\Documents and Settings\T\My Documents\7th grade play green filled ticket.doc = Archive : Embedded
28 C:\Documents and Settings\T\My Documents\7th grade play mult. green tickets.doc = Archive : Embedded
29 C:\Documents and Settings\T\My Documents\7th grade play mult. orange tickets.doc = Archive : Embedded
30 C:\Documents and Settings\T\My Documents\7th grade play orange filled ticket.doc = Archive : Embedded
31 C:\Documents and Settings\T\My Documents\7th grade play seat numbers.doc = Archive : Embedded
32 C:\Documents and Settings\T\My Documents\7th grade play ticket.doc = Archive : Embedded
33 C:\Documents and Settings\T\My Documents\a Bibliography.doc = Archive : Embedded
34 C:\Documents and Settings\T\My Documents\a Mitochondria.doc = Archive : Embedded
35 C:\Documents and Settings\T\My Documents\a new random fact.doc = Archive : Embedded
36 C:\Documents and Settings\T\My Documents\a Rough Endoplasmic Reticulum.doc = Archive : Embedded
37 C:\Documents and Settings\T\My Documents\a Smooth Endoplasmic Reticulum.doc = Archive : Embedded
38 C:\Documents and Settings\T\My Documents\aCentrioles.doc = Archive : Embedded
39 C:\Documents and Settings\T\My Documents\acomputer.doc = Archive : Embedded
40 C:\Documents and Settings\T\My Documents\aCytosol.doc = Archive : Embedded
41 C:\Documents and Settings\T\My Documents\advertising.doc = Archive : Embedded
42 C:\Documents and Settings\T\My Documents\aGolgi Bodies.doc = Archive : Embedded
43 C:\Documents and Settings\T\My Documents\Albino Rat Project conclusion 4-11-05.doc = Archive : Embedded
44 C:\Documents and Settings\T\My Documents\Albino Rat Project Video Questions 3-13-05.doc = Archive : Embedded
45 C:\Documents and Settings\T\My Documents\aLysosomes.doc = Archive : Embedded
46 C:\Documents and Settings\T\My Documents\Am Form.doc = Archive : Embedded
47 C:\Documents and Settings\T\My Documents\aMicrotubules.doc = Archive : Embedded
48 C:\Documents and Settings\T\My Documents\an explication.doc = Archive : Embedded
49 C:\Documents and Settings\T\My Documents\A Nutrition March 23rd.doc = Archive : Embedded
50 C:\Documents and Settings\T\My Documents\A's Christmas List 04.doc = Archive : Embedded
51 C:\Documents and Settings\T\My Documents\A's Haikus.doc = Archive : Embedded
52 C:\Documents and Settings\T\My Documents\A's Literature Story 3-13-05.doc = Archive : Embedded
53 C:\Documents and Settings\T\My Documents\A's Panama facts and recipe.doc = Archive : Embedded
54 C:\Documents and Settings\T\My Documents\A's Poems and Table of Contents.doc = Archive : Embedded
55 C:\Documents and Settings\T\My Documents\a's science definitions.doc = Archive : Embedded
56 C:\Documents and Settings\T\My Documents\A's Think and Write Questions pg E15.doc = Archive : Embedded
57 C:\Documents and Settings\T\My Documents\A's Wolf Ridge paper 2004.doc = Archive : Embedded
58 C:\Documents and Settings\T\My Documents\aNucleolus.doc = Archive : Embedded
59 C:\Documents and Settings\T\My Documents\aNucleus.doc = Archive : Embedded
60 C:\Documents and Settings\T\My Documents\aPlasma Membrane.doc = Archive : Embedded
61 C:\Documents and Settings\T\My Documents\aPlease Disregard.doc = Archive : Embedded
62 C:\Documents and Settings\T\My Documents\aRibosomes.doc = Archive : Embedded
63 C:\Documents and Settings\T\My Documents\art picture.doc = Archive : Embedded
64 C:\Documents and Settings\T\My Documents\art pictures.doc = Archive : Embedded
65 C:\Documents and Settings\T\My Documents\aTheme Explanations.doc = Archive : Embedded
66 C:\Documents and Settings\T\My Documents\baby chick intro.doc = Archive : Embedded
67 C:\Documents and Settings\T\My Documents\barf.doc = Archive : Embedded
68 C:\Documents and Settings\T\My Documents\bio analysis.doc = Archive : Embedded
69 C:\Documents and Settings\T\My Documents\bio characteristics.doc = Archive : Embedded
70 C:\Documents and Settings\T\My Documents\bio chart angela style.doc = Archive : Embedded
71 C:\Documents and Settings\T\My Documents\bio chart patrick way.doc = Archive : Embedded
72 C:\Documents and Settings\T\My Documents\bio chart word.doc = Archive : Embedded
73 C:\Documents and Settings\T\My Documents\bio charts.ppt = Archive : Embedded
74 C:\Documents and Settings\T\My Documents\Bio Conclusion.doc = Archive : Embedded
75 C:\Documents and Settings\T\My Documents\bio decription and causes.doc = Archive : Embedded
76 C:\Documents and Settings\T\My Documents\bio dna key.doc = Archive : Embedded
77 C:\Documents and Settings\T\My Documents\bio end. species.doc = Archive : Embedded
78 C:\Documents and Settings\T\My Documents\bio examing cells purpose.doc = Archive : Embedded
79 C:\Documents and Settings\T\My Documents\bio genetics worksheets.doc = Archive : Embedded
80 C:\Documents and Settings\T\My Documents\bio headings.doc = Archive : Embedded
81 C:\Documents and Settings\T\My Documents\bio male female Meiosis.doc = Archive : Embedded
82 C:\Documents and Settings\T\My Documents\bio microscope Conclusion.doc = Archive : Embedded
83 C:\Documents and Settings\T\My Documents\bio microscope purpose.doc = Archive : Embedded
84 C:\Documents and Settings\T\My Documents\bio microscope title page.doc = Archive : Embedded
85 C:\Documents and Settings\T\My Documents\bio Microtubules.doc = Archive : Embedded
86 C:\Documents and Settings\T\My Documents\bio mitosis meiosis.doc = Archive : Embedded
87 C:\Documents and Settings\T\My Documents\Bio Multiple Choice Tests.doc = Archive : Embedded
88 C:\Documents and Settings\T\My Documents\bio nitrogen cycle.doc = Archive : Embedded
89 C:\Documents and Settings\T\My Documents\bio no phone call letter.doc = Archive : Embedded
90 C:\Documents and Settings\T\My Documents\bio other notes.doc = Archive : Embedded
91 C:\Documents and Settings\T\My Documents\bio pedigree.doc = Archive : Embedded
92 C:\Documents and Settings\T\My Documents\bio phone call letter.doc = Archive : Embedded
93 C:\Documents and Settings\T\My Documents\bio pictures.doc = Archive : Embedded
94 C:\Documents and Settings\T\My Documents\bio pig bibliography.doc = Archive : Embedded
95 C:\Documents and Settings\T\My Documents\bio pig Part 1 Chart M.doc = Archive : Embedded
96 C:\Documents and Settings\T\My Documents\bio pig part 2.doc = Archive : Embedded
97 C:\Documents and Settings\T\My Documents\bio pig part 4 chart k.doc = Archive : Embedded
98 C:\Documents and Settings\T\My Documents\bio pig part one.doc = Archive : Embedded
99 C:\Documents and Settings\T\My Documents\bio pig purpose.doc = Archive : Embedded
100 C:\Documents and Settings\T\My Documents\bio pig title page.doc = Archive : Embedded
101 C:\Documents and Settings\T\My Documents\bio pig.doc = Archive : Embedded
102 C:\Documents and Settings\T\My Documents\bio study guide 2.doc = Archive : Embedded
103 C:\Documents and Settings\T\My Documents\bio study guide blank.doc = Archive : Embedded
104 C:\Documents and Settings\T\My Documents\bio study guide final 1.doc = Archive : Embedded
105 C:\Documents and Settings\T\My Documents\Bio Study Guide.doc = Archive : Embedded
106 C:\Documents and Settings\T\My Documents\bio title page.doc = Archive : Embedded
107 C:\Documents and Settings\T\My Documents\bio titlle.doc = Archive : Embedded
108 C:\Documents and Settings\T\My Documents\bio ways to help.doc = Archive : Embedded
109 C:\Documents and Settings\T\My Documents\bio What Can I Do to Help.doc = Archive : Embedded
110 C:\Documents and Settings\T\My Documents\bio.doc = Archive : Embedded
111 C:\Documents and Settings\T\My Documents\blundies.doc = Archive : Embedded
112 C:\Documents and Settings\T\My Documents\calendar.doc = Archive : Embedded
113 C:\Documents and Settings\T\My Documents\Cell Division.doc = Archive : Embedded
114 C:\Documents and Settings\T\My Documents\Ch 10.doc = Archive : Embedded
115 C:\Documents and Settings\T\My Documents\Ch 12.doc = Archive : Embedded
116 C:\Documents and Settings\T\My Documents\ch 3.doc = Archive : Embedded
117 C:\Documents and Settings\T\My Documents\Ch 5.doc = Archive : Embedded
118 C:\Documents and Settings\T\My Documents\ch 6.doc = Archive : Embedded
119 C:\Documents and Settings\T\My Documents\ch 7.doc = Archive : Embedded
120 C:\Documents and Settings\T\My Documents\Ch 8.doc = Archive : Embedded
121 C:\Documents and Settings\T\My Documents\Chapter 5.doc = Archive : Embedded
122 C:\Documents and Settings\T\My Documents\Chapter 9.doc = Archive : Embedded
123 C:\Documents and Settings\T\My Documents\chimp project.doc = Archive : Embedded
124 C:\Documents and Settings\T\My Documents\Choice Poems 1 and 2 Anna.doc = Archive : Embedded
125 C:\Documents and Settings\T\My Documents\Château of Cheverny.ppt = Archive : Embedded
126 C:\Documents and Settings\T\My Documents\college essay.doc = Archive : Embedded
127 C:\Documents and Settings\T\My Documents\college resume.doc = Archive : Embedded
128 C:\Documents and Settings\T\My Documents\Couplet, Quatrain, Cinquain, Free Verse.doc = Archive : Embedded
129 C:\Documents and Settings\T\My Documents\development paper.doc = Archive : Embedded
130 C:\Documents and Settings\T\My Documents\diego pictures.doc = Archive : Embedded
131 C:\Documents and Settings\T\My Documents\Diego Rivera.doc = Archive : Embedded
132 C:\Documents and Settings\T\My Documents\diego speach.doc = Archive : Embedded
133 C:\Documents and Settings\T\My Documents\Doc1.doc = Archive : Embedded
134 C:\Documents and Settings\T\My Documents\Doc2.doc = Archive : Embedded
135 C:\Documents and Settings\T\My Documents\Doc3.doc = Archive : Embedded
136 C:\Documents and Settings\T\My Documents\duke scholarship application.doc = Archive : Embedded
137 C:\Documents and Settings\T\My Documents\english antonia paper.doc = Archive : Embedded
138 C:\Documents and Settings\T\My Documents\english book questions.doc = Archive : Embedded
139 C:\Documents and Settings\T\My Documents\English Hercules Power Point.ppt = Archive : Embedded
140 C:\Documents and Settings\T\My Documents\english islands.doc = Archive : Embedded
141 C:\Documents and Settings\T\My Documents\english mice and men thing.doc = Archive : Embedded
142 C:\Documents and Settings\T\My Documents\english of mice and men.doc = Archive : Embedded
143 C:\Documents and Settings\T\My Documents\english Outline.doc = Archive : Embedded
144 C:\Documents and Settings\T\My Documents\english paper.doc = Archive : Embedded
145 C:\Documents and Settings\T\My Documents\english pres. notecards.doc = Archive : Embedded
146 C:\Documents and Settings\T\My Documents\english pres. outline'.doc = Archive : Embedded
147 C:\Documents and Settings\T\My Documents\english questions.doc = Archive : Embedded
148 C:\Documents and Settings\T\My Documents\english research paper.doc = Archive : Embedded
149 C:\Documents and Settings\T\My Documents\english sonnet paper.doc = Archive : Embedded
150 C:\Documents and Settings\T\My Documents\english sonnet.doc = Archive : Embedded
151 C:\Documents and Settings\T\My Documents\english thing that is stupid.doc = Archive : Embedded
152 C:\Documents and Settings\T\My Documents\english visual.doc = Archive : Embedded
153 C:\Documents and Settings\T\My Documents\English visual.ppt = Archive : Embedded
154 C:\Documents and Settings\T\My Documents\English Vocabulary Final Words.doc = Archive : Embedded
155 C:\Documents and Settings\T\My Documents\English Vocabulary Study Guide.doc = Archive : Embedded
156 C:\Documents and Settings\T\My Documents\Englsih works cited.doc = Archive : Embedded
157 C:\Documents and Settings\T\My Documents\french biblio.doc = Archive : Embedded
158 C:\Documents and Settings\T\My Documents\french brochure 2.doc = Archive : Embedded
159 C:\Documents and Settings\T\My Documents\french brochure.doc = Archive : Embedded
160 C:\Documents and Settings\T\My Documents\french health script.doc = Archive : Embedded
161 C:\Documents and Settings\T\My Documents\french list.doc = Archive : Embedded
162 C:\Documents and Settings\T\My Documents\french monaco script.doc = Archive : Embedded
163 C:\Documents and Settings\T\My Documents\French paper.doc = Archive : Embedded
164 C:\Documents and Settings\T\My Documents\french review.doc = Archive : Embedded
165 C:\Documents and Settings\T\My Documents\french script.doc = Archive : Embedded
166 C:\Documents and Settings\T\My Documents\french story.doc = Archive : Embedded
167 C:\Documents and Settings\T\My Documents\german children.doc = Archive : Embedded
168 C:\Documents and Settings\T\My Documents\Golgi Bodies.doc = Archive : Embedded
169 C:\Documents and Settings\T\My Documents\Good Shape Script.doc = Archive : Embedded
170 C:\Documents and Settings\T\My Documents\Hammurabi.doc = Archive : Embedded
171 C:\Documents and Settings\T\My Documents\H's birthday note.doc = Archive : Embedded
172 C:\Documents and Settings\T\My Documents\history han and rome papr.doc = Archive : Embedded
173 C:\Documents and Settings\T\My Documents\history journal.doc = Archive : Embedded
174 C:\Documents and Settings\T\My Documents\history paper.doc = Archive : Embedded
175 C:\Documents and Settings\T\My Documents\history religion.doc = Archive : Embedded
176 C:\Documents and Settings\T\My Documents\holocaust.doc = Archive : Embedded
177 C:\Documents and Settings\T\My Documents\interview.doc = Archive : Embedded
178 C:\Documents and Settings\T\My Documents\Inews.doc = Archive : Embedded
179 C:\Documents and Settings\T\My Documents\jewish resistance.doc = Archive : Embedded
180 C:\Documents and Settings\T\My Documents\Limerick by A.doc = Archive : Embedded
181 C:\Documents and Settings\T\My Documents\lord of the flis.doc = Archive : Embedded
182 C:\Documents and Settings\T\My Documents\math assignment.doc = Archive : Embedded
183 C:\Documents and Settings\T\My Documents\math proj.doc = Archive : Embedded
184 C:\Documents and Settings\To\My Documents\meiosis study guide.doc = Archive : Embedded
185 C:\Documents and Settings\T\My Documents\mitosis meiosis study guide.doc = Archive : Embedded
186 C:\Documents and Settings\T\My Documents\Myth on Why Water is Clear.doc = Archive : Embedded
187 C:\Documents and Settings\T\My Documents\nothing makes you free.doc = Archive : Embedded
188 C:\Documents and Settings\T\My Documents\participation.doc = Archive : Embedded
189 C:\Documents and Settings\T\My Documents\p bio evaluation.doc = Archive : Embedded
190 C:\Documents and Settings\T\My Documents\P new scholarship letter.doc = Archive : Embedded
191 C:\Documents and Settings\T\My Documents\P App.doc = Archive : Embedded
192 C:\Documents and Settings\T\My Documents\psych development paper.doc = Archive : Embedded
193 C:\Documents and Settings\T\My Documents\Rel Bibliography.doc = Archive : Embedded
194 C:\Documents and Settings\T\My Documents\religion biblio.doc = Archive : Embedded
195 C:\Documents and Settings\T\My Documents\religion cover.doc = Archive : Embedded
196 C:\Documents and Settings\T\My Documents\religion newspaper.doc = Archive : Embedded
197 C:\Documents and Settings\T\My Documents\religion script project.doc = Archive : Embedded
198 C:\Documents and Settings\T\My Documents\religion script.doc = Archive : Embedded
199 C:\Documents and Settings\T\My Documents\religion study guide.doc = Archive : Embedded
200 C:\Documents and Settings\T\My Documents\religion The Book of Titus.doc = Archive : Embedded
201 C:\Documents and Settings\T\My Documents\Review questions a.doc = Archive : Embedded
202 C:\Documents and Settings\T\My Documents\senior course schedule.doc = Archive : Embedded
203 C:\Documents and Settings\T\My Documents\separate peace 5 para. essay.doc = Archive : Embedded
204 C:\Documents and Settings\T\My Documents\separate peace ch1 & 2.doc = Archive : Embedded
205 C:\Documents and Settings\T\My Documents\Separate Peace.doc = Archive : Embedded
206 C:\Documents and Settings\T\My Documents\serf.doc = Archive : Embedded
207 C:\Documents and Settings\T\My Documents\sexism.ppt = Archive : Embedded
208 C:\Documents and Settings\T\My Documents\st b.doc = Archive : Embedded
209 C:\Documents and Settings\T\My Documents\st t scholarship.doc = Archive : Embedded
210 C:\Documents and Settings\T\My Documents\St. P's exit letter.doc = Archive : Embedded
211 C:\Documents and Settings\T\My Documents\teen driving.doc = Archive : Embedded
212 C:\Documents and Settings\T\My Documents\The Book of Titus.ppt = Archive : Embedded
213 C:\Documents and Settings\T\My Documents\Th.doc = Archive : Embedded
214 C:\Documents and Settings\T\My Documents\Think and Write Questions pg. A31.doc = Archive : Embedded
215 C:\Documents and Settings\T\My Documents\Two Different Sides.doc = Archive : Embedded
216 C:\Documents and Settings\T\My Documents\Wolf Ridge Field Trip Questions.doc = Archive : Embedded
217 C:\Documents and Settings\T\My Documents\wolf ridge questions.doc = Archive : Embedded
218 C:\Documents and Settings\T\My Documents\~WRL0003.tmp = Archive : Embedded
219 C:\Documents and Settings\T\My Documents\~WRL1059.tmp = Archive : Embedded
220 C:\Documents and Settings\T\Templates\winword.doc = Archive : Embedded
221 C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\PRO11.MSI = Archive : Embedded
222 C:\Program Files\Common Files\Wise Installation Wizard\WISF34D9A5F484A4E31A9D3908CB265B289_5_6_2808.MSI = Archive : Embedded
223 C:\Program Files\iPod\iPod Updater 2004-08-06\readme.doc = Archive : Embedded
224 C:\Program Files\Microsoft Office\Office10\WEBPAGE.WIZ = Archive : Embedded
225 C:\Program Files\Microsoft Office\Office10\1033\EMAIL.DOT = Archive : Embedded
226 C:\Program Files\Microsoft Office\Office10\1033\EXPTOOWS.XLA = Archive : Embedded
227 C:\Program Files\Microsoft Office\Office10\1033\QUIKANIM.PPT = Archive : Embedded
228 C:\Program Files\Microsoft Office\Office10\Library\HTML.XLA = Archive : Embedded
229 C:\Program Files\Microsoft Office\Office10\Samples\SAMPLES.XLS = Archive : Embedded
230 C:\Program Files\Microsoft Office\Office10\Samples\SOLVSAMP.XLS = Archive : Embedded
231 C:\Program Files\Microsoft Office\Templates\1033\Business Plan.pot = Archive : Embedded
232 C:\Program Files\Microsoft Office\Templates\1033\Communicating Bad News.pot = Archive : Embedded
233 C:\Program Files\Microsoft Office\Templates\1033\Contemporary Fax.dot = Archive : Embedded
234 C:\Program Files\Microsoft Office\Templates\1033\Contemporary Letter.dot = Archive : Embedded
235 C:\Program Files\Microsoft Office\Templates\1033\Contemporary Memo.dot = Archive : Embedded
236 C:\Program Files\Microsoft Office\Templates\1033\Contemporary Resume.dot = Archive : Embedded
237 C:\Program Files\Microsoft Office\Templates\1033\CONTMADR.DOT = Archive : Embedded
238 C:\Program Files\Microsoft Office\Templates\1033\CONTMFAX.DOT = Archive : Embedded
239 C:\Program Files\Microsoft Office\Templates\1033\CONTMLTR.DOT = Archive : Embedded
240 C:\Program Files\Microsoft Office\Templates\1033\Elegant Fax.dot = Archive : Embedded
241 C:\Program Files\Microsoft Office\Templates\1033\Elegant Letter.dot = Archive : Embedded
242 C:\Program Files\Microsoft Office\Templates\1033\Elegant Memo.dot = Archive : Embedded
243 C:\Program Files\Microsoft Office\Templates\1033\Elegant Resume.dot = Archive : Embedded
244 C:\Program Files\Microsoft Office\Templates\1033\ELEGMADR.DOT = Archive : Embedded
245 C:\Program Files\Microsoft Office\Templates\1033\ELEGMFAX.DOT = Archive : Embedded
246 C:\Program Files\Microsoft Office\Templates\1033\ELEGMLTR.DOT = Archive : Embedded
247 C:\Program Files\Microsoft Office\Templates\1033\Envelope Wizard.wiz = Archive : Embedded
248 C:\Program Files\Microsoft Office\Templates\1033\Fax Wizard.wiz = Archive : Embedded
249 C:\Program Files\Microsoft Office\Templates\1033\Financial Overview.pot = Archive : Embedded
250 C:\Program Files\Microsoft Office\Templates\1033\Generic.pot = Archive : Embedded
251 C:\Program Files\Microsoft Office\Templates\1033\LABEL.WIZ = Archive : Embedded
252 C:\Program Files\Microsoft Office\Templates\1033\Letter Wizard.wiz = Archive : Embedded
253 C:\Program Files\Microsoft Office\Templates\1033\Marketing Plan.pot = Archive : Embedded
254 C:\Program Files\Microsoft Office\Templates\1033\Memo Wizard.wiz = Archive : Embedded
255 C:\Program Files\Microsoft Office\Templates\1033\MERGELTR.DOT = Archive : Embedded
256 C:\Program Files\Microsoft Office\Templates\1033\Motivating A Team.pot = Archive : Embedded
257 C:\Program Files\Microsoft Office\Templates\1033\Products And Services Overview.pot = Archive : Embedded
258 C:\Program Files\Microsoft Office\Templates\1033\Professional Fax.dot = Archive : Embedded
259 C:\Program Files\Microsoft Office\Templates\1033\Professional Letter.dot = Archive : Embedded
260 C:\Program Files\Microsoft Office\Templates\1033\Professional Memo.dot = Archive : Embedded
261 C:\Program Files\Microsoft Office\Templates\1033\Professional Resume.dot = Archive : Embedded
262 C:\Program Files\Microsoft Office\Templates\1033\PROFMADR.DOT = Archive : Embedded
263 C:\Program Files\Microsoft Office\Templates\1033\PROFMFAX.DOT = Archive : Embedded
264 C:\Program Files\Microsoft Office\Templates\1033\PROFMLTR.DOT = Archive : Embedded
265 C:\Program Files\Microsoft Office\Templates\1033\Project Overview.pot = Archive : Embedded
266 C:\Program Files\Microsoft Office\Templates\1033\Recommending A Strategy.pot = Archive : Embedded
267 C:\Program Files\Microsoft Office\Templates\1033\Reporting Progress or Status.pot = Archive : Embedded
268 C:\Program Files\Microsoft Office\Templates\1033\Resume Wizard.wiz = Archive : Embedded
269 C:\Program Files\Microsoft Office\Templates\1033\Selling a Product or Service.pot = Archive : Embedded
270 C:\Program Files\Microsoft Office\Templates\1033\Selling Your Ideas.pot = Archive : Embedded
271 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Balance.pot = Archive : Embedded
272 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Blends.pot = Archive : Embedded
273 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Capsules.pot = Archive : Embedded
274 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Compass.pot = Archive : Embedded
275 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Crayons.pot = Archive : Embedded
276 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Curtain Call.pot = Archive : Embedded
277 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Digital Dots.pot = Archive : Embedded
278 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Edge.pot = Archive : Embedded
279 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Fading Grid.pot = Archive : Embedded
280 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Fireworks.pot = Archive : Embedded
281 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Glass Layers.pot = Archive : Embedded
282 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Globe.pot = Archive : Embedded
283 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Kimono.pot = Archive : Embedded
284 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Maple.pot = Archive : Embedded
285 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Mountain Top.pot = Archive : Embedded
286 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Network.pot = Archive : Embedded
287 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Ocean.pot = Archive : Embedded
288 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Pixel.pot = Archive : Embedded
289 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Profile.pot = Archive : Embedded
290 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Proposal.pot = Archive : Embedded
291 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Slit.pot = Archive : Embedded
292 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Stream.pot = Archive : Embedded
293 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Textured.pot = Archive : Embedded
294 C:\Program Files\Microsoft Office\Templates\Presentation Designs\Watermark.pot = Archive : Embedded
295 C:\Program Files\Norton AntiVirus\Quarantine\12AB0CF2.hta = Infected : Trojan-Downloader.VBS.Inor.cj
296 C:\Program Files\Norton AntiVirus\Quarantine\1B2E2283.exe = Infected : Trojan.Win32.StartPage.it
297 C:\Program Files\Norton AntiVirus\Quarantine\1B3F7471.htm = Infected : Exploit.HTML.Mht
298 C:\Program Files\Norton AntiVirus\Quarantine\268604A0.exe = Infected : Trojan-Dropper.Win32.Small.wv
299 C:\Program Files\Norton AntiVirus\Quarantine\26A264D5.hta = Infected : Trojan-Downloader.VBS.Inor.cj
300 C:\Program Files\Norton AntiVirus\Quarantine\26A50ED1.hta = Infected : Trojan-Downloader.VBS.Inor.cj
301 C:\Program Files\Norton AntiVirus\Quarantine\26A838CE.hta = Infected : Trojan-Downloader.VBS.Inor.cj
302 C:\Program Files\Norton AntiVirus\Quarantine\292D7EC2.htm = Infected : Exploit.HTML.Mht
303 C:\Program Files\Norton AntiVirus\Quarantine\2AF93B8D.hta = Infected : Trojan-Downloader.VBS.Inor.cj
304 C:\Program Files\Norton AntiVirus\Quarantine\2ED10E6E.exe = Infected : Trojan-Downloader.Win32.Agent.am
305 C:\Program Files\Norton AntiVirus\Quarantine\3F996A9C.htm = Infected : Exploit.HTML.Mht
306 C:\Program Files\Norton AntiVirus\Quarantine\40D35D72.hta = Infected : Trojan-Downloader.VBS.Inor.cj
307 C:\Program Files\Norton AntiVirus\Quarantine\40D7076F.hta = Infected : Trojan-Downloader.VBS.Inor.cj
308 C:\Program Files\Norton AntiVirus\Quarantine\40F0098B.exe = Infected : Trojan-Downloader.Win32.Small.aou
309 C:\Program Files\Norton AntiVirus\Quarantine\4F3433A0.htm = Infected : Exploit.HTML.Mht
310 C:\Program Files\Norton AntiVirus\Quarantine\539A023D.htm = Infected : Exploit.HTML.Mht
311 C:\Program Files\Norton AntiVirus\Quarantine\54761EB2.htm = Infected : Exploit.HTML.Mht
312 C:\Program Files\Norton AntiVirus\Quarantine\61B45C20.htm = Suspicion : Exploit.HTML.Mht
313 C:\Program Files\Norton AntiVirus\Quarantine\67E060B7.hta = Infected : Trojan-Downloader.VBS.Inor.cj
314 C:\Program Files\Norton AntiVirus\Quarantine\725B07D1.exe = Infected : Trojan.Win32.StartPage.ag
315 C:\Program Files\Norton AntiVirus\Quarantine\7D930F6B.hta = Infected : Trojan-Downloader.VBS.Inor.cj
316 C:\WINDOWS\Downloaded Installations\{32CD4CE7-F36D-490E-BA62-61D62D2FCBD3}\SpyBouncer.msi = Archive : Embedded
317 C:\WINDOWS\Downloaded Installations\{628E8630-7947-49EA-BE90-7F8BFF77A79C}\iTunes.msi = Archive : Embedded
318 C:\WINDOWS\Downloaded Installations\{8A232810-B5F1-48DD-A63D-B439D7680D94}\iTunes.msi = Archive : Embedded
319 C:\WINDOWS\Downloaded Installations\{DD65880B-0030-4FED-90EF-4420BB7AF96C}\iTunes.msi = Archive : Embedded
320 C:\WINDOWS\Installer\11d21b4.msi = Archive : Embedded
321 C:\WINDOWS\Installer\199f592.msi = Archive : Embedded
322 C:\WINDOWS\Installer\1eb5ee8.msi = Archive : Embedded
323 C:\WINDOWS\Installer\22363d.msi = Archive : Embedded
324 C:\WINDOWS\Installer\39c0b.msi = Archive : Embedded
325 C:\WINDOWS\Installer\39c0f.msi = Archive : Embedded
326 C:\WINDOWS\Installer\39c17.msi = Archive : Embedded
327 C:\WINDOWS\Installer\9c471b.msi = Archive : Embedded
328 C:\WINDOWS\Installer\a68b6.msi = Archive : Embedded
329 C:\WINDOWS\Installer\decaad.msi = Archive : Embedded
330 C:\WINDOWS\ShellNew\PWRPNT10.POT = Archive : Embedded
331 C:\WINDOWS\ShellNew\WINWORD8.DOC = Archive : Embedded
332 C:\WINDOWS\system32\browselc.dll = Archive : Embedded HTML
333 C:\WINDOWS\system32\hhk.dll = Infected : Trojan-Clicker.Win32.Agent.dj
334 C:\WINDOWS\system32\mshtmler.dll = Archive : Embedded HTML
335 C:\WINDOWS\system32\shdoclc.dll = Archive : Embedded HTML
336 C:\WINDOWS\system32\webfldrs.msi = Archive : Embedded
337 C:\WINDOWS\system32\Com\comempty.dat = Archive : Embedded
338 C:\WINDOWS\system32\config\systemprofile\Templates\winword.doc = Archive : Embedded
339 C:\WINDOWS\system32\dllcache\browselc.dll = Archive : Embedded HTML
340 C:\WINDOWS\system32\dllcache\mshtmler.dll = Archive : Embedded HTML
341 C:\WINDOWS\system32\dllcache\shdoclc.dll = Archive : Embedded HTML


=== End of Log ===





Here's the HJT log


Logfile of HijackThis v1.99.1
Scan saved at 7:55:35 PM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom Hangge\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Thanks.

#4 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 31 May 2005 - 04:30 AM

Can you post the results of the Ewido Scan please!!!

I will have a look when I get in from work!

#5 perplexed22

  • Topic Starter
  • Members
  • 98 posts
  • OFFLINE
  • Local time:04:18 AM

Posted 31 May 2005 - 04:19 PM

sorry.. it never said to post the ewido log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:18:10 PM, 5/30/2005
+ Report-Checksum: 38289486

+ Date of database: 5/30/2005
+ Version of scan engine: v3.0

+ Duration: 100 min
+ Scanned Files: 61052
+ Speed: 10.10 Files/Second
+ Infected files: 58
+ Removed files: 58
+ Files put in quarantine: 58
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\A\Cookies\a@dcsew60m1oifwznbkznc6j9ix_5x7j[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\N\Cookies\n@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\N\Cookies\n@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\P\Local Settings\Temp\tmp2.tmp -> TrojanDownloader.Murlo.w -> Cleaned with backup
C:\Documents and Settings\T\Application Data\Webroot\Spy Sweeper\Backup\Startup\Paint.exe.bak -> TrojanDownloader.Agent.am -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@75397623[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ads.180solutions[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@bfast[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@data.coremetrics[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@dcsd1d1i82ag4x7wqyv973xe3_1z4t[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ehg-talbots.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ehg.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@free.aol[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@linksynergy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@S140421[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@S154742[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@www.shopathomeselect[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Local Settings\Temp\Del7.tmp -> Spyware.180solutions -> Cleaned with backup
C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\4DQFG5EF\nem220[1].dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\W1YZ0HQV\MediaAccC[1].dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\W9QNGDI7\MediaAccess[1].exe -> Spyware.WinAD.am -> Cleaned with backup
C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\W9QNGDI7\MediaAccK[1].exe -> Spyware.WinAD -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050507-153747-487.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
C:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\Program Files\Media Access\MediaAccK.exe -> Spyware.WinAD -> Cleaned with backup
C:\temp\EDow.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\temp\EDowPack.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\temp\salmhook.dll -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\70tovmto.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
C:\WINDOWS\system32\AWM226.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\ehesrcht.exe -> TrojanDropper.Agent.ka -> Cleaned with backup
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\system32\q17i9a4j.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\system32\wpnpontr.dll -> Backdoor.Srvlite -> Cleaned with backup
C:\WINDOWS\system32\ѕеrvices.exe -> Spyware.PurityScan.aa -> Cleaned with backup


::Report End

#6 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 01 June 2005 - 06:13 AM

OK... things are looking better... is the PC acting any better?

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

R3 - Default URLSearchHook is missing

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Locate and Delete

C:\WINDOWS\Downloaded Installations\{32CD4CE7-F36D-490E-BA62-61D62D2FCBD3}

C:\WINDOWS\system32\hhk.dll

CleanUp! 4.0
http://downloads.stevengould.org/cleanup/CleanUp40.exe

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "Yes" to Logoff!

This will clean out all loose and unneeded Temp files!

Since it looks like you have scanned once before at the Panda Site... Please Scan again and Save the Report and Post it back here with a fresh HijackThis log!

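The three entries Cretemonster singled out above (a Local Page pointing at an unknown host, the missing default URLSearchHook, and a button whose target file is gone) are the classes an analyst checks first in a HijackThis log. This added example, which is not code from the thread or from HijackThis, parses those line formats and flags them; the allow-list of expected hosts and the abridged sample log are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the owner is known to use for browser start/local pages.
# Constructed allow-list for this example (assumption, not from HijackThis).
EXPECTED_HOSTS = {"www.comcast.net"}

# Abridged log constructed from the entries posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O23)
# followed by " - "; header lines and the running-process list do not.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "R0"
    reason: str    # why an analyst should look at the entry
    line: str      # the original log line


def parse_entries(log_text):
    """Return (code, body, line) for each entry line; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def triage(log_text, expected_hosts=EXPECTED_HOSTS):
    """Flag the three entry classes the helper acted on in this thread."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code in ("R0", "R1"):
            # R0/R1 are the IE start, search and local page registry values;
            # a host the owner never chose is the classic start-page hijack.
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            if host and host not in expected_hosts:
                findings.append(Finding(code, f"browser page setting points at unexpected host {host}", line))
        elif code == "R3" and "is missing" in body:
            # The default URLSearchHook is normally present; hijackers remove or replace it.
            findings.append(Finding(code, "default URLSearchHook is missing", line))
        elif "(file missing)" in body:
            # Startup or button entries whose target is gone are leftovers of removed software.
            findings.append(Finding(code, "entry references a file that no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```
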
#7 perplexed22

  • Topic Starter
  • Members
  • 98 posts
  • OFFLINE

Posted 03 June 2005 - 06:11 PM

Here's the Panda ActiveScan log


Incident Status Location

Adware:Adware/Ucmore No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\WINDOWS\System32\ap2nqrd4.dat
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Internet Optimizer
Spyware:Spyware/DynaDesk No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/BrowserAid No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\ritsacnk.dat
Adware:Adware/SafeSearch No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\TOMHAN~1\LOCALS~1\Temp\cfout.txt
Adware:Adware/FavoriteMan No disinfected Windows Registry
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\System32\a.exe
Adware:Adware/VirtualBouncer No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/SideStep No disinfected Windows Registry
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\Program Files\Q330994.exe
Spyware:Spyware/Whazit No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys???.exe
Adware:Adware/Gogotools No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\T\Favorites\Network Security.url
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\T\Favorites\Network Security.url
Adware:Adware/WUpd No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\3YWCYURN\Loco%20Lyrics[1].htm
Adware:Adware/WinAD No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\EL4XYL4L\bridge-c8[1].cab
Adware:Adware/WinAD No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\EL4XYL4L\bridge-c8[1].cab[MediaAccX.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\EL4XYL4L\The_Upside_Of_Being_Down[1].htm
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\G1Q3OHE3\CAQJS5M7.HTM
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\M92R0PIB\c-note-tell-me-where-it-hurts-lyrics[1].htm
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\MKZWDHDI\phil-vassar-six-pack-summer-lyrics[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\W1YZ0HQV\blame-it-on-mama-lyrics[1].htm
Adware:Adware/SuperSpider No disinfected C:\m.exe
Adware:Adware/SuperSpider No disinfected C:\mssys.com
Adware:Adware/SuperSpider No disinfected C:\Program Files\q330994.exe
Adware:Adware/SuperSpider No disinfected C:\q250204.exe
Adware:Adware/Popuper No disinfected C:\RECYCLER\S-1-5-21-1292428093-688789844-1060284298-1004\Dc72.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/KeenValue No disinfected C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\cvchost.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msstasks.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mssys.com
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mstaskss.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\rocky.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\runwin32.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system\wmscrop.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\a.exe
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\ap9h4qmo.ini
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\system32\bridge.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\d2kpax.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\d2kpax.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\jac.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\mcc.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\msxslab.dll
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\q17i9a4j.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\services
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\wininet32.exe
Adware:Adware/SuperSpider No disinfected C:\winspec.dat

and the HJT log



Logfile of HijackThis v1.99.1
Scan saved at 6:10:47 PM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom Hangge\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



The computer seems to be working better now, but is there still something on it?

Edited by perplexed22, 03 June 2005 - 06:11 PM.


#8 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 03 June 2005 - 08:01 PM

Wow, that's a list of Infected files!!!

Are you using your Wireless Connection on this PC??

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

AdawareSE 1.06
http://www.bleepingcomputer.com/forums/ind...showtutorial=48

The link will tell you how to Install>Update>Configure and Scan!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Once in Safe Mode, open a blank Notepad page and copy & paste the list below into it

C:\m.exe
C:\mssys.com
C:\q250204.exe
C:\winspec.dat
C:\WINDOWS\wt
C:\WINDOWS\alchem.ini
C:\WINDOWS\browserxtras\pn\remove.exe
C:\WINDOWS\browserxtras\pn
C:\WINDOWS\browserxtras
C:\WINDOWS\cvchost.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\ap2nqrd4.dat
C:\WINDOWS\system32\ap9h4qmo.ini
C:\WINDOWS\system32\baur5s9q.dat
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.exe
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\mcc.exe
C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\perfcii.ini
C:\WINDOWS\system32\q10pvbrv.dat
C:\WINDOWS\system32\q17i9a4j.ini
C:\WINDOWS\system32\ritsacnk.dat
C:\WINDOWS\system32\services
C:\Documents and Settings\T\Favorites\Network Security.url
C:\Program Files\Internet Optimizer
C:\Program Files\Q330994.exe


Once copied to Notepad>>highlight the list of files>>right click and select Copy!

Open Pocket Killbox>>click File>>click Paste to Clipboard!

You should now see the first file in the list, and if you click the down arrow you should see the entire list!

If not, you will have to enter them one at a time and follow the instructions below!

Once the files are entered, please place a tick by any of these available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Once those are ticked, click the Red Circle with the White X in the middle to Delete!!

Repeat until all files have been deleted!

If you get to a file that Killbox won't delete, write the name and path down and go on to the next file!

Scan with Ad-Aware and delete all it finds and remove all Quarantine files!

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

C:\Temp

C:\Windows\Temp

C:\Windows\System32\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\<Your Profile>\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp

Empty your "Recycle Bin"

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning!!)

Once the first pass is complete, if you have any files in Killbox that wouldn't delete, paste them back into Killbox and select

"Delete on Reboot"

If more than 1 file

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot

If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Restart Normal and Scan with Panda again to be sure all bugs are gone!

Edited by Cretemonster, 03 June 2005 - 08:03 PM.
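The "Delete on Reboot" step above, and the PendingFileRenameOperations message Cretemonster warns about, both refer to one Windows mechanism: a REG_MULTI_SZ value under the Session Manager key that lists (source, destination) pairs, which smss.exe carries out at the next boot before the files are locked by anything. An empty destination means delete; a destination prefixed with "!" means replace the existing target. The script below is an added example, not code from the thread or from Pocket KillBox: it builds such a value for a list of files and decodes one back into the operations an incident responder would want to see queued. The registry path and value name are real; the bytes it works on are constructed in the demo rather than read from a live registry.

```python
"""Build and decode the Session Manager PendingFileRenameOperations value.

Added example. Pocket KillBox's "Delete on Reboot" relies on the same
mechanism as MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT): a REG_MULTI_SZ
list of (source, destination) pairs that smss.exe processes at boot.
An empty destination means "delete"; a leading '!' on the destination
means "replace the existing target". Input bytes here are constructed.
"""

REG_PATH = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def nt_path(win_path: str) -> str:
    """Entries use the NT object-manager form, e.g. \\??\\C:\\WINDOWS\\rocky.exe."""
    return "\\??\\" + win_path


def encode_multi_sz(strings):
    """REG_MULTI_SZ: each string NUL-terminated (UTF-16LE), then one extra NUL.

    Empty members are kept in place: a pending delete is encoded as an empty
    destination, and smss parses the buffer by its length rather than stopping
    at the first double NUL, which is why this works even though MULTI_SZ
    normally forbids empty strings.
    """
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def decode_multi_sz(raw: bytes):
    """Inverse of encode_multi_sz, preserving empty members."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing MULTI_SZ terminator")
    parts = text[:-1].split("\0")  # drop the final terminator, then split
    return parts[:-1]              # drop the empty piece after the last NUL


def build_pending_deletes(win_paths):
    """Raw value that queues the given files for deletion at next boot."""
    entries = []
    for p in win_paths:
        entries.extend([nt_path(p), ""])
    return encode_multi_sz(entries)


def parse_pending_ops(raw: bytes):
    """(action, source, destination) triples queued in a raw value."""
    parts = decode_multi_sz(raw)
    if len(parts) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


if __name__ == "__main__":
    # Two of the paths from the Killbox list above, queued for delete-on-reboot.
    raw = build_pending_deletes([r"C:\WINDOWS\rocky.exe",
                                 r"C:\WINDOWS\system32\bridge.dll"])
    print(f"{REG_PATH}\\{VALUE_NAME} = {raw!r}")
    for op in parse_pending_ops(raw):
        print(op)
```

Reading this value on a machine under investigation (regedit, or `reg query` on the key above) shows what any tool, legitimate or not, has scheduled to happen at the next boot; a cleared value is what produces the "removed by external process" message the post mentions.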


#9 perplexed22

Posted 06 June 2005 - 04:20 PM

Well I'm not sure what you need..

1. I'm not using a wireless connection. It's broadband cable.

2. Here's the Panda Scan stuff-


Incident Status Location

Virus:Trj/Downloader.DAI Disinfected Operating system
Adware:Adware/Ucmore No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\SahImages
Adware:Adware/SafeSearch No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\T\Favorites\Network Security.url
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\T\\Favorites\Network Security.url
Adware:Adware/WUpd No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\3YWCYURN\Loco%20Lyrics[1].htm
Adware:Adware/WinAD No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\EL4XYL4L\bridge-c8[1].cab
Adware:Adware/WinAD No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\EL4XYL4L\bridge-c8[1].cab[MediaAccX.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\EL4XYL4L\The_Upside_Of_Being_Down[1].htm
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\G1Q3OHE3\CAQJS5M7.HTM
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\MKZWDHDI\phil-vassar-six-pack-summer-lyrics[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\T\Local Settings\Temporary Internet Files\Content.IE5\W1YZ0HQV\blame-it-on-mama-lyrics[1].htm
Adware:Adware/Popuper No disinfected C:\RECYCLER\S-1-5-21-1292428093-688789844-1060284298-1004\Dc72.dll

3. and here's a HJT log incase you want it

Logfile of HijackThis v1.99.1
Scan saved at 4:20:05 PM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom Hangge\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe




Sorry this is so late. I've been very busy these past few days. The computer is working better though now.

Thanks.

#10 Guest_Cretemonster_*

Posted 06 June 2005 - 05:25 PM

I am not so convinced there isn't a hidden downloader in the system somewhere; it appears you are still picking up infections!

I need you to run 2 scans for a specific type of infection and lets see what those show us!

Please Download F-Secure Blacklight:
http://www.f-secure.com/blacklight/try.shtml

Once at the page,Click "I Accept">>Then Click "Download"!

Once Downloaded,Double Click blbeta.exe to Start it,then Click "I accept the agreement" and click "Next"!

Now click "Scan" and let it do its thing. If it finds anything you will be prompted to "Rename">>Please do not rename these files, just save the report and write down any file names it returns!

If all went well,look back in the folder that blbeta.exe resides in,there you should see "fsbl.log"

If Blacklight identified anything,it will be in that log,I will need to see those Results!

Please download RKFiles.zip and unzip it to its own permanent folder.
http://skads.org/special/rkfiles.zip

Restart in Safe Mode!

Once in Safe Mode,Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take quite a while so please be patient!

Wait until the DOS window closes!

Now Click Start>>Click Search>>Select All Files and Folders>Select Advanced Options>>Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders


Now under All Files and Folders,enter this into the text box:

msmsgs.exe

Please write down whatever returns you get and post them back here!

Restart in Normal Mode and Locate C:\log.txt and fsbl.log

Update Ewido and Scan the System and Save the Report!

Post both logs I asked for>>The log from Ewido and a Fresh HijackThis log!

#11 perplexed22

Posted 12 June 2005 - 08:24 PM

Here's the first scan..

06/12/05 20:21:08 [Info]: *** F-Secure BlackLight Beta 1.5.1002 started
06/12/05 20:21:08 [Info]: OS version: 5.1 build 2600 (Service Pack 1)
06/12/05 20:21:23 [Info]: User initiated system scan
06/12/05 20:21:23 [Info]: Process scan started
06/12/05 20:21:24 [Info]: Process scan done
06/12/05 20:21:24 [Info]: Filesystem scan started
06/12/05 20:21:24 [Info]: Filesystem scan engine version: 1.7 (build 1008)
06/12/05 20:21:24 [Note]: Running normal mode scan
06/12/05 20:22:17 [Info]: Filesystem scan completed


Then...

C:\Documents and Settings\T\My Documents\Desktop Fixers\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\msmsgs.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
Bye


and...


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:28:30 PM, 6/12/2005
+ Report-Checksum: 55AA31D2

+ Date of database: 6/13/2005
+ Version of scan engine: v3.0

+ Duration: 77 min
+ Scanned Files: 49342
+ Speed: 10.54 Files/Second
+ Infected files: 30
+ Removed files: 30
+ Files put in quarantine: 30
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\T\Cookies\t@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@77618526[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ar.atwola[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@cgi-bin[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ehg-brooksbrothers.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ehg-chicos.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@secure.ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@twci.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@www.burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\lo931380282.exe -> TrojanDownloader.Zlob.n -> Cleaned with backup
C:\WINDOWS\msi.exe -> Backdoor.IRCBot.bm -> Cleaned with backup
C:\WINDOWS\system32\msmsgs.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup


::Report End


then there's this..


Logfile of HijackThis v1.99.1
Scan saved at 11:36:50 PM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom Hangge\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe





and then this is what was found when I searched for msmsgs.exe--

MSMSGS.EXE-124D63BE.p

msmsgs.exe




I hope that's everything.. I'm really sorry I'm not posting as quickly as I should. I sort of forgot about it, but I will be on top of it until this is over.

Thanks.

Edited by perplexed22, 12 June 2005 - 11:38 PM.
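The rkfiles.bat output in the post above is a packer-stub sweep: it walks the Windows folders and prints, next to each file, any packer signature string it finds ("UPX!", "FSG!"). The script below is an added example, not rkfiles itself and not code from the thread. It does the same sweep over a directory tree and adds the check the msmsgs.exe search in post #10 was really after: the genuine Windows Messenger msmsgs.exe is installed under Program Files\Messenger, so a copy in system32 (the one ewido identified above as TrojanDownloader.Zlob.G) deserves attention whatever its bytes look like. The EXPECTED_DIRS table is an assumed illustration with that one entry, and the files it scans in the demo are constructed in a temporary directory.

```python
"""Packer-stub and location triage over a directory tree (added example).

Mirrors what rkfiles.bat printed above: each file is tagged with the packer
marker found in it (UPX!, FSG!). On top of that, files whose name matches a
commonly impersonated Windows binary are flagged when they sit outside the
directory the genuine copy lives in. Sample files below are constructed.
"""
import os
import posixpath
import tempfile
from dataclasses import dataclass, field

# Packer stub strings the rkfiles output keyed on. Packing alone is not proof
# of malice: plenty of legitimate software ships UPX-packed.
PACKER_MARKERS = (b"UPX!", b"FSG!")

# Assumed illustrative table: where the genuine copy of an often-impersonated
# binary is installed. Compared case-insensitively with '/' separators.
EXPECTED_DIRS = {
    "msmsgs.exe": ("c:/program files/messenger",),
}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def _norm(path: str) -> str:
    """Fold case and separators so Windows paths compare the same on any host."""
    return path.replace("\\", "/").lower()


def packer_marker(data: bytes):
    """First packer stub string present in the bytes, or None."""
    for m in PACKER_MARKERS:
        if m in data:
            return m.decode()
    return None


def classify(path: str, data: bytes) -> Finding:
    """Reasons to look harder at one file, from its content and its location."""
    n = _norm(path)
    name, parent = posixpath.basename(n), posixpath.dirname(n)
    f = Finding(path)
    m = packer_marker(data)
    if m:
        kind = "PE" if data[:2] == b"MZ" else "non-PE"
        f.reasons.append(f"{m} packer stub in {kind} file")
    expected = EXPECTED_DIRS.get(name)
    if expected and parent not in expected:
        f.reasons.append(f"{name} outside {expected[0]}")
    return f


def scan_tree(root: str):
    """Walk root the way rkfiles.bat walks the Windows folders; return flagged files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                with open(p, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)  # packer stubs sit near the start
            except OSError:
                continue
            f = classify(p, data)
            if f.reasons:
                findings.append(f)
    return findings


def basenames(findings):
    """Sorted file names of the findings, for quick comparison."""
    return sorted(os.path.basename(f.path) for f in findings)


def build_sample_tree() -> str:
    """Constructed sample files echoing the thread's hits; returns the root dir."""
    root = tempfile.mkdtemp(prefix="rkfiles_demo_")
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    samples = {
        os.path.join(root, "tsc.exe"): b"MZ" + b"\0" * 62 + b"UPX!" + b"\0" * 32,
        os.path.join(sys32, "msmsgs.exe"): b"MZ" + b"\0" * 62 + b"FSG!" + b"\0" * 32,
        os.path.join(sys32, "notepad.exe"): b"MZ" + b"\0" * 96,
        os.path.join(root, "readme.txt"): b"just text\n",
    }
    for p, data in samples.items():
        with open(p, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f.path, "->", "; ".join(f.reasons))
```

As with the rkfiles output, a hit is a reason to submit the file to a scanner or look at its signer and version information, not a verdict; the location check is what separates the Zlob copy of msmsgs.exe from the real one when both are packed or both look clean.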


#12 Guest_Cretemonster_*

Posted 15 June 2005 - 03:27 AM

OK, I am finally home for a while now. I apologize for all the delays!

Can you still locate the MSMSGS.EXE-124D63BE.p file and have it scanned here
http://www.kaspersky.com/scanforvirus

Also, run another scan with Ewido and let's see what it picks up this time!

Go ahead and Install these 2 little programs to add a bit of security to your browsing!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

IE Spyad:
http://www.bleepingcomputer.com/forums/ind...showtutorial=53
There is a direct download inside and great tutorial also!

Post back with any Info on how the PC is running and the results from Ewido and a fresh HijackThis log!

#13 perplexed22

Posted 15 June 2005 - 07:34 PM

Well MSMSGS.EXE-124D63BE.p wasn't found on my computer anymore.. I even simplified it to msmsgs.exe and nothing showed up still.

The computer is running a lot better than before and I don't think that initial symptom happened again actually.. but anyway, it works well.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:49:35 PM, 6/15/2005
+ Report-Checksum: AD9DFEE6

+ Date of database: 6/16/2005
+ Version of scan engine: v3.0

+ Duration: 62 min
+ Scanned Files: 50272
+ Speed: 13.32 Files/Second
+ Infected files: 16
+ Removed files: 15
+ Files put in quarantine: 15
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\T\Cookies\t@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@advertising[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\T\Cookies\t@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@c1.zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ehg-bestbuy.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@ehg-talbots.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\T\Cookies\t@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 8:52:58 PM, on 6/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom Hangge\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by perplexed22, 15 June 2005 - 08:54 PM.


#14 Guest_Cretemonster_*

Posted 16 June 2005 - 03:19 AM

Everything is looking peachy!!!!

Disable System Restore
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

Restart the PC and Create a New Restore Point:

To create a new System Restore Point in Windows XP Home Edition, click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point (for instance, "Before Installing Office XP"), and click Create. The utility will then take a snapshot of your system so that you can restore to that point sometime in the future.

Now Get Windows Updated to SP2:
http://windowsupdate.microsoft.com/

I think we can call it a clean machine now!

#15 perplexed22

Posted 17 June 2005 - 09:13 PM

Disable System Restore
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

This site won't work, something about it not being found.

Edited by perplexed22, 17 June 2005 - 09:16 PM.




