AV Gold and possibly more


This topic is locked
4 replies to this topic

#1 MusicMan1

Posted 09 July 2005 - 04:04 PM

Please help me ... my computer's been taken over.

Also, will this clean up affect ALL the users, or will I have to do this for each user?

Thank you so much. :thumbsup:



Logfile of HijackThis v1.99.1
Scan saved at 2:30:54 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\mswz32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\Copy of HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iiteo.dll/sp.html#36663
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xszen.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xszen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xszen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xszen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iiteo.dll/sp.html#36663
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xszen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EA8BEFE9-0B89-2CDB-DFC7-BE42880CF0F3} - C:\WINDOWS\sdksa32.dll
O2 - BHO: Class - {F4FFB405-D2D9-F737-1B6D-FF0CD9DC8744} - C:\WINDOWS\system32\msww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Instant Messenger] MSGINAV.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [winls.exe] C:\WINDOWS\system32\winls.exe
O4 - HKLM\..\Run: [mswz32.exe] C:\WINDOWS\system32\mswz32.exe
O4 - HKLM\..\Run: [atlij.exe] C:\WINDOWS\system32\atlij.exe
O4 - HKLM\..\Run: [javaej32.exe] C:\WINDOWS\system32\javaej32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [ipvz32.exe] C:\WINDOWS\ipvz32.exe
O4 - HKLM\..\RunOnce: [addqn32.exe] C:\WINDOWS\system32\addqn32.exe
O4 - HKLM\..\RunOnce: [addnc.exe] C:\WINDOWS\addnc.exe
O4 - HKLM\..\RunOnce: [atlws32.exe] C:\WINDOWS\system32\atlws32.exe
O4 - HKLM\..\RunOnce: [apigw32.exe] C:\WINDOWS\system32\apigw32.exe
O4 - HKLM\..\RunOnce: [javacl32.exe] C:\WINDOWS\system32\javacl32.exe
O4 - HKLM\..\RunOnce: [winfv32.exe] C:\WINDOWS\winfv32.exe
O4 - HKLM\..\RunOnce: [ipet32.exe] C:\WINDOWS\system32\ipet32.exe
O4 - HKLM\..\RunOnce: [cryo32.exe] C:\WINDOWS\system32\cryo32.exe
O4 - HKLM\..\RunOnce: [javalp.exe] C:\WINDOWS\javalp.exe
O4 - HKLM\..\RunOnce: [addko.exe] C:\WINDOWS\system32\addko.exe
O4 - HKLM\..\RunOnce: [ntdy32.exe] C:\WINDOWS\system32\ntdy32.exe
O4 - HKLM\..\RunOnce: [sdkcu32.exe] C:\WINDOWS\sdkcu32.exe
O4 - HKLM\..\RunOnce: [javatb32.exe] C:\WINDOWS\javatb32.exe
O4 - HKLM\..\RunOnce: [ielx32.exe] C:\WINDOWS\system32\ielx32.exe
O4 - HKLM\..\RunOnce: [ntqr32.exe] C:\WINDOWS\system32\ntqr32.exe
O4 - HKLM\..\RunOnce: [apikt.exe] C:\WINDOWS\apikt.exe
O4 - HKLM\..\RunOnce: [sysxv.exe] C:\WINDOWS\sysxv.exe
O4 - HKLM\..\RunOnce: [crnf32.exe] C:\WINDOWS\system32\crnf32.exe
O4 - HKLM\..\RunOnce: [winyb32.exe] C:\WINDOWS\winyb32.exe
O4 - HKLM\..\RunOnce: [appvf.exe] C:\WINDOWS\appvf.exe
O4 - HKLM\..\RunOnce: [appzn.exe] C:\WINDOWS\system32\appzn.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [sdkuz32.exe] C:\WINDOWS\system32\sdkuz32.exe
O4 - HKLM\..\RunOnce: [iefv.exe] C:\WINDOWS\iefv.exe
O4 - HKLM\..\RunOnce: [netro.exe] C:\WINDOWS\system32\netro.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexpl.exe en
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvtr.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp...23/cpbrkpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


#2 miekiemoes (Malware Response Team)

Posted 11 July 2005 - 07:35 AM

Hello,

Your HijackThis log isn't complete, because I'm missing a lot of running processes at the top, unless you modified it yourself and deleted them out of your log.
Please don't do this next time, because it is confusing.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

First of all, I want you to download and install another browser, because for the moment I strongly suggest NOT using Internet Explorer: every time you open it, new malware is getting downloaded.
So, I want you to use Firefox instead to browse the web.
When your system is clean again, you can use your IE again.
Here you can download Firefox: http://www.mozilla.org/products/firefox/

* Uninstall via add/remove next programs:

WildTangent
Viewpoint (Viewpoint Manager)
PSD Tools


REBOOT

* Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download CWShredder. Don't let it run yet!

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

* Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


Open Notepad and copy and paste the next bold text into it:
(do not forget to copy and paste REGEDIT4 in it!)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


Save this as fix.reg, choose to save as *all files, and place it on your desktop.

We also need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Next, please reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
* Instead of Windows loading as normal, a menu should appear.
* Select the first option, to run Windows in Safe Mode.

Double-click on fix.reg you made before and when it asks you if you want to add the contents to the registry, click yes/ok.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iiteo.dll/sp.html#36663
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xszen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xszen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xszen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xszen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iiteo.dll/sp.html#36663
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xszen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EA8BEFE9-0B89-2CDB-DFC7-BE42880CF0F3} - C:\WINDOWS\sdksa32.dll
O2 - BHO: Class - {F4FFB405-D2D9-F737-1B6D-FF0CD9DC8744} - C:\WINDOWS\system32\msww.dll
O4 - HKLM\..\Run: [AOL Instant Messenger] MSGINAV.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [winls.exe] C:\WINDOWS\system32\winls.exe
O4 - HKLM\..\Run: [mswz32.exe] C:\WINDOWS\system32\mswz32.exe
O4 - HKLM\..\Run: [atlij.exe] C:\WINDOWS\system32\atlij.exe
O4 - HKLM\..\Run: [javaej32.exe] C:\WINDOWS\system32\javaej32.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexpl.exe en
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvtr.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe


* Click on Fix Checked when finished and exit HijackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

*Go to start >run and type: services.msc and click OK
Scroll down in that list and look if the following services are present:

Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service


Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

* Start AboutBuster and let it scan. When the scan is done and you choose Exit, it will automatically create a log in the same folder AboutBuster is in.

* Start CWShredder and click Fix.

* Double-click on HSfix, which you downloaded earlier and which is on your desktop, and when it asks you if you want to add the contents to the registry, click yes/ok.

* Still in safe mode, run CCleaner and click Run Cleaner (bottom right).

Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis log, the log smitfiles.txt (which you will find on your C:\), the log from AboutBuster (which you will find in the AboutBuster folder) and the Ewido log, by using Add Reply.
Let us know if any problems persist.

It is possible that, after the reboot, your system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > tab Appearance and choose Windows XP style under Windows and buttons.
Click Apply and OK.

Edited by miekiemoes, 11 July 2005 - 07:36 AM.

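The helper's checklist above separates the attacker-planted autostart entries from the legitimate ones by eye. The script below is an added example, not from this thread or from HijackThis, that applies the same criteria mechanically to lines in the HijackThis log format: it flags search settings pointing at a res://...dll/sp.html# page, autostart entries whose value name is just a short random file name dropped straight into C:\WINDOWS or system32 (or that name no executable at all), and shows which RunOnce entries the blanket key deletion in fix.reg would take with it even though they look legitimate. The sample lines are copied from the log posted in this thread; the naming heuristics are assumptions drawn from that log, not a general signature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: records copied from the HijackThis v1.99.1 log
# posted in this thread, trimmed to a handful of lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iiteo.dll/sp.html#36663
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mswz32.exe] C:\WINDOWS\system32\mswz32.exe
O4 - HKLM\..\Run: [javaej32.exe] C:\WINDOWS\system32\javaej32.exe
O4 - HKLM\..\RunOnce: [ipvz32.exe] C:\WINDOWS\ipvz32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
"""

# The two HijackThis record types the fix in this thread deals with:
# R0/R1 browser-setting lines and O4 Run/RunOnce autostart lines.
R_LINE = re.compile(r"^R[013] - (?P<key>[^,]+),(?P<value>[^=]*?) = (?P<data>.*)$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Heuristics (assumptions drawn from this thread's log, not a general rule):
#  - search/start pages redirected to a local DLL resource page
HIJACK_RES = re.compile(r"^res://.*\.dll/sp\.html#\d+", re.IGNORECASE)
#  - 2-7 random lowercase letters, optional "32", dropped into %WINDIR% or
#    system32, with the Run value name equal to the bare file name. Legit
#    entries such as [HotKeysCmds] hkcmd.exe also have short names, so the
#    value-name test is what keeps them out of the suspicious bucket.
RANDOM_EXE = re.compile(r"^[a-z]{2,7}(32)?\.exe$")
DROP_DIRS = (r"c:\windows", r"c:\windows\system32")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run/RunOnce command line into (directory, exe name), lowercased.
    Quotes and trailing arguments are dropped. A line that names no .exe at all
    (the empty '[] c:\\WINDOWS\\System32\\' entry) yields ('<dir>', '')."""
    m = re.match(r'^"?(?P<path>.*?\.exe)"?(\s.*)?$', cmd.strip(), re.IGNORECASE)
    path = (m.group("path") if m else cmd.strip()).lower().rstrip("\\")
    directory, _, name = path.rpartition("\\")
    if not name.endswith(".exe"):
        return path, ""
    return directory, name


def triage(log_text: str) -> Dict[str, List[str]]:
    """Classify R0/R1 and O4 records from a HijackThis log into buckets."""
    report: Dict[str, List[str]] = {
        "hijacked_search": [],       # browser settings pointing at a res:// DLL
        "suspicious_autostart": [],  # random-named droppers / empty entries
        "runonce_entries": [],       # everything deleting the RunOnce key removes
        "runonce_collateral": [],    # RunOnce entries that do NOT look malicious
    }
    for line in log_text.splitlines():
        line = line.rstrip()
        r = R_LINE.match(line)
        if r:
            if HIJACK_RES.match(r.group("data").strip()):
                report["hijacked_search"].append(line)
            continue
        o = O4_LINE.match(line)
        if not o:
            continue
        name, cmd = o.group("name"), o.group("cmd")
        directory, exe = split_command(cmd)
        suspicious = (
            not exe  # no executable at all, e.g. a bare directory
            or (directory in DROP_DIRS
                and RANDOM_EXE.match(exe) is not None
                and name.lower() == exe)
        )
        if suspicious:
            report["suspicious_autostart"].append(line)
        if o.group("key").lower() == "runonce":
            report["runonce_entries"].append(line)
            if not suspicious:
                report["runonce_collateral"].append(line)
    return report


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(lines)})")
        for entry in lines:
            print("  " + entry)
```

The runonce_collateral bucket is the check worth doing before applying a key-wide deletion like the fix.reg above: anything listed there is removed along with the malware entries.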

#3 MusicMan1 (Topic Starter)

Posted 11 July 2005 - 07:30 PM

:thumbsup: Wow ... I think I've got it ...

I downloaded Firefox; I couldn't use it to run Panda though, so I used IE.

Things seem to be getting better. :0) Anything else I need to do to get the computer running perfectly?

Can I turn the Microsoft Anti-Spy back on? Why doesn't Norton appear in the lower left hand screen anymore?

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:34:32 AM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Megan M\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


smitfiles.txt:

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!

AboutBuster:
AboutBuster 5.0 reference file 30
Scan started on [7/11/2005] at [10:30:31 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\afcpl.dat:gzrtss
Removed Stream! C:\WINDOWS\ahlpn.log:zdwtsj
Removed Stream! C:\WINDOWS\Belt.ini:ayhrc
Removed Stream! C:\WINDOWS\blocklist.reg:rivbuz
Removed Stream! C:\WINDOWS\erzjq.log:qwtgy
Removed Stream! C:\WINDOWS\FaxSetup.log:dbfxf
Removed Stream! C:\WINDOWS\fserz.dat:svgsw
Removed Stream! C:\WINDOWS\KB823182.log:gqkibr
Removed Stream! C:\WINDOWS\KB824141.log:zrdnwc
Removed Stream! C:\WINDOWS\KB839643.log:ngqkq
Removed Stream! C:\WINDOWS\KB885835.log:oopkm
Removed Stream! C:\WINDOWS\OCGEN.LOG:qpryu
Removed Stream! C:\WINDOWS\OEWABLog.txt:oatvpl
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:ztwgeg
Removed Stream! C:\WINDOWS\Q331953.log:tffyn
Removed Stream! C:\WINDOWS\Q810565.log:mcqid
Removed Stream! C:\WINDOWS\Q811630.log:jbflr
Removed Stream! C:\WINDOWS\Q819696.log:mujdo
Removed Stream! C:\WINDOWS\sfpin.txt:lktxp
Removed Stream! C:\WINDOWS\TSOC.LOG:vfwppz
Removed Stream! C:\WINDOWS\VBADDIN.INI:nxhdrc
Removed Stream! C:\WINDOWS\Zapotec.bmp:skunx
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:abbrfs
------------------------------------------------
Removed File! : C:\Windows\eiync.dat
Removed File! : C:\Windows\jqllo.dat
Removed File! : C:\Windows\kbwhn.dat
Removed File! : C:\Windows\kghvl.dat
Removed File! : C:\Windows\nalgd.dat
Removed File! : C:\Windows\utkbd.dat
Removed File! : C:\Windows\System32\mzfry.dat
Removed File! : C:\Windows\System32\otvmq.dat
Removed File! : C:\Windows\System32\vobek.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:31:08 AM


Ewido Log:
How do I find it??


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Downloaded Program Files\VBouncerOuter*.exe
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Megan M\Application Data\Lycos
Adware:Adware/ISearch No disinfected C:\WINDOWS\downloaded program files\initial.inf
Adware:Adware/Coupons No disinfected Windows Registry
Virus:Trj/Downloader.CFJ Disinfected Operating system
Virus:Exploit/CodeBase.S No disinfected C:\abcxx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\abcxx.chm[htm2chm_explorer]
Virus:Exploit/CodeBase.S No disinfected C:\adwxx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\adwxx.chm[htm2chm_explorer]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mallory M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-446c19de-689290fe.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mallory M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-446c19de-689290fe.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mallory M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-446c19de-689290fe.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mallory M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-446c19de-689290fe.zip[Beyond.class]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Mallory M\Local Settings\Temp\Belt.ini
Adware:Adware/AdultLink No disinfected C:\Documents and Settings\Mallory M\Local Settings\Temporary Internet Files\QaBar.cab[QaBar.inf]
Adware:Adware/AdultLink No disinfected C:\Documents and Settings\Mallory M\Local Settings\Temporary Internet Files\QaBar.inf
Virus:Trj/Classloader.B Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\in_s.class-5ad938ae-4574cab6.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-37c61f32-1f865baf.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-37c61f32-1f865baf.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-37c61f32-1f865baf.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-3f8f4c-45de9d7c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-3f8f4c-45de9d7c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-3f8f4c-45de9d7c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4814db93-7cc00dee.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4814db93-7cc00dee.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4814db93-7cc00dee.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-789d877d-132ec364.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-789d877d-132ec364.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-789d877d-132ec364.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e972f17-639f6700.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e972f17-639f6700.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e972f17-639f6700.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e972f17-639f6700.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1efb057f-64a2696f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1efb057f-64a2696f.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1efb057f-64a2696f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1efb057f-64a2696f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-218b9fe1-70119e43.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-218b9fe1-70119e43.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-218b9fe1-70119e43.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-218b9fe1-70119e43.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24a589a5-28e8a072.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24a589a5-28e8a072.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24a589a5-28e8a072.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24a589a5-28e8a072.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37752ab9-110b3d34.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37752ab9-110b3d34.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37752ab9-110b3d34.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37752ab9-110b3d34.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-40418cdc-10e60edf.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-40418cdc-10e60edf.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-40418cdc-10e60edf.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-40418cdc-10e60edf.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4becc945-72f9c58c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4becc945-72f9c58c.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4becc945-72f9c58c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4becc945-72f9c58c.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6afd3d9e-52c54ca5.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6afd3d9e-52c54ca5.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6afd3d9e-52c54ca5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6afd3d9e-52c54ca5.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-d59d883-3b53458b.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-d59d883-3b53458b.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-d59d883-3b53458b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-d59d883-3b53458b.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-46bbf436-18c2f69a.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dee06d5-3e0c89ff.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dee06d5-3e0c89ff.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dee06d5-3e0c89ff.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dee06d5-3e0c89ff.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-436f6ed8-1f1b8fa6.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-436f6ed8-1f1b8fa6.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-436f6ed8-1f1b8fa6.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-436f6ed8-1f1b8fa6.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-e2fa732-5f089d21.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-e2fa732-5f089d21.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-e2fa732-5f089d21.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-e2fa732-5f089d21.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5b275f4b-155c9417.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5b275f4b-155c9417.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5b275f4b-155c9417.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5b275f4b-155c9417.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5b275f4b-155c9417.zip[VerifierBug.class]
Possible Virus. No disinfected C:\Documents and Settings\Mark M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5b275f4b-155c9417.zip[javautil.zip]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Mark M\Local Settings\Temp\biini.inf
Virus:W32/Spybot.MA.worm Disinfected C:\Documents and Settings\Mark M\Local Settings\Temp\fjkbv.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Local Settings\Temp\jar_cache30089.tmp[Jvb.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mark M\Local Settings\Temp\jar_cache30089.tmp[MainApp.class]
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Mark M\Local Settings\Temp\kiec.exe
Virus:W32/Gaobot.batch Disinfected C:\Documents and Settings\Mark M\Local Settings\Temp\r.bat
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\01YZ4527\payload[1].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\2L1EFIHO\sploit[1].anr
Virus:Exploit/Mhtredir.BS Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\3YS3FTWL\counter[1].htm
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\3YS3FTWL\payload[1].ani
Virus:Exploit/Mhtredir.BS Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\8F9BQ2F5\counter[2].htm
Virus:Exploit/HHelp Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\8F9BQ2F5\start[1].htm
Virus:Exploit/MIE.CHM No disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\8F9BQ2F5\x[1].htm
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\ODM7WT2B\payload[1].ani
Adware:Adware/AdultLink No disinfected C:\Documents and Settings\Sherri M\Local Settings\Temporary Internet Files\QaBar.cab[QaBar.inf]
Adware:Adware/AdultLink No disinfected C:\Documents and Settings\Sherri M\Local Settings\Temporary Internet Files\QaBar.inf
Possible Virus. No disinfected C:\Program Files\Internet Explorer\dgfrjvww.exe
Virus:Exploit/CodeBase.S No disinfected C:\stasxx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\stasxx.chm[htm2chm_explorer]
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\flash.inf
Adware:Adware/ISearch No disinfected C:\WINDOWS\Downloaded Program Files\initial.inf
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Downloaded Program Files\VBouncerOuter1123.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/Iagold No disinfected C:\WINDOWS\SYSTEM32\mlxjfzmg.dll

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 July 2005 - 11:58 PM

Great! I see a clean hijackthislog.

Check and fix the following leftovers in it:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =


It seems like you forgot to run Ccleaner, so I suggest you run it and click Run Cleaner.

Then, go to start > run and type:

regsvr32 /u occache.dll
Click OK.

Search for and delete the following files:

C:\Program Files\Internet Explorer\dgfrjvww.exe
C:\stasxx.chm[1.htm]
C:\stasxx.chm[htm2chm_explorer]
C:\WINDOWS\blocklist.reg
C:\WINDOWS\Downloaded Program Files\flash.inf
C:\WINDOWS\Downloaded Program Files\initial.inf
C:\WINDOWS\Downloaded Program Files\VBouncerOuter1123.exe
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\SYSTEM32\mlxjfzmg.dll

Go to start again > run and type regsvr32 occache.dll
Click OK.

It could be possible that this hijacker deleted some files, so check if the following are still present:

°Control.exe: is in your C:\WINDOWS\system32. Download here when missing.

°Hosts: C:\WINDOWS\SYSTEM32\DRIVERS\ETC. Download here when missing.
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK. Close the program.

°Shell.dll: C:\WINDOWS\SYSTEM32 Download here when missing

°SDHelper.dll:
If you are using Spybot Search & Destroy, this hijacker can also delete SDHelper.dll.
Download SDHelper.dll.
Place the file in the Spybot Search & Destroy folder. Most probably, this is C:\Program Files\Spybot - Search & Destroy

Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of the leftovers.
If you don't have those programs yet, you can find the download locations in my sig.

You can find the ewido log in your C:\Program Files\ewido\security suite\Reports folder.

Please post this in your next reply and tell me how things are running now. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
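An added example, not from the thread or from any tool named in it: a parser for the scan report posted above that reproduces the triage behind the reply's delete list. It assumes the reply's logic that "No disinfected" hits in the per-user Temp, Temporary Internet Files and Java cache folders are left to CCleaner, while undisinfected hits anywhere else must be deleted by hand; the sample lines are excerpted from the report.

```python
import re

# One line of the ActiveScan-style report posted above:
#   "<Category>:<Detection> <Disinfected|No disinfected> <Path>[<archive member>]"
# "Possible Virus." carries no detection name and uses "." instead of ":".
LINE_RE = re.compile(
    r"^(?P<category>Virus|Adware|Spyware|Possible Virus)[:.]\s*"
    r"(?:(?P<name>\S+)\s+)?"
    r"(?P<action>Disinfected|No disinfected)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)(?:\[(?P<member>[^\]]+)\])?\s*$"
)

# Folders the reply leaves to CCleaner instead of manual deletion (assumed reading of the reply).
TRANSIENT_DIRS = (
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\sun\\java\\deployment\\cache\\",
)

def parse_line(line):
    """Return a dict for one detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_report(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def is_transient(path):
    p = path.lower()
    return any(d in p for d in TRANSIENT_DIRS)

def needs_manual_removal(rec):
    """The scanner could not clean it and no temp cleaner will empty its folder."""
    return rec["action"] == "No disinfected" and not is_transient(rec["path"])

def leftovers(text):
    """Paths (with archive member, as the reply lists them) still needing hand removal."""
    return [rec["path"] + (f"[{rec['member']}]" if rec["member"] else "")
            for rec in parse_report(text) if needs_manual_removal(rec)]

# Sample input: six lines excerpted from the report above.
SAMPLE = r"""
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Mallory M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-446c19de-689290fe.zip[VB.class]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Mallory M\Local Settings\Temp\Belt.ini
Possible Virus. No disinfected C:\Program Files\Internet Explorer\dgfrjvww.exe
Virus:Exploit/CodeBase.S No disinfected C:\stasxx.chm[1.htm]
Virus:Exploit/MIE.CHM No disinfected C:\Documents and Settings\Mark M\Local Settings\Temporary Internet Files\Content.IE5\8F9BQ2F5\x[1].htm
Adware:Adware/Iagold No disinfected C:\WINDOWS\SYSTEM32\mlxjfzmg.dll
"""

if __name__ == "__main__":
    for path in leftovers(SAMPLE):
        print(path)
```

Run against the full report, the output is the same nine paths the reply asks to search for and delete.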

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 July 2005 - 03:08 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
