
Hijackthis log can you see a problem with this?


26 replies to this topic

#1 ultimega


Posted 10 July 2005 - 09:43 AM

Hi, I have a horrible computer which was fine until the Webroot Spy Sweeper trial ran out. Anyway, I ran AVG antivirus and it found 2 trojans which it cannot heal, because they returned on every scan; I have uninstalled it and ignored it since then. Recently everything on my computer is lagging all the time, on everything: startup, internet etc.

I recently ran my Ad-Aware SE on a full scan; it scanned 45,000 files with nothing to find. Then I ran it the next day on a full scan again with nothing to be found... only it read 92,000 files or so, meaning I inexplicably have 42,000 more files than before with no reason.

Also, running Spyware Doctor finds a high-risk hijacker with adgoogle in its description but cannot remove it at all.
(My brother went onto an inappropriate website the other week which installed itself on my computer, leaving me to try to get rid of it. I believe there are traces of it left within the machine.)
Anyway, with things getting like this I decided to turn to HijackThis and BleepingComputer to see if there is a problem in this area. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:13, on 10/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER FOR ICQ\AQMON.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/nf.phtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {9E1EEAA3-1320-45C3-B893-139CC9D824F0} - blank (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\WEBDIR.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\PLUGINS\BROWSERBAR\IE_BAR.DLL
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

I'd be extremely appreciative if anyone can help solve any problems, thanks.



#2 viccy (Malware Exterminator, Security Colleague)

Posted 11 July 2005 - 11:57 AM

Welcome to the forum. Let's see if we can get you cleaned up.

Scan with HijackThis and put a checkmark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/nf.phtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {9E1EEAA3-1320-45C3-B893-139CC9D824F0} - blank (file missing)
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\WEBDIR.DLL

Close all browsers and windows and click "fix checked".

Please download SilentRunners from here
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see, along with a new Hijack This log, after you restart your computer.

Edited by viccy, 11 July 2005 - 12:01 PM.
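The entries viccy asks to fix above share a few visible properties: the R3 hooks and the blank BHO point at nothing ("(no file)", "(file missing)"), the R3 CLSIDs are not well-formed {GUID} tokens, and the CWebDirObj BHO loads from C:\WINDOWS itself rather than from a program directory. The Python below is an added example, not part of viccy's post and not HijackThis code: it applies those checks to a constructed subset of the log lines quoted in this thread. The reason strings, the "Windows root" heuristic and the start/search URL prompt are this example's own assumptions; a flag means "look at this", not "remove this".

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of a HijackThis v1.99.1 log: a subset of the
# entry lines quoted in this thread, not the complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/nf.phtml
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {9E1EEAA3-1320-45C3-B893-139CC9D824F0} - blank (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\WEBDIR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /waitservice
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Finding reasons: heuristics chosen for this example, not HijackThis output.
ORPHANED = "orphaned: registry entry points at a file that no longer exists"
MALFORMED_CLSID = "URLSearchHook CLSID is not a well-formed {GUID}"
WINDOWS_ROOT = "module loads from the Windows root instead of a program directory"
USER_URL = "browser start/search URL is set; confirm the user chose it"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body, line) for each entry line. Header lines and the
    'Running processes' list do not carry the R0/O2/O16-style prefix."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            out.append((m.group("sec"), m.group("body"), line))
    return out


def module_path(body):
    # HijackThis writes the loaded module path as the last " - " field.
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    findings = []
    for sec, body, line in parse_entries(log_text):
        if any(mark in body for mark in ORPHAN_MARKERS):
            findings.append(Finding(sec, ORPHANED, line))
        if sec == "R3":
            # The CLSID sits in the second " - " field of an R3 line.
            parts = body.split(" - ")
            if len(parts) >= 2 and not CLSID_RE.fullmatch(parts[1].strip()):
                findings.append(Finding(sec, MALFORMED_CLSID, line))
        if sec in ("O2", "O3"):
            path = module_path(body).upper()
            # C:\WINDOWS\X.DLL has two backslashes; C:\WINDOWS\SYSTEM\X.DLL has three.
            if path.startswith("C:\\WINDOWS\\") and path.count("\\") == 2:
                findings.append(Finding(sec, WINDOWS_ROOT, line))
        if sec in ("R0", "R1") and "http" in body.lower():
            findings.append(Finding(sec, USER_URL, line))
    return findings


def count_by_reason(findings):
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

Run against the sample, the script flags exactly the lines viccy checked (the two R3 hooks, the blank BHO and WEBDIR.DLL) plus the two browser URLs for confirmation, and leaves the Google, Outpost and HouseCall entries alone. The orphan rule is the safe one: an entry that points at a missing file can be removed without losing anything. The other rules only prioritise what a human should look at.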


#3 ultimega


Posted 11 July 2005 - 06:28 PM

Thanks, I did what you said first, but when it comes to opening that file I get this error, and then when I click OK it closes.

Windows Script Host
Script C:\unzipped\silent%20Runners[1]\Silent Runners.vbs
Line 84
Char 13
Error ActiveX component can't create object
Source Microsoft VBScript runtime error
OK

Well, I right-clicked and chose open with MS-DOS, I think it was... but it did something and closed almost instantly.

Here's my next HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:34:00, on 12/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\PLUGINS\BROWSERBAR\IE_BAR.DLL
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Edited by ultimega, 12 July 2005 - 06:39 AM.


#4 viccy


Posted 11 July 2005 - 09:30 PM

Please download the free MWAV antivirus tool from here:
ftp://ftp.microworldsystems.com/download/tools/mwav.exe
Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.

#5 ultimega


Posted 12 July 2005 - 06:50 AM

Here was the most effective scan...

Edited by ultimega, 12 July 2005 - 07:14 AM.


#6 viccy


Posted 12 July 2005 - 07:54 AM

Could you post the log from the scan and a new HijackThis log?

#7 ultimega


Posted 12 July 2005 - 09:12 AM

Ouch, it was running over 2 hours, then I closed lots of things in Task Manager, and 1 thing that I think made it scan properly, and now everything is scanning as a failure. But here is the correct log from the MicroWorld antivirus:

Entry "HKCR\CLSID\{4E8512FC-7582-4F06-AF2A-8856F4755945}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B317C9D1-FD02-4AAE-A4BB-9DF12104E4CC}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE265956-6F5F-4790-9CAB-EDFAC64362EF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5951EEA0-B2AB-42B5-9E4E-AF1917F808D1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{77B03170-94FB-4822-ADFC-B7FDCBECA031}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2C57255A-4040-4CD5-9D82-C2C6121AB09C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{63EACA8B-EDCF-44CE-8B9D-0B44EB06C71B}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F75D9C9-0CDB-4ED0-9B41-4230715DAF5A}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\webdir.WebDirObj.1" refers to invalid object "{C003C49F-53E4-4A72-B7D6-0B2B9997392F}". Action Taken: No Action Taken.
Entry "HKCR\webdir.WebDirObj" refers to invalid object "{C003C49F-53E4-4A72-B7D6-0B2B9997392F}". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\BO2804040128.exe tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\msqsb.dll tagged as "not-a-virus:AdWare.ToolBar.Neon.a". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0001368.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0002791.CPY infected by "Trojan-Downloader.Win32.Small.aix" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0002793.CPY infected by "Trojan.Win32.Dialer.cs" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0004123.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0013309.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0051620.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Edited by ultimega, 12 July 2005 - 09:13 AM.
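The MWAV output above mixes three kinds of lines: registry references to objects that no longer exist, files tagged as "not-a-virus" riskware or adware, and files actually flagged as infected. The two trojan hits both sit under C:\_RESTORE\TEMP, which on Windows ME is the System Restore archive, so they are archived snapshots rather than files that run at boot. The Python below is an added example, not part of the original post and not MWAV code: it sorts a constructed subset of the lines above into those buckets so that archive copies are not mistaken for an active infection. The bucket names, the C:\_RESTORE prefix check and the purge heuristic are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the MWAV lines quoted in this thread, in the
# same shape, not the complete scan output.
SAMPLE_MWAV = r"""
Entry "HKCR\CLSID\{4E8512FC-7582-4F06-AF2A-8856F4755945}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\webdir.WebDirObj.1" refers to invalid object "{C003C49F-53E4-4A72-B7D6-0B2B9997392F}". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\BO2804040128.exe tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0002791.CPY infected by "Trojan-Downloader.Win32.Small.aix" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0004123.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
"""

DEAD_ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>[^"]*)"')
INFECTED_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)"')
# The tag name may or may not be quoted, and is always followed by ". ".
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as "?(?P<name>[^"\s]+?)"?\.\s')
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)!')

# Windows ME System Restore keeps its archived copies under C:\_RESTORE;
# those .CPY files are snapshots, not code that runs at boot.
RESTORE_PREFIX = "C:\\_RESTORE\\"


def is_restore_copy(path):
    return path.upper().startswith(RESTORE_PREFIX)


def classify(log_text):
    """Bucket MWAV result lines so active infections stand out from
    System Restore snapshots, riskware tags and dead registry references."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            key = "infected_restore" if is_restore_copy(m["path"]) else "infected_active"
            buckets[key].append((m["path"], m["name"]))
            continue
        m = TAGGED_RE.match(line)
        if m:
            key = "riskware_restore" if is_restore_copy(m["path"]) else "riskware_active"
            buckets[key].append((m["path"], m["name"]))
            continue
        m = DEAD_ENTRY_RE.match(line)
        if m:
            buckets["dead_registry"].append((m["key"], m["obj"]))
            continue
        m = OBJECT_RE.match(line)
        if m:
            buckets["objects"].append((m["name"], m["where"]))
            continue
        buckets["unparsed"].append(line)  # anything the patterns above miss
    return dict(buckets)


def needs_restore_purge(buckets):
    """True when every infected hit lives inside the System Restore archive:
    the remedy is to flush the archive, not to hunt for a running process."""
    return bool(buckets.get("infected_restore")) and not buckets.get("infected_active")


if __name__ == "__main__":
    result = classify(SAMPLE_MWAV)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", *item)
    print("purge System Restore archive:", needs_restore_purge(result))
```

When only the "infected_restore" bucket is populated, a scanner will keep reporting the same files on every scan until System Restore is turned off and back on to discard the archive; that pattern is consistent with the two trojans in the first post that "returned every scan". The "riskware_active" entries (UNWISE.EXE, the VirtualBouncer and Neon toolbar files) are the ones still on the live system and worth removing by hand.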


#8 viccy


Posted 12 July 2005 - 09:44 AM

Please download CCleaner from here:
http://www.ccleaner.com
Install and run it, and clean out your Temporary and Temporary Internet Files (as well as anything else you may want to clean out.)

You can also go to "Tools" and look at your startup list, and remove some of the programs that are not necessary at startup. If you are unsure, I can review the list with you.

Then, try running MWAV again and post the log and another HijackThis log.

#9 ultimega


Posted 12 July 2005 - 09:58 AM

Startup programs I am unsure of:

LoadPowerProfile Rundll32.exe powerprof.dll,LoadCurrentPwrScheme
LoadQM loadqm.exe

#10 viccy


Posted 12 July 2005 - 09:33 PM

This one isn't necessary:
LoadQM loadqm.exe

#11 ultimega


Posted 13 July 2005 - 06:22 AM

MWAV short scan (the long scan takes over 3 hours but finds the 2 trojan viruses):

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E62DCD80-C262-11d1-A419-006097923041}" refers to invalid object "atipdsxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2EADFE65-C751-11D1-A636-0000E8DB1EA2}" refers to invalid object "atipdaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B8E361-D2E2-11D1-A41F-00609729B902}" refers to invalid object "atipuixx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EBB5845F-CA80-11CF-BD3C-008029E89281}" refers to invalid object "atitvo32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C0BFD429-AAD4-42E1-94F2-BD5278AC0648}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A98ABF1C-107C-44E7-9254-2C3FF435D0C2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EBAEC922-7E76-4810-916B-0BA857CCAAF0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C3774B55-7A70-4E75-8CA5-D6C28BED3250}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1816E619-9C2E-4C78-8454-0B091AF3D558}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D04D1B9A-A250-4B67-B2C5-BC52C44CBA30}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D7A33115-15EF-489E-8224-391AB35B51F2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7B0E53F2-3D1A-4FC6-B6FE-EB58DA0D7D55}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8D89DE79-193D-40C1-85E6-D44E87FDDD12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E0D2EF10-900F-4EF5-A25D-0D9F173E670D}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{23DD867B-1FE6-4AD8-83AE-77A26AF6B881}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F613A9F6-4A41-492E-B74E-DF606B5B43C2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{86D5AF77-1220-4D8D-B235-CB7BDBA454F9}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4139ED31-17E0-4433-BA2F-0BD18E7EE475}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E5F75043-D1CD-4008-BF15-0C9AA0AD5A10}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B537780F-575D-4470-AD17-B622370232E7}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6E146F5B-5D78-4FA5-A2DB-77179407FB09}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E8512FC-7582-4F06-AF2A-8856F4755945}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B317C9D1-FD02-4AAE-A4BB-9DF12104E4CC}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE265956-6F5F-4790-9CAB-EDFAC64362EF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5951EEA0-B2AB-42B5-9E4E-AF1917F808D1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{77B03170-94FB-4822-ADFC-B7FDCBECA031}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2C57255A-4040-4CD5-9D82-C2C6121AB09C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{63EACA8B-EDCF-44CE-8B9D-0B44EB06C71B}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F75D9C9-0CDB-4ED0-9B41-4230715DAF5A}" refers to invalid object "blank". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\BO2804040128.exe tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\msqsb.dll tagged as "not-a-virus:AdWare.ToolBar.Neon.a". Action Taken: No Action Taken.

HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:24:23, on 13/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\OUTPOST.EXE /service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\PLUGINS\BROWSERBAR\IE_BAR.DLL
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O19 - User stylesheet: C:\My Documents\neopets.css

#12 viccy


Posted 13 July 2005 - 06:32 AM

It's looking better.

Just a few more things and we will be done.

Download and install Registrar Lite
  • Start RegLite
  • Navigate to the hkey_local_machine\software\altnet registry key.
  • Try deleting the key.
Note: If you have trouble deleting the key, click once on the key name to highlight it, then click on the Security menu option and then the Edit Permissions item. Uncheck Allow inheritable permissions, click on Everyone in the upper box and put a checkmark in Full control in the lower box. Click the Apply button and then the OK button and attempt to delete the key again.

Next, please run full scans with Ad-Aware SE and Spybot-S&D as follows:
(If you already have Ad-Aware SE 1.06 and Spybot 1.4 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Full Ad-Aware Scan
Please download Ad-Aware SE from here
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.


Spybot Full Scan
Next, please download Spybot-S&D from here
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

Let me know what happened and post a new Hijackthis log file back here.

#13 ultimega


Posted 14 July 2005 - 01:49 AM

Did everything in the Ad-Aware SE thing except this, which it wouldn't let me change:

2) During removal, unload Explorer and IE if necessary

Nothing was found in the Ad-Aware scan except for a negligible HKEY.

Search and Destroy found one telcom thing and cleared it.

In Registrar I couldn't find the 'altnet' HKEY even though I went into the local machine, then software... too many folders to search through...

#14 ultimega


Posted 14 July 2005 - 01:52 AM

MWAV FULL SCAN took almost 6 hours to scan!

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E62DCD80-C262-11d1-A419-006097923041}" refers to invalid object "atipdsxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2EADFE65-C751-11D1-A636-0000E8DB1EA2}" refers to invalid object "atipdaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B8E361-D2E2-11D1-A41F-00609729B902}" refers to invalid object "atipuixx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EBB5845F-CA80-11CF-BD3C-008029E89281}" refers to invalid object "atitvo32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C0BFD429-AAD4-42E1-94F2-BD5278AC0648}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A98ABF1C-107C-44E7-9254-2C3FF435D0C2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EBAEC922-7E76-4810-916B-0BA857CCAAF0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C3774B55-7A70-4E75-8CA5-D6C28BED3250}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1816E619-9C2E-4C78-8454-0B091AF3D558}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D04D1B9A-A250-4B67-B2C5-BC52C44CBA30}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D7A33115-15EF-489E-8224-391AB35B51F2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7B0E53F2-3D1A-4FC6-B6FE-EB58DA0D7D55}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8D89DE79-193D-40C1-85E6-D44E87FDDD12}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E0D2EF10-900F-4EF5-A25D-0D9F173E670D}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{23DD867B-1FE6-4AD8-83AE-77A26AF6B881}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F613A9F6-4A41-492E-B74E-DF606B5B43C2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{86D5AF77-1220-4D8D-B235-CB7BDBA454F9}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4139ED31-17E0-4433-BA2F-0BD18E7EE475}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E5F75043-D1CD-4008-BF15-0C9AA0AD5A10}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B537780F-575D-4470-AD17-B622370232E7}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6E146F5B-5D78-4FA5-A2DB-77179407FB09}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E8512FC-7582-4F06-AF2A-8856F4755945}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B317C9D1-FD02-4AAE-A4BB-9DF12104E4CC}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE265956-6F5F-4790-9CAB-EDFAC64362EF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5951EEA0-B2AB-42B5-9E4E-AF1917F808D1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{77B03170-94FB-4822-ADFC-B7FDCBECA031}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2C57255A-4040-4CD5-9D82-C2C6121AB09C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{63EACA8B-EDCF-44CE-8B9D-0B44EB06C71B}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F75D9C9-0CDB-4ED0-9B41-4230715DAF5A}" refers to invalid object "blank". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\BO2804040128.exe tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\msqsb.dll tagged as "not-a-virus:AdWare.ToolBar.Neon.a". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0001368.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0002791.CPY infected by "Trojan-Downloader.Win32.Small.aix" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0002793.CPY infected by "Trojan.Win32.Dialer.cs" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0004123.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0013309.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0051620.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0069036.CPY tagged as "not-a-virus:AdWare.Webdir.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MACROMED\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\MACROMED\Shockwave 10\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\BO2804040128.exe tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\msqsb.dll tagged as "not-a-virus:AdWare.ToolBar.Neon.a". Action Taken: No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Agnitum\Outpost Firewall\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Registrar Lite\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Recycled\Q330995.exe infected by "Trojan.Win32.Small.bb" Virus! Action Taken: No Action Taken.
File C:\1-2-3-TIN2.exe infected by "Trojan.Win32.Dialer.cs" Virus! Action Taken: No Action Taken.
File C:\unzipped\hijackthis[1]\backups\backup-20050712-002249-289.dll tagged as "not-a-virus:AdWare.Webdir.a". Action Taken: No Action Taken.
File C:\q428649.exe infected by "Trojan-Downloader.Win32.Agent.kg" Virus! Action Taken: No Action Taken.
File C:\q900665.exe infected by "Trojan-Downloader.Win32.Small.amb" Virus! Action Taken: No Action Taken.
File C:\q539093.exe infected by "Trojan-Downloader.Win32.Small.amb" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MACROMED\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\MACROMED\Shockwave 10\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\BO2804040128.exe tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\msqsb.dll tagged as "not-a-virus:AdWare.ToolBar.Neon.a". Action Taken: No Action Taken.

31 Viruses
352 Errors :thumbsup:
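
As an added example (not part of this thread or of the MWAV scanner), a small Python parser for the report format quoted above. It separates infections in live files from copies sitting in the C:\_RESTORE System Restore cache, which anti-virus scanners cannot delete while System Restore is enabled, and counts how many findings were left with "No Action Taken". The sample lines are constructed from the post's own format.

```python
import re
from collections import Counter

# Constructed sample lines in the MWAV report format quoted in the post above.
SAMPLE_LOG = r"""
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "blank". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0002791.CPY infected by "Trojan-Downloader.Win32.Small.aix" Virus! Action Taken: No Action Taken.
File C:\q428649.exe infected by "Trojan-Downloader.Win32.Agent.kg" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\msqsb.dll tagged as "not-a-virus:AdWare.ToolBar.Neon.a". Action Taken: No Action Taken.
"""

# One pattern per line shape seen in the report; the "Action Taken" clause is checked separately.
INFECTED = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!')
TAGGED = re.compile(r'^File (?P<path>.+?) tagged as "?(?P<name>not-a-virus:[A-Za-z0-9.]+?)"?\. ')
REGISTRY = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>[^"]*)"')
OBJECT = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)!')

def parse_line(line):
    """Classify one report line; returns a dict with a 'kind' field, or None for noise."""
    for kind, pattern in (("infected", INFECTED), ("tagged", TAGGED),
                          ("registry", REGISTRY), ("object", OBJECT)):
        m = pattern.match(line)
        if m:
            rec = {"kind": kind, **m.groupdict()}
            # Every line in the quoted log ends in "No Action Taken": reported, not cleaned.
            rec["cleaned"] = "No Action Taken" not in line
            return rec
    return None

def parse_report(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def in_restore_folder(path):
    # Windows ME/XP System Restore keeps its file copies under C:\_RESTORE.
    return path.upper().startswith("C:\\_RESTORE\\")

def summarize(records):
    """Count findings per kind and split infections into live files vs. restore-cache copies."""
    counts = Counter(r["kind"] for r in records)
    infected = [r["path"] for r in records if r["kind"] == "infected"]
    return {
        "counts": dict(counts),
        "restore_hits": [p for p in infected if in_restore_folder(p)],
        "live_hits": [p for p in infected if not in_restore_folder(p)],
        "uncleaned": sum(1 for r in records if not r["cleaned"]),
    }

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_LOG)))
```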

#15 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas
  • Local time:09:51 AM

Posted 15 July 2005 - 08:38 AM

Be sure you have the latest version of Ccleaner. You will see a button on the left hand side of the menu that says "Issues". Click on that to clean up your registry, and then choose "Scan for issues", then "Fix selected issues". Be sure to select all.

Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.

Do Start->Control Panel->System, System restore. Tick "Turn off System Restore" and reboot. That will erase all restore points.
After reboot, go back in and turn System Restore back on.

Please run the Housecall online virus scan located at:
http://housecall.trendmicro.com/housecall/start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Then please run the Panda scan here:
http://www.pandasoftware.com/products/acti...n_principal.htm
Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.

Finally, please run the WindowSecurity trojan scan here:
http://www.windowsecurity.com/trojanscan/
Remove any trojans found, and restart your computer.

Post a new Hijack This log. Be sure to let me know if you get any messages about not being able to delete or fix any viruses or trojans found.
