Multi Viruses and Spyware and Dialers....Help!


This topic is locked. 10 replies to this topic

#1 Luciddreamer92

Luciddreamer92

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:47 AM

Posted 17 August 2005 - 11:13 AM


Hi All,

Here's my problem and it ain't pretty! :thumbsup: :flowers: A few days ago we brought my computer out again to use (after having been away for 9 months) and my daughter used Messenger and also did general web browsing; the computer has come down with multiple... like 72 viruses and 100s of spyware and 17-odd dialers!!

We hadn't updated all the patches since 9 months back and I guess that's how they got in. The restore point was tried but didn't work, and now it has them on it anyway.

Things like W32 Kelvir, W32 Spybot Worm, Trojan Adclicker, Trojan Desktophia and Trojan Stwoyle are just to name a very select few (we few, we unhappy few, we band of 'mothers', I would say), as I have tried going into safe mode and following instructions that have got me through these things before, but not this BIG!

Here's my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:02:58 AM, on 18/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\BALL BIN PEAK\DENTLOCKS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R3 - Default URLSearchHook is missing
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: Ante for - {395232C6-3C62-D7DE-FD48-609D0857E72E} - C:\PROGRAM FILES\EXIT TEAM CDROM\FLAWFLAP.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: LIVE SIZE - {E345D324-72DA-CB65-8C5D-DEF0AB92C7DC} - C:\PROGRAM FILES\EXIT TEAM CDROM\FLAWFLAP.DLL (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: xtramsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-NZ\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [Update Local] C:\Windows\SETCPQLC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [stoplite] C:\PROGRA~1\Ball bin peak\dentlocks.exe
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113779.EXE -auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [winbas12] C:\PROGRAM FILES\WINBAS12.exe
O4 - HKLM\..\Run: [Windows ExpIorer] WRYYZFEMM.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Windows ExpIorer] WRYYZFEMM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunOnce: [panda cleaner] C:\WINDOWS\pavdr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: BJ PRINTER STATUS MONITOR.LNK = C:\WINDOWS\SYSTEM\CJSTSR.EXE
O4 - Startup: DLHELPEREXE.EXE
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q244902_DISK.DLL (file missing)


AND MY TREND FILE:


Incident Status Location

Adware:Adware/Lop No disinfected C:\PROGRAM FILES\BALL BIN PEAK\DENTLOCKS.EXE
Adware:adware/funweb No disinfected C:\WINDOWS\SYSTEM\Popular Screensavers.scr
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIG.INF
Adware:adware/sidesearch No disinfected C:\WINDOWS\APPLICATION DATA\Lycos
Spyware:spyware/cydoor No disinfected C:\WINDOWS\cache277
Adware:adware/ezula No disinfected Windows Registry
Virus:W32/Kelvir.CS.worm Disinfected C:\_RESTORE\TEMP\A0265209.CPY
Virus:W32/Sdbot.EOQ.worm Disinfected C:\_RESTORE\TEMP\WRYYZF~1.0
Virus:Trojan Horse Disinfected C:\_RESTORE\TEMP\WINBAS12.0
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0265799.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0265810.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0265819.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0265831.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\A0266786.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0285103.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\A0285112.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0285125.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\UNINSTIU.0
Adware:Adware/SideSearch No disinfected C:\_RESTORE\TEMP\A0285204.0
Adware:Adware/Lop No disinfected C:\_RESTORE\TEMP\A0285205.0
Adware:Adware/NetPals No disinfected C:\_RESTORE\TEMP\A0285206.0
Adware:Adware/nCase No disinfected C:\_RESTORE\TEMP\A0285207.0
Adware:Adware/Transponder No disinfected C:\_RESTORE\TEMP\A0285208.0
Adware:Adware/SAHAgent No disinfected C:\_RESTORE\TEMP\A0285209.0
Adware:Adware/SideSearch No disinfected C:\_RESTORE\TEMP\A0285210.0
Virus:Trj/Downloader.CHU Disinfected C:\_RESTORE\TEMP\A0285211.0
Adware:Adware/SAHAgent No disinfected C:\_RESTORE\TEMP\A0285212.0
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\A0285213.0
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\A0285214.0
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\TEMP\A0285215.0
Adware:Adware/SAHAgent No disinfected C:\_RESTORE\TEMP\A0285217.CPY
Adware:Adware/AdDestroyer No disinfected C:\_RESTORE\TEMP\A0285219.0
Adware:Adware/AdDestroyer No disinfected C:\_RESTORE\TEMP\A0285220.0
Adware:Adware/AdDestroyer No disinfected C:\_RESTORE\TEMP\A0285221.0
Adware:Adware/AdDestroyer No disinfected C:\_RESTORE\TEMP\A0285222.0
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\A0285223.CPY
Virus:W32/Ehijack.A.worm Disinfected C:\_RESTORE\TEMP\MSMSGS.0
Adware:Adware/nCase No disinfected C:\_RESTORE\TEMP\FS1592.0[A0244379.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\FS846.0[A0126113.CPY]
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\FS846.0[A0126123.CPY]
Dialer:Dialer.B No disinfected C:\_RESTORE\TEMP\FS882.0[A0135354.CPY]
Dialer:Dialer.QY No disinfected C:\_RESTORE\TEMP\FS882.0[A0135358.CPY]
Dialer:Dialer.JI No disinfected C:\_RESTORE\TEMP\FS882.0[A0135373.CPY]
Dialer:Dialer.DF No disinfected C:\_RESTORE\TEMP\FS882.0[A0135379.CPY]
Dialer:Dialer.QY No disinfected C:\_RESTORE\TEMP\FS882.0[A0135388.CPY]
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\TEMP\FS1242.0[A0199196.CPY]
Virus:Trj/Downloader.L No disinfected C:\_RESTORE\TEMP\FS1205.0[A0195590.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\FS1205.0[A0195599.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195396.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195397.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195398.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195399.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195400.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195401.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195402.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195403.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195404.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195407.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195412.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195418.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195427.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195428.CPY]
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\FS1204.0[A0195501.CPY]
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\FS1201.0[A0195125.CPY]
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\FS1201.0[A0195130.CPY]
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\FS1201.0[A0195135.CPY]
Adware:Adware/KeenValue No disinfected C:\_RESTORE\TEMP\FS1201.0[A0195137.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\FS1091.0[W0219402.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\FS1089.0[A0183925.CPY]
Adware:Adware/VirtualBouncer No disinfected C:\_RESTORE\TEMP\A0288623.CPY
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\A0288625.CPY
Adware:Adware/MyWebSearch No disinfected C:\_RESTORE\TEMP\A0288628.CPY
Dialer:Dialer.JI No disinfected C:\_RESTORE\ARCHIVE\FS1099.CAB[A0184811.CPY]
Dialer:Dialer.B No disinfected C:\_RESTORE\ARCHIVE\FS1099.CAB[A0184812.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195288.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195292.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195294.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195385.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195386.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195387.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195388.CPY]
Adware:Adware/Gator No disinfected C:\_RESTORE\ARCHIVE\FS1203.CAB[A0195389.CPY]
Virus:W32/Kelvir.CS.worm No disinfected C:\_RESTORE\ARCHIVE\FS1713.CAB[A0262326.CPY]
Virus:W32/Ehijack.A.worm No disinfected C:\_RESTORE\ARCHIVE\FS1732.CAB[W0319801.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262009.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262010.CPY]
Adware:Adware/nCase No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262011.CPY]
Adware:Adware/eZula No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262014.CPY]
Adware:Adware/SideSearch No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262019.CPY]
Virus:Trojan Horse No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262020.CPY]
Adware:Adware/nCase No disinfected C:\_RESTORE\ARCHIVE\FS1706.CAB[A0262022.CPY]
Virus:W32/Sdbot.EOQ.worm No disinfected C:\_RESTORE\ARCHIVE\FS1717.CAB[A0263319.CPY]
Virus:Trojan Horse No disinfected C:\_RESTORE\ARCHIVE\FS1717.CAB[A0263361.CPY]
Virus:W32/Sdbot.EOQ.worm No disinfected C:\_RESTORE\ARCHIVE\FS1717.CAB[A0263375.CPY]
Virus:Trojan Horse No disinfected C:\_RESTORE\ARCHIVE\FS1717.CAB[A0263387.CPY]
Virus:W32/Kelvir.CS.worm No disinfected C:\_RESTORE\ARCHIVE\FS1717.CAB[A0263395.CPY]
Virus:W32/Kelvir.CS.worm No disinfected C:\_RESTORE\ARCHIVE\FS1717.CAB[A0263404.CPY]
Virus:Trj/Rameh.A No disinfected C:\_RESTORE\ARCHIVE\FS885.CAB[A0136860.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\ARCHIVE\FS1586.CAB[A0242632.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\ARCHIVE\FS1586.CAB[A0242633.CPY]
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\ARCHIVE\FS1586.CAB[A0242679.CPY]
Adware:Adware/nCase No disinfected C:\_RESTORE\ARCHIVE\FS1586.CAB[A0242680.CPY]
Adware:Adware/eZula No disinfected C:\_RESTORE\ARCHIVE\FS1586.CAB[A0242780.CPY]
Adware:Adware/SideSearch No disinfected C:\_RESTORE\ARCHIVE\FS1587.CAB[A0242804.CPY]
Virus:Trojan Horse No disinfected C:\_RESTORE\ARCHIVE\FS1587.CAB[A0242837.CPY]
Virus:W32/Sdbot.EOQ.worm No disinfected C:\_RESTORE\ARCHIVE\FS1690.CAB[A0258360.CPY]
Virus:W32/Kelvir.CS.worm No disinfected C:\_RESTORE\ARCHIVE\FS1691.CAB[A0259308.CPY]
Virus:W32/Sdbot.EOQ.worm No disinfected C:\_RESTORE\ARCHIVE\FS1703.CAB[W0312558.CPY]
Virus:W32/Kelvir.CS.worm No disinfected C:\_RESTORE\ARCHIVE\FS1694.CAB[A0261317.CPY]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\c54bGs.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\bi3.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM\BO2804040128.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIG.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BI3.INF
Adware:Adware/Lop No disinfected C:\WINDOWS\TEMP\pav31D0.TMP
Adware:Adware/PsGuard No disinfected C:\WINDOWS\TEMP\pavA0A7.TMP
Adware:Adware/SideSearch No disinfected C:\WINDOWS\TEMP\pavA126.TMP
Adware:Adware/Lop No disinfected C:\WINDOWS\TEMP\pavA127.TMP
Adware:Adware/NetPals No disinfected C:\WINDOWS\TEMP\pavA135.TMP
Adware:Adware/nCase No disinfected C:\WINDOWS\TEMP\pavA140.TMP
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\pavA141.TMP
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\TEMP\pavA143.TMP
Adware:Adware/SideSearch No disinfected C:\WINDOWS\TEMP\pavA145.TMP
Virus:Trj/Downloader.CHU Disinfected C:\WINDOWS\TEMP\pavA150.TMP
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\TEMP\pavA152.TMP
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA153.TMP
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA156.TMP
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\TEMP\pavA163.TMP
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\TEMP\pavA165.TMP
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\TEMP\pavA170.TMP
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\TEMP\pavA171.TMP
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\TEMP\pavA172.TMP
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\TEMP\pavA173.TMP
Adware:Adware/KeenValue No disinfected C:\WINDOWS\TEMP\pavA174.TMP
Virus:W32/Ehijack.A.worm Disinfected C:\WINDOWS\TEMP\pavA180.TMP
Adware:Adware/nCase No disinfected C:\WINDOWS\TEMP\pavA184.TMP[A0244379.CPY]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\pavA191.TMP[A0126113.CPY]
Adware:Adware/KeenValue No disinfected C:\WINDOWS\TEMP\pavA191.TMP[A0126123.CPY]
Dialer:Dialer.B No disinfected C:\WINDOWS\TEMP\pavA193.TMP[A0135354.CPY]
Dialer:Dialer.QY No disinfected C:\WINDOWS\TEMP\pavA193.TMP[A0135358.CPY]
Dialer:Dialer.JI No disinfected C:\WINDOWS\TEMP\pavA193.TMP[A0135373.CPY]
Dialer:Dialer.DF No disinfected C:\WINDOWS\TEMP\pavA193.TMP[A0135379.CPY]
Dialer:Dialer.QY No disinfected C:\WINDOWS\TEMP\pavA193.TMP[A0135388.CPY]
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\TEMP\pavA1A3.TMP[A0199196.CPY]
Virus:Trj/Downloader.L No disinfected C:\WINDOWS\TEMP\pavA1B3.TMP[A0195590.CPY]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\pavA1B3.TMP[A0195599.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195396.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195397.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195398.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195399.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195400.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195401.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195402.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195403.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195404.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195407.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195412.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195418.CPY]
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\pavA1C1.TMP[A0195427.CPY]


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:07:47 AM

Posted 20 August 2005 - 09:03 AM

Hello Luciddreamer92 and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R3 - Default URLSearchHook is missing
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: Ante for - {395232C6-3C62-D7DE-FD48-609D0857E72E} - C:\PROGRAM FILES\EXIT TEAM CDROM\FLAWFLAP.DLL (file missing)
O3 - Toolbar: LIVE SIZE - {E345D324-72DA-CB65-8C5D-DEF0AB92C7DC} - C:\PROGRAM FILES\EXIT TEAM CDROM\FLAWFLAP.DLL (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [Update Local] C:\Windows\SETCPQLC.EXE
O4 - HKLM\..\Run: [stoplite] C:\PROGRA~1\Ball bin peak\dentlocks.exe
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113779.EXE -auto
O4 - HKLM\..\Run: [winbas12] C:\PROGRAM FILES\WINBAS12.exe
O4 - HKLM\..\Run: [Windows ExpIorer] WRYYZFEMM.EXE
O4 - HKLM\..\RunServices: [Windows ExpIorer] WRYYZFEMM.EXE
O4 - Startup: DLHELPEREXE.EXE
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q244902_DISK.DLL (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\PROGRAM FILES\FLASHGET\ <--folder
C:\PROGRAM FILES\EXIT TEAM CDROM\ <--folder
C:\PROGRAM FILES\Ball bin peak\ <--folder
C:\PROGRAM FILES\WEBSX\ <--folder
C:\PROGRAM FILES\WINBAS12.exe
C:\Windows\SETCPQLC.EXE
C:\WINDOWS\Q244902_DISK.DLL

Now perform a search for these files and delete all instances.
WRYYZFEMM.EXE
DLHELPEREXE.EXE

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

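As an added illustration (not code from OldTimer, BleepingComputer or HijackThis itself), here is a small Python triage script over the O4 and O20 lines of the log above: it flags the look-alike "Windows ExpIorer" entry (a capital I standing in for a lowercase l), autostart commands that name a bare executable with no path, and a Winlogon Notify registration whose DLL is marked file missing. The allow-lists of trusted Windows ME entry names and system binaries, and the confusable-character map, are assumptions chosen for this log, not a HijackThis feature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4/O20 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [winbas12] C:\PROGRAM FILES\WINBAS12.exe
O4 - HKLM\..\Run: [Windows ExpIorer] WRYYZFEMM.EXE
O4 - HKLM\..\RunServices: [Windows ExpIorer] WRYYZFEMM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: DLHELPEREXE.EXE
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q244902_DISK.DLL (file missing)
"""

# O4: "<location>: [<entry name>] <command>"; Startup-folder lines carry no [name].
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Assumed allow-lists for a stock Windows 9x/ME box; extend them for the machine being triaged.
# TRUSTED_NAMES: entry names malware likes to imitate. An exact match is left alone,
# a match that only appears after folding look-alike characters is an impostor.
TRUSTED_NAMES = {"windows explorer", "systemtray", "taskmonitor", "scanregistry", "loadpowerprofile"}
# System binaries that are legitimately launched by bare name (resolved by PATH search).
LEGIT_BARE_EXES = {"systray.exe", "hidserv.exe", "loadqm.exe", "mstask.exe", "rundll32.exe"}
# Characters that pass for one another in the fonts HijackThis logs are usually read in.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})


@dataclass
class Finding:
    line: str
    reason: str


def normalise(name: str) -> str:
    """Fold look-alike characters so 'Windows ExpIorer' compares equal to 'windows explorer'."""
    return name.translate(CONFUSABLES).lower()


def first_token(cmd: str) -> str:
    """Return the executable part of a Run-key command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_o4(line: str, name: Optional[str], cmd: str) -> List[Finding]:
    findings = []
    if name is not None:
        raw, folded = name.lower(), normalise(name)
        if raw not in TRUSTED_NAMES and folded in TRUSTED_NAMES:
            findings.append(Finding(line, f"entry name '{name}' is a look-alike of '{folded}'"))
    exe = first_token(cmd)
    bare = "\\" not in exe and "/" not in exe and exe.lower().endswith(".exe")
    if bare and exe.lower() not in LEGIT_BARE_EXES:
        # A bare name is resolved by PATH search at boot, so the binary could live anywhere.
        findings.append(Finding(line, f"bare executable '{exe}' with no path is not a known system binary"))
    return findings


def check_o20(line: str, name: str, path: str) -> List[Finding]:
    # A Winlogon Notify DLL that no longer exists is a dangling registration worth removing.
    if path.endswith("(file missing)"):
        return [Finding(line, f"Winlogon Notify '{name}' points at a missing DLL")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run the O4/O20 checks over a HijackThis log and return the flagged lines."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend(check_o4(line, m.group("name"), m.group("cmd")))
            continue
        m = O20_RE.match(line)
        if m:
            findings.extend(check_o20(line, m.group("name"), m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags both "Windows ExpIorer" lines twice (impostor name and bare WRYYZFEMM.EXE), the Startup DLHELPEREXE.EXE entry and the style2 Winlogon Notify entry, and leaves the stock SystemTray, QuickTime and Symantec entries alone.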

#3 Luciddreamer92

Luciddreamer92
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:47 AM

Posted 20 August 2005 - 07:27 PM


Thanks Old timer for your help to date; it is really appreciated when there is such excellent help available... I take my hat off to you guys fighting the malware, viruses and other mindless things that idiots want to put on our systems!
You do a sterling job and are to be congratulated.

Now I have done as you outlined up until running RAV, where I found I still had three infections, one being a dialer, the other a trojan and something else. Anyway, I had to manually delete them and hope I didn't take out too many files with them, as I have WinZip and couldn't see another way of getting 'em without taking the files.

The Bitdefender scan is now clear, as is the RAV (the 2nd time around), and Ad-Aware threw up the same two things that Norton keeps saying it's fixed, although I cannot open Norton in ANY way except to see other things or scan independently; anyway, it won't open to the front page!
The two things in quarantine in Norton and that keep coming back are A058360.CPY W32 Spybot Worm and AO259308.CPY W32Kelvir both in Windows Temp.

The computer works, but at times it drops offline and feels like it's being used (hijacked) at times, as the dial-up seems strange: when it shows it's online it's offline and vice versa.

I enclose my HijackThis Scan below and hope you can see an answer to the other problems but thanks for taking so much off my system already.

Many Thanks,


Pete

Logfile of HijackThis v1.99.1
Scan saved at 10:10:30 AM, on 21/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\OPSCAN.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: xtramsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-NZ\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: BJ PRINTER STATUS MONITOR.LNK = C:\WINDOWS\SYSTEM\CJSTSR.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

#4 OldTimer

Malware Expert

Posted 20 August 2005 - 09:49 PM

Hi Luciddreamer92. There is nothing in this log. It is now clean. Let's try a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 Luciddreamer92

Posted 21 August 2005 - 05:33 AM

Thanks,

I followed the instructions but the WinPFind.zip scan took so long that it froze each time... I tried it 6-7 times but ended up getting 3/4 of the way down the page and then not responding any more!

Anyways, here's my latest HijackThis log, and I did a Norton scan which came up with more spyware... seems it always does. This time it was C:\WINDOWS\SYSTEM\BO2804040128.exe, which was quarantined, and another one, C:\ProgramFilesld98008w.exe, which was a dialler I think, that I had to erase myself.

I hope this helps, as every scan I do has these same things that need wiping again and again... as ever, thanks for your assistance :thumbsup:

PS: Ad-Aware is now down to tracking cookies only, which I delete... just 2 this time!

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:33 PM, on 21/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: xtramsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-NZ\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: BJ PRINTER STATUS MONITOR.LNK = C:\WINDOWS\SYSTEM\CJSTSR.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

#6 OldTimer

Malware Expert

Posted 21 August 2005 - 10:45 AM

Hi Luciddreamer92. This log is clean just like the previous log. If there is anything on the system it is not showing in the HijackThis log.

Let's try a scan with a program called a-squared (a2). Go to this link: http://www.emsisoft.com/en/software/download/ and download the 'a-squared Free' version. Install the program, update it and then run a full scan. Post the log back here and I'll take a look at it.

Cheers.

OT

#7 Luciddreamer92

Posted 22 August 2005 - 12:39 PM

Hi OldTimer and thanks for your quick reply.
I did your scan, which returned No Malware... a good sign I reckon, but my Ad-Aware scan keeps returning malware and nasties...
Here's my Ad-Aware log, sorry it's sooo long though. Thanks in advance,

Pete :thumbsup:


Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, 23 August 2005 3:12:42 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.Psguard(TAC index:7):2 total references
MRU List(TAC index:0):3 total references
Tracking Cookie(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


23-08-2005 3:12:42 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279220259
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294966867
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294964859
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294838235
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [MSTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294869675
Threads : 2
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [STIMON.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294901619
Threads : 5
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:7 [KB891711.EXE]
FilePath : C:\WINDOWS\SYSTEM\KB891711\
ProcessID : 4294782235
Threads : 1
Priority : Normal
FileVersion : 4.10.2223
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:8 [CCEVTMGR.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294799719
Threads : 21
Priority : Normal
FileVersion : 2.1.7.2
ProductVersion : 2.1.7.2
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:9 [CCSETMGR.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294797007
Threads : 5
Priority : Normal
FileVersion : 2.1.7.2
ProductVersion : 2.1.7.2
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:10 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294790043
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:11 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294654711
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:12 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294670779
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:13 [STMGR.EXE]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294656779
Threads : 5
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:14 [HIDSERV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294649443
Threads : 3
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : HIDSERV.EXE

#:15 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294680615
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:16 [CPQEADM.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294661923
Threads : 1
Priority : Normal
FileVersion : 6.00.007
ProductVersion : 6.00.007
ProductName : Compaq Easy Access Button Support
CompanyName : Compaq Computer Corporation
FileDescription : Easy Access Software Demon
InternalName : CPQEADM
LegalCopyright : Copyright © 2000
OriginalFilename : CPQEADM.exe

#:17 [CPQINET.EXE]
FilePath : C:\COMPAQ\CPQINET\
ProcessID : 4294692691
Threads : 3
Priority : Normal
FileVersion : 3, 0, 2, 7
ProductVersion : 2, 2, 0, 0
ProductName : CPQINET
CompanyName : Compaq Computer Corporation
FileDescription : CPQInet
InternalName : CPQInet
LegalCopyright : Copyright © 2000, 2001
LegalTrademarks : All Rights Reserved
OriginalFilename : CPQInet.exe
Comments : Compaq Internet Runtime Service

#:18 [DEVGULP.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\
ProcessID : 4294605967
Threads : 2
Priority : Normal
FileVersion : 1, 3, 4, 0
ProductVersion : 1, 3, 4, 0
ProductName : Digital Dashboard (LCD) Support Software
CompanyName : Compaq Computer Corporation
FileDescription : Device Detective & Internet Alive
InternalName : DevGulp
LegalCopyright : Copyright Compaq Computer Corporation, 1999-2000
LegalTrademarks : Compaq
OriginalFilename : DevGulp.EXE
Comments : Device Detective & Internet Alive

#:19 [BTTNSERV.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294600651
Threads : 5
Priority : Normal
FileVersion : 4.00.061
ProductVersion : 4.00.061
ProductName : BttnServ Module
CompanyName : Compaq Computer Corporation
FileDescription : Button Server
InternalName : BttnServ
LegalCopyright : Copyright 1997-1999 Compaq Computer Corporation
OriginalFilename : BttnServ.exe
Comments : 4.00.061

#:20 [SCCENTER.EXE]
FilePath : C:\CPQS\BWTOOLS\
ProcessID : 4294619075
Threads : 2
Priority : Normal
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
ProductName : SCCenter Module
CompanyName : Compaq Computer Corporation
FileDescription : SCCenter Module
InternalName : SCCenter
LegalCopyright : Copyright 1999
LegalTrademarks : All rights reserved
OriginalFilename : SCCenter.EXE

#:21 [LOADQM.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294630643
Threads : 3
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:22 [QTTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294517171
Threads : 2
Priority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:23 [EAUSBKBD.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294510803
Threads : 7
Priority : Normal
FileVersion : 6.00.116
ProductVersion : 6.00.116
ProductName : Compaq Easy Access Keyboard Support Software
CompanyName : Compaq Computer Corporation
FileDescription : Compaq Easy Access USB Keyboard Driver
InternalName : EAUSBKBD
LegalCopyright : Copyright © 1999-2000 Compaq Computer Corporation
OriginalFilename : EAUSBKBD.EXE
Comments : VA

#:24 [SYMLCSVC.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\
ProcessID : 4294538403
Threads : 1
Priority : Normal
FileVersion : 1, 8, 48, 79
ProductVersion : 1, 8, 48, 79
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:25 [CCAPP.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294527063
Threads : 20
Priority : Normal
FileVersion : 2.1.7.2
ProductVersion : 2.1.7.2
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:26 [WKCALREM.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
ProcessID : 4294487459
Threads : 2
Priority : Normal
FileVersion : 5.00.1928.1
ProductVersion : 5.00.1928.1
ProductName : Microsoft® Works 2000
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : © 1999 Microsoft Corp. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:27 [WZQKPICK.EXE]
FilePath : C:\PROGRAM FILES\WINZIP\
ProcessID : 4294481323
Threads : 1
Priority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 9.0 (6224)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:28 [IEXPLORE.EXE]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294400247
Threads : 1
Priority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:29 [RNAAPP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294450343
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:30 [TAPISRV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294443507
Threads : 5
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:31 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279203347
Threads : 3
Priority : Realtime
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
ProductName : Microsoft® DirectX for Windows®
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2002
OriginalFilename : DDHelp.exe

#:32 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294331095
Threads : 18
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:33 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294435895
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:default@tribalfusion.com/
Expires : 1-01-2038 10:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:default@fastclick.net/
Expires : 23-08-2007 3:08:24 AM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@casalemedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:default@casalemedia.com/
Expires : 20-09-2005 5:03:48 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@z1.adserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:default@z1.adserver.com/
Expires : 21-08-2006 9:03:56 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 8



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\default@tribalfusion[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\default@fastclick[2].txt

Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Deep scanning and examining files (d:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for d:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.Psguard Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : Wallpaper

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 11

3:21:36 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:54.100
Objects scanned:63302
Objects identified:8
Objects ignored:0
New critical objects:8

#8 OldTimer

Malware Expert

Posted 22 August 2005 - 06:57 PM

Hi Luciddreamer92. There's nothing bad that I can see in the AdAware log. MRU lists are not a threat and if you just visit 1 website there will always be tracking cookies found. That's just the nature of the web. Just have AdAware clean them if you want them gone. There will be some back again as soon as you go on the web again.

Ok, let's finish things up.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
  • Right-click My Computer and then click Properties.
  • On the Performance tab, click File System.
  • On the Troubleshooting tab, click to select Disable System Restore.
  • Click OK twice.
2. Restart your computer.
3. Turn on System Restore.
  • Right-click My Computer and again click Properties.
  • On the Performance tab, click File System.
  • Clear the check mark in the Disable System Restore check box.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good anti-virus, and you should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:

It is best to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean, be aware of what emails you open and what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 Luciddreamer92

Luciddreamer92
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:47 AM

Posted 22 August 2005 - 11:09 PM


Thanks once again I think all is well now with the viruses etc etc! Many thanks for your continued help :thumbsup:

If I could ask one thing I've noticed, it's that "Intranet" instead of "Internet" sometimes comes up down the bottom right, where the online computer icons are?

This is a personal computer only for home use so what do you think has happened? I click tools...internet options.....security and I have an Intranet control yet 'sites' for Internet are greyed out?

As I am not part of any company is this normal or a hijack kinda situation?

Sorry to be a pain,


Regards,

Pete

#10 Luciddreamer92

Luciddreamer92
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:47 AM

Posted 23 August 2005 - 12:30 AM

Hi again,

I'm running spyware guard and this is what it's telling me:
Somebody is scanning your computer.
Your computer's TCP ports:
22, 21, 110, and 8080 have been scanned from 207.33.111.35..

Am I being attacked or spied on or is this normal for this program?

Also this one, that I suspect is ok:
Application Hijacking has been detected
The application: C:\COMPAQ\CPQInet\CPQInet.exe try to launch another application: C:\Program Files\Outlook Express\MSIMN.EXE

Any ideas?

Pete :thumbsup:

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:07:47 AM

Posted 23 August 2005 - 09:35 AM

Hi Luciddreamer92. I don't know about the intranet item. It might be valid and it might not. It depends on how the machine is set up and how the ISP has it set up for connection. I would suggest posting that question in the Internet forum and see what they have to say. Also, when in the Internet Options>Security dialog, the Sites button is always greyed out for the Internet. Sites cannot be added to that zone since it includes all sites that have not been placed in the allowed or restricted zones.

As far as being scanned, as long as the computer is connected to the internet it will be continually scanned. Some scans might be valid while others are not. That is why it is important to have a firewall.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
