Help Plz? Hjt Log


  • This topic is locked
8 replies to this topic

#1 PRoT (Members, 4 posts)

Posted 20 October 2005 - 09:26 AM

Hi, I'm new at this. Can anyone help me get rid of this trojan.vundo? :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:48 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.kr
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\infoas.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [spynet] C:\Program Files\SpyNet\SpyNet.exe -bg
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [18Wheels_of_Steel.exe] C:\MYDOWN~1\18WHEE~1.EXE /r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/288e7bb2692775...ip/RdxIE601.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\Links.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: infoas - C:\WINDOWS\Help\infoas.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 sUBs (Malware Response Team, 2,489 posts)

Posted 21 October 2005 - 04:09 PM

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

#3 PRoT (Topic Starter, Members, 4 posts)

Posted 22 October 2005 - 08:51 AM

Wow, thanks so much! It seems like it's gone :thumbsup:
Well, better safe than sorry; here is the Spy Sweeper log:

********
7:40 PM: | Start of Session, Friday, October 21, 2005 |
7:40 PM: Spy Sweeper started
7:40 PM: Sweep initiated using definitions version 560
7:40 PM: Starting Memory Sweep
7:40 PM: Warning: Failed to load image: C:\WINDOWS\Help\infoas.dll
7:43 PM: Found Adware: virtumonde
7:43 PM: Detected running threat: C:\WINDOWS\Help\infoas.dll (ID = 77)
8:00 PM: Memory Sweep Complete, Elapsed Time: 00:20:08
8:00 PM: Starting Registry Sweep
8:06 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
8:06 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
8:06 PM: HKCR\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749140)
8:06 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
8:06 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
8:06 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (ID = 749160)
8:06 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749166)
8:06 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\progid\ (1 subtraces) (ID = 749172)
8:11 PM: Registry Sweep Complete, Elapsed Time:00:10:47
8:11 PM: Starting Cookie Sweep
8:11 PM: Found Spy Cookie: 2o7.net cookie
8:11 PM: mom and dad@2o7[1].txt (ID = 1957)
8:11 PM: Found Spy Cookie: hbmediapro cookie
8:11 PM: mom and dad@adopt.hbmediapro[1].txt (ID = 2768)
8:11 PM: Found Spy Cookie: precisead cookie
8:11 PM: mom and dad@adopt.precisead[2].txt (ID = 3182)
8:11 PM: Found Spy Cookie: advertising cookie
8:11 PM: mom and dad@advertising[2].txt (ID = 2175)
8:11 PM: Found Spy Cookie: apmebf cookie
8:11 PM: mom and dad@apmebf[1].txt (ID = 2229)
8:11 PM: Found Spy Cookie: falkag cookie
8:11 PM: mom and dad@as-us.falkag[2].txt (ID = 2650)
8:11 PM: mom and dad@as1.falkag[1].txt (ID = 2650)
8:11 PM: Found Spy Cookie: atlas dmt cookie
8:11 PM: mom and dad@atdmt[2].txt (ID = 2253)
8:11 PM: Found Spy Cookie: belnk cookie
8:11 PM: mom and dad@ath.belnk[2].txt (ID = 2293)
8:11 PM: Found Spy Cookie: atwola cookie
8:11 PM: mom and dad@atwola[1].txt (ID = 2255)
8:11 PM: mom and dad@belnk[1].txt (ID = 2292)
8:11 PM: Found Spy Cookie: bluestreak cookie
8:11 PM: mom and dad@bluestreak[1].txt (ID = 2314)
8:11 PM: Found Spy Cookie: casalemedia cookie
8:11 PM: mom and dad@casalemedia[2].txt (ID = 2354)
8:11 PM: Found Spy Cookie: centrport net cookie
8:11 PM: mom and dad@centrport[2].txt (ID = 2374)
8:11 PM: Found Spy Cookie: commission junction cookie
8:11 PM: mom and dad@cj[2].txt (ID = 2453)
8:11 PM: mom and dad@commission-junction[1].txt (ID = 2455)
8:11 PM: mom and dad@dist.belnk[2].txt (ID = 2293)
8:11 PM: Found Spy Cookie: domainsponsor cookie
8:11 PM: mom and dad@domainsponsor[1].txt (ID = 2533)
8:11 PM: Found Spy Cookie: fastclick cookie
8:11 PM: mom and dad@fastclick[2].txt (ID = 2651)
8:11 PM: Found Spy Cookie: fortunecity cookie
8:11 PM: mom and dad@fortunecity[2].txt (ID = 2686)
8:11 PM: Found Spy Cookie: humanclick cookie
8:11 PM: mom and dad@hc2.humanclick[2].txt (ID = 2810)
8:11 PM: Found Spy Cookie: homestore cookie
8:11 PM: mom and dad@homestore[1].txt (ID = 2793)
8:11 PM: Found Spy Cookie: kount cookie
8:11 PM: mom and dad@kount[1].txt (ID = 2911)
8:11 PM: mom and dad@landing.domainsponsor[1].txt (ID = 2535)
8:11 PM: Found Spy Cookie: okcounter.com cookie
8:11 PM: mom and dad@okcounter[2].txt (ID = 3093)
8:11 PM: Found Spy Cookie: overture cookie
8:11 PM: mom and dad@overture[1].txt (ID = 3105)
8:11 PM: mom and dad@perf.overture[1].txt (ID = 3106)
8:11 PM: Found Spy Cookie: pro-market cookie
8:11 PM: mom and dad@pro-market[2].txt (ID = 3197)
8:11 PM: Found Spy Cookie: questionmarket cookie
8:11 PM: mom and dad@questionmarket[1].txt (ID = 3217)
8:11 PM: Found Spy Cookie: realmedia cookie
8:11 PM: mom and dad@realmedia[1].txt (ID = 3235)
8:11 PM: Found Spy Cookie: revenue.net cookie
8:11 PM: mom and dad@revenue[1].txt (ID = 3257)
8:11 PM: Found Spy Cookie: rightmedia cookie
8:11 PM: mom and dad@rightmedia[1].txt (ID = 3259)
8:11 PM: Found Spy Cookie: domain sponsor cookie
8:11 PM: mom and dad@searchportal.domainsponsor[1].txt (ID = 2534)
8:11 PM: Found Spy Cookie: servedby advertising cookie
8:11 PM: mom and dad@servedby.advertising[2].txt (ID = 3335)
8:11 PM: Found Spy Cookie: serving-sys cookie
8:11 PM: mom and dad@serving-sys[2].txt (ID = 3343)
8:11 PM: Found Spy Cookie: reliablestats cookie
8:11 PM: mom and dad@stats1.reliablestats[1].txt (ID = 3254)
8:12 PM: Found Spy Cookie: targetnet cookie
8:12 PM: mom and dad@targetnet[2].txt (ID = 3489)
8:12 PM: Found Spy Cookie: trafficmp cookie
8:12 PM: mom and dad@trafficmp[2].txt (ID = 3581)
8:12 PM: Found Spy Cookie: adserver cookie
8:12 PM: mom and dad@z1.adserver[1].txt (ID = 2142)
8:12 PM: Found Spy Cookie: yieldmanager cookie
8:12 PM: rich@ad.yieldmanager[1].txt (ID = 3751)
8:12 PM: Found Spy Cookie: adknowledge cookie
8:12 PM: rich@adknowledge[2].txt (ID = 2072)
8:12 PM: Found Spy Cookie: pointroll cookie
8:12 PM: rich@ads.pointroll[2].txt (ID = 3148)
8:12 PM: rich@belnk[1].txt (ID = 2292)
8:12 PM: Found Spy Cookie: burstnet cookie
8:12 PM: rich@burstnet[2].txt (ID = 2336)
8:12 PM: rich@casalemedia[2].txt (ID = 2354)
8:12 PM: Found Spy Cookie: clickbank cookie
8:12 PM: rich@clickbank[2].txt (ID = 2398)
8:12 PM: rich@dist.belnk[2].txt (ID = 2293)
8:12 PM: Found Spy Cookie: maxserving cookie
8:12 PM: rich@maxserving[1].txt (ID = 2966)
8:12 PM: Found Spy Cookie: statcounter cookie
8:12 PM: rich@statcounter[2].txt (ID = 3447)
8:12 PM: rich@stats1.reliablestats[2].txt (ID = 3254)
8:12 PM: Found Spy Cookie: tribalfusion cookie
8:12 PM: rich@tribalfusion[1].txt (ID = 3589)
8:12 PM: Found Spy Cookie: myaffiliateprogram.com cookie
8:12 PM: rich@www.myaffiliateprogram[1].txt (ID = 3032)
8:12 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
8:12 PM: Found Spy Cookie: adrevolver cookie
8:12 PM: owner@adrevolver[1].txt (ID = 2088)
8:12 PM: owner@adrevolver[3].txt (ID = 2088)
8:12 PM: Found Spy Cookie: adreactor cookie
8:12 PM: owner@adserver.adreactor[1].txt (ID = 2087)
8:12 PM: owner@advertising[1].txt (ID = 2175)
8:12 PM: owner@atdmt[2].txt (ID = 2253)
8:12 PM: owner@ath.belnk[1].txt (ID = 2293)
8:12 PM: owner@belnk[2].txt (ID = 2292)
8:12 PM: owner@casalemedia[2].txt (ID = 2354)
8:12 PM: owner@dist.belnk[1].txt (ID = 2293)
8:12 PM: owner@fastclick[1].txt (ID = 2651)
8:12 PM: owner@realmedia[2].txt (ID = 3235)
8:12 PM: owner@revenue[1].txt (ID = 3257)
8:12 PM: owner@servedby.advertising[1].txt (ID = 3335)
8:12 PM: owner@stats1.reliablestats[2].txt (ID = 3254)
8:12 PM: Found Spy Cookie: webtrendslive cookie
8:12 PM: owner@statse.webtrendslive[2].txt (ID = 3667)
8:12 PM: owner@tribalfusion[1].txt (ID = 3589)
8:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:45
8:12 PM: Starting File Sweep
8:16 PM: Found Adware: gain-supported software
8:16 PM: c:\documents and settings\owner\local settings\temp\fsg_tmp (2 subtraces) (ID = -2147480935)
8:16 PM: Found Adware: altnet
8:16 PM: c:\windows\temp\altnet (10 subtraces) (ID = -2147481435)
8:16 PM: Found Adware: bullguard popup ad
8:16 PM: c:\windows\temp\bullguard (ID = -2147476409)
8:38 PM: setup.exe (ID = 49875)
9:31 PM: asmfiles.cab (ID = 49805)
11:17 PM: Found Adware: comet cursor
11:17 PM: exeinstaller_dm2[1].exe (ID = 53564)
11:44 PM: Found Adware: relatedlinks bho
11:44 PM: lbbho.ini (ID = 73732)
12:09 AM: File Sweep Complete, Elapsed Time: 03:57:04
12:09 AM: Full Sweep has completed. Elapsed time 04:29:20
12:09 AM: Traces Found: 138
9:34 AM: Removal process initiated
9:38 AM: Quarantining All Traces: altnet
9:38 AM: Quarantining All Traces: bullguard popup ad
9:38 AM: Quarantining All Traces: comet cursor
9:38 AM: Quarantining All Traces: gain-supported software
9:38 AM: Quarantining All Traces: relatedlinks bho
9:38 AM: Quarantining All Traces: virtumonde
9:39 AM: virtumonde is in use. It will be removed on reboot.
9:39 AM: C:\WINDOWS\Help\infoas.dll is in use. It will be removed on reboot.
9:39 AM: Quarantining All Traces: 2o7.net cookie
9:39 AM: Quarantining All Traces: adknowledge cookie
9:39 AM: Quarantining All Traces: adreactor cookie
9:39 AM: Quarantining All Traces: adrevolver cookie
9:39 AM: Quarantining All Traces: adserver cookie
9:39 AM: Quarantining All Traces: advertising cookie
9:39 AM: Quarantining All Traces: apmebf cookie
9:39 AM: Quarantining All Traces: atlas dmt cookie
9:39 AM: Quarantining All Traces: atwola cookie
9:39 AM: Quarantining All Traces: belnk cookie
9:39 AM: Quarantining All Traces: bluestreak cookie
9:39 AM: Quarantining All Traces: burstnet cookie
9:39 AM: Quarantining All Traces: casalemedia cookie
9:39 AM: Quarantining All Traces: centrport net cookie
9:39 AM: Quarantining All Traces: clickbank cookie
9:39 AM: Quarantining All Traces: commission junction cookie
9:39 AM: Quarantining All Traces: domain sponsor cookie
9:39 AM: Quarantining All Traces: domainsponsor cookie
9:39 AM: Quarantining All Traces: falkag cookie
9:39 AM: Quarantining All Traces: fastclick cookie
9:39 AM: Quarantining All Traces: fortunecity cookie
9:39 AM: Quarantining All Traces: hbmediapro cookie
9:39 AM: Quarantining All Traces: homestore cookie
9:39 AM: Quarantining All Traces: humanclick cookie
9:39 AM: Quarantining All Traces: kount cookie
9:39 AM: Quarantining All Traces: maxserving cookie
9:39 AM: Quarantining All Traces: myaffiliateprogram.com cookie
9:39 AM: Quarantining All Traces: okcounter.com cookie
9:39 AM: Quarantining All Traces: overture cookie
9:39 AM: Quarantining All Traces: pointroll cookie
9:39 AM: Quarantining All Traces: precisead cookie
9:39 AM: Quarantining All Traces: pro-market cookie
9:39 AM: Quarantining All Traces: questionmarket cookie
9:39 AM: Quarantining All Traces: realmedia cookie
9:39 AM: Quarantining All Traces: reliablestats cookie
9:39 AM: Quarantining All Traces: revenue.net cookie
9:39 AM: Quarantining All Traces: rightmedia cookie
9:39 AM: Quarantining All Traces: servedby advertising cookie
9:39 AM: Quarantining All Traces: serving-sys cookie
9:39 AM: Quarantining All Traces: statcounter cookie
9:39 AM: Quarantining All Traces: targetnet cookie
9:39 AM: Quarantining All Traces: trafficmp cookie
9:39 AM: Quarantining All Traces: tribalfusion cookie
9:39 AM: Quarantining All Traces: webtrendslive cookie
9:39 AM: Quarantining All Traces: yieldmanager cookie
9:39 AM: Warning: Timed out waiting for explorer.exe
9:39 AM: Warning: Timed out waiting for explorer.exe
9:39 AM: Warning: Timed out waiting for explorer.exe
9:39 AM: Warning: Quarantine process could not restart Explorer.
9:40 AM: Preparing to restart your computer. Please wait...
9:40 AM: Removal process completed. Elapsed time 00:06:26
********
7:33 PM: | Start of Session, Friday, October 21, 2005 |
7:33 PM: Spy Sweeper started
7:38 PM: Your spyware definitions have been updated.
7:40 PM: | End of Session, Friday, October 21, 2005 |

and here is the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:25 AM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.kr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?P...ie5update&O1=b1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [spynet] C:\Program Files\SpyNet\SpyNet.exe -bg
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/288e7bb2692775...ip/RdxIE601.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\Links.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by PRoT, 22 October 2005 - 08:52 AM.


#4 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 12:06 PM

We seem to be missing the top portion of your Hijackthis log. Please ensure that all subsequent HJT logs include that.

Now that we have taken care of the main infection, it's time to weed out the remaining files.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please check if Add/Remove Programs has this entry. If so, uninstall it:

SpyNet


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Have HijackThis fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
O4 - HKLM\..\Run: [spynet] C:\Program Files\SpyNet\SpyNet.exe -bg
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - AppInit_DLLs: C:\WINDOWS\System32\Links.dll


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Locate & delete this folder - C:\Program Files\SpyNet\

Locate & delete these files - C:\WINDOWS\Help\saofni >> delete all instances of this file

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  • Select Drive C: & click the 'OK' button
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click the 'OK' button
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  • In the popup box that appears, type in C:\WINDOWS\System32\Links.dll
  • Click the Open button.
  • Click YES when prompted to restart your computer.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


After you have rebooted, perform an online scan with Internet Explorer with Panda ActiveScan
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now. This begins downloading Panda's 8 MB ActiveX controls.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log
Also let me know if you still have any other issues with your machine

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


#5 PRoT
  • Topic Starter
  • Members
  • 4 posts

Posted 22 October 2005 - 07:47 PM

when I went to add/remove programs, I didn't see a "Spynet" program at all.
I ran HijackThis and tried to "Fix checked" the ones you told me to, but I see that:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/

are still there.

I didn't see a folder in Program files entitled "Spynet" and I didn't see C:\WINDOWS\Help\saofni in the help folder.

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 5:59:35 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.kr
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/288e7bb2692775...ip/RdxIE601.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Activescan


Incident Status Location

Adware:adware/p2pnetworking Reported C:\Documents and Settings\Rich\Local Settings\Temp\p2psetup.exe
Spyware:spyware/new.net Reported C:\WINDOWS\NDNuninstall4_85.exe
Adware:adware/twain-tech Reported C:\WINDOWS\smdat32m.sys
Spyware:spyware/cydoor Reported C:\WINDOWS\SYSTEM32\AdCache
Adware:adware/savenow Reported Windows Registry
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[2].txt
Spyware:Cookie/Imrworldwide Reported C:\Documents and Settings\Rich\Cookies\rich@cgi-bin[2].txt
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Rich\Cookies\rich@com[2].txt
Spyware:Cookie/Bfast Reported C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@bfast[2].txt
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@com[2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@doubleclick[1].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@hitbox[1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@mediaplex[1].txt
Spyware:Cookie/Searchportal Reported C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@searchportal.information[1].txt
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2dca707c-3c888e2a.zip[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3513ba03-52a799b9.zip[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-485e4880-55cf99bb.zip[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-53027f58-47506089.zip[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5cdd0bda-51fe2e37.zip[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a0b8f67-19e72359.zip[Dummy.class]
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[2].txt
Spyware:Cookie/Imrworldwide Reported C:\Documents and Settings\Rich\Cookies\rich@cgi-bin[2].txt
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Rich\Cookies\rich@com[2].txt
Adware:Adware/P2PNetworking Reported C:\Documents and Settings\Rich\Local Settings\Temp\p2psetup.exe
Adware:Adware/Lop Reported C:\Program Files\Seekjumpinfo\bird anti.dll
Spyware:Spyware/New.net Reported C:\WINDOWS\NDNuninstall4_85.exe
Spyware:Spyware/New.net Reported C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net Reported C:\WINDOWS\NDNuninstall6_30.exe
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL10.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL11.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL12.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL13.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL14.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL15.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL16.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL17.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL18.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL19.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL2.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL20.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL21.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL22.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL23.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL24.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL25.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL26.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL27.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL28.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL29.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL3.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL30.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL31.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL32.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL33.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL34.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL35.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL36.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL37.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL38.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL39.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL4.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL40.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL41.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL42.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL44.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL45.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL5.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL6.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL7.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL8.DLL
Adware:Adware/P2PNetworking Reported C:\WINDOWS\system32\P2P Networking\MARSHAL9.DLL
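
The check that sUBs and PRoT are doing by eye across these posts (a "fix these entries" list against the next HijackThis log) can be done mechanically. The script below is an added example written for this thread; it is not HijackThis code and not anything the posters ran. It parses the HJT 1.99 log format shown in the thread, reports which lines from a fix list still appear in a later log, and lists any AppInit_DLLs value, which is the O20 entry that carried Links.dll here. The log excerpts embedded in it are constructed samples copied from the logs quoted in this thread and trimmed to the relevant lines.

```python
"""Check a follow-up HijackThis log against a helper's "fix these entries" list.

Added example written for this thread; it is not HijackThis code and not
anything the posters ran.  The log excerpts below are constructed samples,
copied from the logs quoted in the thread and trimmed to the relevant lines.
"""
import re
from dataclasses import dataclass

# A HijackThis 1.99 log entry is "<section> - <detail>", where section is one of
# R0-R3, F0-F3, N1-N4 or O1-O24.  Header lines ("Logfile of ...") do not match.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "R1", "O4", "O20"
    detail: str   # everything after "<section> - "

    def __str__(self):
        return f"{self.section} - {self.detail}"


def parse_hjt_log(text):
    """Return the entries in a pasted HJT log, skipping headers and blank lines."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("detail")))
    return entries


def remaining_fixes(fix_list, later_log):
    """Lines from the helper's fix list that still appear, verbatim, in a later log.

    This is the comparison a helper makes by eye when the user replies that
    some entries "are still there"; matching is exact on section and detail.
    """
    present = set(parse_hjt_log(later_log))
    return [str(e) for e in parse_hjt_log(fix_list) if e in present]


def appinit_dlls(entries):
    """DLL paths registered under AppInit_DLLs (reported by HJT as an O20 line).

    user32.dll loads every DLL named here into each process that links user32,
    so a non-empty value is worth a look whatever the file is called.
    """
    paths = []
    for e in entries:
        if e.section == "O20" and e.detail.startswith("AppInit_DLLs:"):
            value = e.detail.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


# The helper's fix list from post #4 (constructed copy of the lines above).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
O4 - HKLM\..\Run: [spynet] C:\Program Files\SpyNet\SpyNet.exe -bg
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - AppInit_DLLs: C:\WINDOWS\System32\Links.dll
"""

# Trimmed copy of the 22 October log posted after the first fix attempt.
LOG_22_OCT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:59:35 PM, on 10/22/2005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Trimmed copy of the 23 October log posted after SpySweeper was disabled.
LOG_23_OCT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:32:02 PM, on 10/23/2005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


if __name__ == "__main__":
    for label, log in (("22 Oct", LOG_22_OCT), ("23 Oct", LOG_23_OCT)):
        left = remaining_fixes(FIX_LIST, log)
        print(f"{label}: {len(left)} of the requested fixes still present")
        for line in left:
            print("  still there:", line)
        for dll in appinit_dlls(parse_hjt_log(log)):
            print("  AppInit_DLLs loads:", dll)
```

Run as a script, it reports that the two R1 search entries survive in the 22 October log (the result PRoT describes in the post above) and that nothing from the fix list remains in the 23 October log. Matching is exact text, so the "..." inside the long URLs, which is how they appear on this page, is compared literally; a real comparison would use the full lines as HijackThis writes them.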

#6 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 08:10 PM

Please disable Webroot SpySweeper, as it hinders the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automatically restore default without notification
Have HijackThis fix these entries again:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enbpnbxzzovridvzlciagk.net/vlY1...H8dzbfo8ZQh.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/




Locate & delete these files/folders: (let me know if there's any you fail to delete)

C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\AdCache
C:\Program Files\Seekjumpinfo\
C:\WINDOWS\NDNuninstall4_85.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_30.exe
C:\WINDOWS\system32\P2P Networking\
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2dca707c-3c888e2a.zip
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3513ba03-52a799b9.zip
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-485e4880-55cf99bb.zip
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-53027f58-47506089.zip
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5cdd0bda-51fe2e37.zip
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a0b8f67-19e72359.zip




Download & install - CleanUp.exe
Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!



Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.



Download fl.zip.
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply


In your next post, please include fresh logs from:
  • HiJackThis
  • Findlop.txt
  • TrendMicro Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.

#7 PRoT
  • Topic Starter
  • Members
  • 4 posts

Posted 23 October 2005 - 11:36 AM

Hmm, I can't download that fl.zip one... I don't know why, I click on it but nothing happens.

Antispyware
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning

HJT
Logfile of HijackThis v1.99.1
Scan saved at 12:32:02 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.kr
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/288e7bb2692775...ip/RdxIE601.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 23 October 2005 - 11:49 AM

Please try right-clicking the link & choose save as "fl.zip"

#9 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 10 November 2005 - 06:42 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



