
Spyaxe Issue, Check My Hijackthis Log


22 replies to this topic

#1 vplehtinen

vplehtinen

  • Members
  • 29 posts

Posted 12 November 2005 - 03:49 AM

Hello. Here's the deal: I got a heavy load of viruses and spyware and trojans etc. some time ago, and most of them I had removed with panda scan, ad-aware, spybot s&d and Norton antivirus.
From the very beginning I was getting (still am) a yellow message box in the lower right corner of the toolbar, saying exactly this:

"Your computer is infected!

Windows has detected spyware infection.

It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware."


If I click on it, it takes me to SpyAxe homepage. If I restart my computer, it automatically installs SpyAxe, tells me what I'm dealing with and then shows me the payment options.
The original thread I posted my problems in is here:
http://www.bleepingcomputer.com/forums/index.php?showtopic=34819&st=0&gopid=190837&#entry190837
I was told that SpyAxe is a rogue/suspect antispyware product and shouldn't be trusted, apparently.

So I need to know how I can get rid of this SpyAxe issue and any other threats (not sure how clean I am besides SpyAxe). Thanks.

-----

here's the log, taken in safe-mode (should I have taken it in normal mode?) (I don't use IE btw):

Logfile of HijackThis v1.99.1
Scan saved at 10:30:07, on 12.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleep-portal.com
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hpF6F2.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm075
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099173209593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by vplehtinen, 12 November 2005 - 03:50 AM.




#2 vplehtinen

vplehtinen
  • Topic Starter

  • Members
  • 29 posts

Posted 12 November 2005 - 06:43 AM

I got rid of SpyAxe!

I was browsing the net for SpyAxe related info, and found people who had the same problem.

A quote from computing.net security message board:

"In order to clean your PC from infections related to Spyware Axe product, please follow the instructions below:

1) Save Uninstallers.zip from http://www.spyaxe.com/uninstall/uninstallers.zip to your desktop or HDD.

2) Extract 2 files "illegal_adv_uninstall1.exe" and "illegal_adv_uninstall2.exe" to your desktop or your HDD using WinZip.

3) Execute both of them one by one by double-clicking with your mouse.

4) Reboot your PC

5) Your PC is now clean from the infections."

The discussion in its wholeness is here:
http://www.computing.net/security/wwwboard/forum/16942.html

That was very easy and painful, and no more spyaxe ads in the taskbar.

But I'd still like you to look at the log in the above post, in case there is any malicious stuff left in my system.

#3 vplehtinen

vplehtinen
  • Topic Starter

  • Members
  • 29 posts

Posted 12 November 2005 - 07:14 AM

I cleaned my registry with Registry Mechanic and cleaned my system of any crap with CCleaner (it found over 1gb worth of cookies, temp files, missing shortcuts, bad fonts etc. etc. etc., damn it was good). I also used Ewido Security Suite to delete all remaining spyware and dialers on my computer.

But. I'll post here a new hijackthis log, and I'd like you to tell me if there's anything not right with it.

Thanks.

#4 vplehtinen

vplehtinen
  • Topic Starter

  • Members
  • 29 posts

Posted 12 November 2005 - 09:43 AM

Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:42:03, on 12.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
E:\Valve\Steam\Steam.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm075
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099173209593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 12 November 2005 - 01:11 PM

vplehtinen: We still have a lot of work to do, so let's get started. Please follow each and every step below in order.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1. Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

NTBOOTMGR (NTBOOT)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Repeat with the following entries:

NTLOAD
NTSVCMGR


2. Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

NTBOOT

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click NO.

Repeat with the following:

NTLOAD
NTSVCMGR

Reboot and let me know if you received any error messages.

3. Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

4. Place a shortcut to Panda ActiveScan on your desktop.

5. You already have Ewido. :thumbsup:
Update the definitions to the newest files. Do NOT run a scan yet.

6. If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

7. Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
8. Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:

R3 - Default URLSearchHook is missing

Close HiJackThis.

9. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


10. Open Ad-aware and do a full scan. Remove all it finds.


11. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

13. Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Thanks,
JC
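The entries the helper singled out above (the three unknown-owner services under C:\WINDOWS\SYSTEM\DRIVER, the BHO loaded from a .tmp file, the missing URLSearchHook) can be picked out of a HijackThis log mechanically. The script below is an added example, not part of this thread or of HijackThis itself: it parses the R3/O2/O3/O23 line formats shown in the logs and applies those heuristics as detection rules. The allow-list of trusted service directories is an assumption made for the example, and the sample lines are copied from the poster's first log.

```python
r"""Triage helper for HijackThis 1.99.1 logs like the ones posted in this thread.

Added example, not part of the thread or of HijackThis. Rules applied:
  * O23 service with no publisher string ("Unknown owner") whose binary lives
    outside System32 / Program Files (e.g. C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe)
  * one unknown-owner binary registered under several service names (ntsrv.exe)
  * O2 BHO loaded from a .tmp file (the HomepageBHO entry)
  * O2/O3 registrations whose file is gone (orphans, low priority)
  * R3 - Default URLSearchHook is missing
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed allow-list: an unknown-owner service binary in these directories is
# not by itself remarkable (ATI Smart and RadClock in the poster's log).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
MISSING_MARKERS = ("(file missing)", "(no file)")

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section prefix: R3, O2, O3, O23
    level: str     # "suspicious" or "orphan"
    name: str      # entry name exactly as HijackThis prints it
    reason: str


def _is_missing(raw_path: str) -> bool:
    """True when HijackThis marked the entry's file as absent."""
    return raw_path.strip().endswith(MISSING_MARKERS)


def _clean_path(raw_path: str) -> str:
    """Strip quotes and the '(file missing)' suffix; lower-case for comparison."""
    p = raw_path.strip()
    for marker in MISSING_MARKERS:
        if p.endswith(marker):
            p = p[: -len(marker)].strip()
    return p.strip('"').lower()


def triage_log(log_text: str) -> List[Finding]:
    """Return findings for one HijackThis log, in log order, shared-binary hits last."""
    findings: List[Finding] = []
    services_by_binary: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line == "R3 - Default URLSearchHook is missing":
            findings.append(Finding("R3", "suspicious", "Default URLSearchHook",
                                    "default IE URLSearchHook registry entry is absent"))
            continue
        m = O23_RE.match(line)
        if m:
            path = _clean_path(m["path"])
            if m["owner"] == "Unknown owner" and not path.startswith(TRUSTED_SERVICE_DIRS):
                findings.append(Finding("O23", "suspicious", m["name"],
                                        f"no publisher string and unusual location: {path}"))
                services_by_binary.setdefault(path, []).append(m["name"])
            continue
        m = O2_RE.match(line)
        if m:
            if _is_missing(m["path"]):
                findings.append(Finding("O2", "orphan", m["name"], "BHO registered but its file is gone"))
            elif _clean_path(m["path"]).endswith(".tmp"):
                findings.append(Finding("O2", "suspicious", m["name"],
                                        "BHO loaded from a .tmp file; legitimate add-ons do not ship that way"))
            continue
        m = O3_RE.match(line)
        if m and _is_missing(m["path"]):
            findings.append(Finding("O3", "orphan", m["name"], "toolbar registered but its file is gone"))
    # Several service names pointing at one unknown-owner binary is a persistence
    # pattern worth its own line (NTLOAD and NTSVCMGR both run ntsrv.exe).
    for path, names in services_by_binary.items():
        if len(names) > 1:
            findings.append(Finding("O23", "suspicious", ", ".join(names),
                                    f"one binary backs several services: {path}"))
    return findings


# Sample input: a subset of lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hpF6F2.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.level:<10}] {f.section:<3} {f.name}: {f.reason}")
```

Run against a full log, the orphan entries are safe clean-up and the suspicious ones are what to research before touching them; the rules are deliberately narrow, so a clean pass is not proof of a clean machine.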

#6 vplehtinen

vplehtinen
  • Topic Starter

  • Members
  • 29 posts

Posted 12 November 2005 - 02:38 PM

Right now, I'm defragging my harddrives.
A while ago I did a full scan with registry mechanic and it cleaned some stuff. Should I update the above hijackthis log?

Anyway, I tried to start NTLOAD and NTSVCMGR. They both gave this message:

"The NTLOAD/NTSVCMGR service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service"

Hijackthis couldn't delete NTBOOT and it didn't pull up any information, it just said: "The service 'NTBOOT' is enabled and/or running. Disable it at first, using HiJackThis itself (from the scan results) or the Services.msc windows". And yes, I did stop NTBOOTMGR in services.msc.

EDIT: Oops, I noticed I had had Ad-Aware 6 personal and not Ad-Aware SE 1.06. But now that I have ad-aware se 1.06, should I run a full system scan? Because the above didn't quite work?

Edited by vplehtinen, 12 November 2005 - 02:54 PM.


#7 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 12 November 2005 - 03:15 PM

Okay, you can skip 1 and 2 if you are having problems.
Continue on with step 3 to 13. Make sure you follow them to the letter.
If you don't, you will never get totally clean.

I would stay away from Defrag and registry tools until you are clean.
Registry tools can cause damage when you are infected.

Post back after you have completed ALL of the steps.

Make sure you do not forget to include the logs that I have requested.
JC

#8 vplehtinen

vplehtinen
  • Topic Starter

  • Members
  • 29 posts

Posted 13 November 2005 - 08:03 AM

Hello again. I finally managed to complete all of the steps, including 1 and 2.

Here are the log files in this order:

1. hijackthis log from step 8
2. smitfiles.txt
3. Ewido Log
4. Panda scan report.
5. hijackthis log after the scans (taken a couple of minutes ago)

1. hijackthis log from step 8
Logfile of HijackThis v1.99.1
Scan saved at 12:37:26, on 13.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - blank (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm075
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099173209593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

2. smitfiles.txt
smitRem log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: su 13.11.2005
The current time is: 12:40:22,32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

3. Ewido Log
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:25:28, 13.11.2005
+ Report-Checksum: F665DEDA

+ Scan result:

:mozilla.20:C:\Documents and Settings\Nisse\Application Data\Mozilla\Firefox\Profiles\pj2xl5sh.ville\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Nisse\Application Data\Mozilla\Firefox\Profiles\pj2xl5sh.ville\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Nisse\Application Data\Mozilla\Firefox\Profiles\pj2xl5sh.ville\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Nisse\Application Data\Mozilla\Firefox\Profiles\pj2xl5sh.ville\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126570.dll -> Spyware.MediaBack : Cleaned with backup
C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126606.dll -> TrojanDownloader.Agent.yb : Cleaned with backup
:mozilla.14:C:\RECYCLED\NPROTECT\00207748.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\RECYCLED\NPROTECT\00207748.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\RECYCLED\NPROTECT\00207763.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\RECYCLED\NPROTECT\00207763.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:C:\RECYCLED\NPROTECT\00207766.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\RECYCLED\NPROTECT\00207766.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\RECYCLED\NPROTECT\00207822.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\RECYCLED\NPROTECT\00207842.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\RECYCLED\NPROTECT\00207843.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.8:C:\RECYCLED\NPROTECT\00207843.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.22:C:\RECYCLED\NPROTECT\00207843.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\RECYCLED\NPROTECT\00207844.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.8:C:\RECYCLED\NPROTECT\00207844.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.22:C:\RECYCLED\NPROTECT\00207844.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\RECYCLED\NPROTECT\00207845.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.15:C:\RECYCLED\NPROTECT\00207845.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\RECYCLED\NPROTECT\00207845.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.32:C:\RECYCLED\NPROTECT\00207845.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\RECYCLED\NPROTECT\00207847.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.15:C:\RECYCLED\NPROTECT\00207847.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.16:C:\RECYCLED\NPROTECT\00207847.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.32:C:\RECYCLED\NPROTECT\00207847.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\RECYCLED\NPROTECT\00207848.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.17:C:\RECYCLED\NPROTECT\00207848.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.18:C:\RECYCLED\NPROTECT\00207848.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.32:C:\RECYCLED\NPROTECT\00207848.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\RECYCLED\NPROTECT\00207849.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\RECYCLED\NPROTECT\00207849.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.20:C:\RECYCLED\NPROTECT\00207849.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.35:C:\RECYCLED\NPROTECT\00207849.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\RECYCLED\NPROTECT\00207850.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\RECYCLED\NPROTECT\00207850.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.20:C:\RECYCLED\NPROTECT\00207850.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.35:C:\RECYCLED\NPROTECT\00207850.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\RECYCLED\NPROTECT\00207852.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\RECYCLED\NPROTECT\00207852.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.20:C:\RECYCLED\NPROTECT\00207852.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.35:C:\RECYCLED\NPROTECT\00207852.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\RECYCLED\NPROTECT\00207853.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\RECYCLED\NPROTECT\00207853.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.20:C:\RECYCLED\NPROTECT\00207853.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.35:C:\RECYCLED\NPROTECT\00207853.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\RECYCLED\NPROTECT\00207855.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.21:C:\RECYCLED\NPROTECT\00207855.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\RECYCLED\NPROTECT\00207855.MOZ -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.38:C:\RECYCLED\NPROTECT\00207855.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
J:\RECYCLER\NPROTECT\00000000.EXE -> Spyware.Trymedia : Cleaned with backup
J:\RECYCLER\NPROTECT\00000001.ZIP/Keygen.exe -> TrojanDropper.Delf.gi : Cleaned with backup


::Report End

4. Panda scan report.
Incident Status Location

Hacktool:HackTool/Disilitra.B No disinfected C:\WINDOWS\system\DRIVER\ntsrv.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-25824f72-686213dd.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-25824f72-686213dd.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-25824f72-686213dd.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-25824f72-686213dd.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-141976d7.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-141976d7.zip[NewURLClassLoader.class]
Adware:Adware/CramToolbar No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP601\A0124988.dll
Dialer:Dialer.YC No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP602\A0126032.inf
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126423.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126424.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126425.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126426.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126427.exe
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126457.exe
Virus:Trj/Zerolin.B Renamed D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir
Virus:Trj/Zerolin.B Renamed D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir[~0001942.~]
Virus:Trj/Zerolin.B Renamed D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir[~0002012.~]
Possible Virus. No disinfected J:\Downloads\holywater_v.16a.zip[holywater.dll]
Possible Virus. No disinfected J:\Downloads\hw_v0.15.zip[holywater.dll]
Possible Virus. No disinfected J:\Downloads\q2advance_0.3.zip[q2advance.dll]

5. HijackThis log after the scans (taken a couple of minutes ago)
Logfile of HijackThis v1.99.1
Scan saved at 14:40:12, on 13.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Valve\Steam\Steam.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - blank (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm075
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099173209593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
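
Three reports with a few hundred hits between them look worse than they are once each hit is sorted by where the file sits. The Python below is an added example for this thread, not output of Ewido or Panda and not part of the post above: it parses report lines in the two formats quoted above and buckets each hit by container. Files in System Restore snapshots, the Norton quarantine, the NPROTECT recycle-bin copies, browser cookies and the Java deployment cache are stored copies that are not executed from where they sit and are cleared by purging the container; anything outside those buckets lands in "live" and is what actually needs attention. The container rules are this example's own assumptions; the sample lines are copied from the Ewido and Panda reports above.

```python
"""Sort scan-report hits by where the file sits, so copies held in backups,
quarantine and caches do not drown out the few that are actually live.

Added example for this thread: not output of Ewido or Panda and not part of
the original post.  The container rules are this example's own assumptions;
SAMPLE_LINES are copied from the two reports quoted above.
"""
import re
from collections import defaultdict

# Ewido line:  [:mozilla.N:]<path> -> <detection> : <action>
EWIDO_RE = re.compile(
    r"^(?::mozilla\.\d+:)?(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<status>.+)$")
# Panda line:  <detection> <status> <path>, status being one of three fixed phrases
PANDA_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<status>No disinfected|Disinfected|Renamed)\s+(?P<path>[A-Za-z]:\\.+)$")

# Places that hold a copy of the malware without running it.  A hit here is
# cleared by purging the container (flush System Restore, empty the quarantine
# and the NPROTECT bin, clear cookies and the Java cache); it is not evidence
# of a running infection.  First match wins.  Assumed for this example.
CONTAINERS = [
    ("system_restore",  re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("av_quarantine",   re.compile(r"\\Norton AntiVirus\\Quarantine\\", re.I)),
    ("nprotect_bin",    re.compile(r"\\RECYCLE[DR]\\NPROTECT\\", re.I)),
    ("browser_cookies", re.compile(r"\\cookies\.txt$", re.I)),
    ("java_cache",      re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("mail_store",      re.compile(r"\\Inbox\.vir", re.I)),
    ("downloads",       re.compile(r"\\Downloads\\", re.I)),
]


def classify_path(path):
    """Name the container a path belongs to, or 'live' if it is none of them."""
    for bucket, rx in CONTAINERS:
        if rx.search(path):
            return bucket
    return "live"


def parse_line(line):
    """Return (detection, status, path) for an Ewido or Panda line, else None."""
    line = line.strip()
    for rx in (EWIDO_RE, PANDA_RE):
        m = rx.match(line)
        if m:
            return m.group("name"), m.group("status"), m.group("path")
    return None


def triage(lines):
    """Bucket every parsable hit by container; non-report lines are ignored."""
    buckets = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            name, status, path = hit
            buckets[classify_path(path)].append((name, status, path))
    return dict(buckets)


def live_hits(lines):
    """Paths that sit outside every container: the ones to deal with first."""
    return [path for _, _, path in triage(lines).get("live", [])]


# Constructed sample: lines copied verbatim from the Ewido and Panda reports above.
SAMPLE_LINES = [
    r":mozilla.20:C:\Documents and Settings\Nisse\Application Data\Mozilla\Firefox\Profiles\pj2xl5sh.ville\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup",
    r"C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126606.dll -> TrojanDownloader.Agent.yb : Cleaned with backup",
    r":mozilla.14:C:\RECYCLED\NPROTECT\00207748.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup",
    r"J:\RECYCLER\NPROTECT\00000001.ZIP/Keygen.exe -> TrojanDropper.Delf.gi : Cleaned with backup",
    r"Hacktool:HackTool/Disilitra.B No disinfected C:\WINDOWS\system\DRIVER\ntsrv.exe",
    r"Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nisse\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-25824f72-686213dd.zip[Matrix.class]",
    r"Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126423.exe",
    r"Virus:Trj/Zerolin.B Renamed D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir",
    r"Possible Virus. No disinfected J:\Downloads\holywater_v.16a.zip[holywater.dll]",
]

if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_LINES).items()):
        print(f"{bucket:16} {len(hits)}")
    print("live:", live_hits(SAMPLE_LINES))
```

Run against the nine sample lines, only ntsrv.exe comes out as live; everything else is a stored copy that goes away when its container is purged, which is why a helper asks for System Restore to be flushed and the quarantine emptied rather than treating each of those lines as a separate infection.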

#9 Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 13 November 2005 - 12:32 PM

vplehtinen:
After reviewing your log I see a few items that require our attention. Please print out these instructions (or save them in Notepad) so that you can follow along more easily.

1. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - blank (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


2. Please enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button, and close My Computer.
  • Now your computer is configured to show all hidden files.
3. Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


4. Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system\DRIVER\ntsrv.exe <==file
J:\Downloads\holywater_v.16a.zip <==file
J:\Downloads\hw_v0.15.zip <==file
J:\Downloads\q2advance_0.3.zip <==file


Let me know if you had ANY problems deleting the files above.


5. Run CCleaner and click the Windows tab.
Select the following:
Posted Image
Next, click Options, then the Settings tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Then click Run Cleaner (bottom right), then Exit.

Reboot your computer.


6. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please reply to this post with a new HiJackThis log and the scan log from the Kaspersky scan.


Thanks,
JC

#10 vplehtinen

  • Topic Starter

  • Members
  • 29 posts

Posted 13 November 2005 - 04:07 PM

I completed all of the steps. Here's the whole Kaspersky scan report, and it's a long one. I'm just wondering how in the world these got onto my computer. I've found over 200 viruses on my computer in the last 2 days and I hadn't noticed anything before that.

1. Hijackthis Report
2. Kaspersky Report

1. Hijackthis Report
Logfile of HijackThis v1.99.1
Scan saved at 15:25:38, on 14.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
E:\Valve\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm075
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099173209593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

2. Kaspersky Report
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 13, 2005 23:03:30
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/11/2005
Kaspersky Anti-Virus database records: 159614
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 114200
Number of viruses found: 43
Number of infected objects: 353
Number of suspicious objects: 0
Duration of the scan process: 5358 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\1024\ld8C56.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ldE76.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ldB34E.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ld4A99.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ldE177.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ld77D8.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ld2094.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ldB58D.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ld71CB.tmp Infected: Trojan.Win32.StartPage.adh
C:\WINDOWS\system32\1024\ldA7D.tmp Infected: Trojan.Win32.StartPage.adh
C:\Program Files\Norton AntiVirus\Quarantine\4FAD18B7.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\4FAD18B7.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\4FAD18B7.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\4FAD18B7.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\0D61230A.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\0D61230A.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\0D61230A.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\0D61230A.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\55085234 Infected: Trojan-Downloader.JS.gen
C:\Program Files\Norton AntiVirus\Quarantine\398B5665 Infected: Email-Worm.Win32.Bagle.bo
C:\Program Files\Norton AntiVirus\Quarantine\55327405 Infected: Trojan-Downloader.JS.gen
C:\Program Files\Norton AntiVirus\Quarantine\125157D5.zip/BlackBox.class Infected: Exploit.Java.ByteVerify

Edited by vplehtinen, 14 November 2005 - 08:30 AM.


#11 Joshuacat

Posted 13 November 2005 - 05:24 PM

That log doesn't look complete. Can you please verify? If not, add in whatever is missing as another reply.
I also need another HijackThis log.

Did you have any problems with the file deletions?
JC

#12 Joshuacat

Posted 13 November 2005 - 09:36 PM

With my last post, I thought I would catch you before it was too late - I remembered that you are from Finland. I had a chance to review your Kaspersky On-line Scanner. Although it does not look complete, it looks like it picked up a lot of remnants from when you were infected a few days back, or at another time. If you look at the log, it shows a lot of items in your System points, or in Quarantine in Norton Antivirus. You could probably delete the items from Quarantine later, and I will get you to clear your system restore points after your logs come back clean. An infected restore point is better than no restore point at all. Since I want to move forward with this issue, let's get rid of the items that were uncovered that we need to get rid of. After the items have been deleted, I am going to get you to run an online scan with both Panda and TrendMicro. After you have completed all of the steps, let me know if things are working better now. If not, please describe your remaining symptoms.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1.) Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


2.) Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\1024\ld8C56.tmp <==file
C:\WINDOWS\system32\1024\ldE76.tmp <==file
C:\WINDOWS\system32\1024\ldB34E.tmp <==file
C:\WINDOWS\system32\1024\ld4A99.tmp <==file
C:\WINDOWS\system32\1024\ldE177.tmp <==file
C:\WINDOWS\system32\1024\ld77D8.tmp <==file
C:\WINDOWS\system32\1024\ld2094.tmp <==file
C:\WINDOWS\system32\1024\ldB58D.tmp <==file
C:\WINDOWS\system32\1024\ld71CB.tmp <==file
C:\WINDOWS\system32\1024\ldA7D.tmp <==file
C:\Program Files\video1\ <== folder


Let me know if you had ANY problems deleting any of these files/folder.


3.) Run CCleaner and click the Windows tab.
Select the following:
[screenshot of the settings to select, not preserved]
Next, click Options, then the Settings tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Then click Run Cleaner (bottom right), then Exit.

Reboot your computer.


4.) Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan <====save the scan log and add it to your reply

Reboot your computer after the scans.

Please reply to this post with a new HiJackThis log and the scan log from the Panda Active Scan.
JC
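To sort a report like this the way JC describes above (hits already contained in Norton's Quarantine or in restore points versus hits on live files that need action now), here is a small triage script added as an example; it is not part of the thread or of the scanner, and the sample lines are constructed placeholders in the report's line format.

```python
"""Triage helper for a scan report in the format posted in this thread.

Each hit line reads  <path> Infected: <detection>.  Archive members appear as
archive.zip/Member.class and e-mail stores as Inbox.vir/[From ...]/..., so the
on-disk file an entry lives in is everything before the first "/".
"""
import re
from collections import Counter

# Constructed sample lines in the report's format; they are not the log from
# the thread, and the file names and GUID are placeholders.
SAMPLE_REPORT = r"""
C:\Program Files\Norton AntiVirus\Quarantine\0AB12CD3.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\0AB12CD3.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\0AB12CD3.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP601\A0000001.exe Infected: Trojan.Win32.StartPage.adh
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614
C:\Program Files\video1\dialers\example\example.exe Infected: not-a-virus:Dialer.Win32.gen
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.StartPage.adh
D:\Mail\Inbox.vir/[From "Someone" <x@example.invalid>][Date Fri, 03 Sep 2004 23:59:05 -0200]/html Infected: Trojan-Downloader.JS.gen
Scan process completed.
"""

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")


def classify(path: str) -> str:
    """Where the hit lives: already contained, or on a live, reachable file."""
    p = path.lower()
    if "\\norton antivirus\\quarantine\\" in p:
        return "quarantine"      # already isolated by Norton; purge later
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # only revived if that restore point is used
    if "/[from " in p:
        return "mail_store"      # an infected message inside a mailbox file
    return "live"                # reachable file: needs action now


def parse_report(text: str) -> list:
    """Turn hit lines into dicts; progress/status lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        hits.append({
            "path": path,
            "container": path.split("/", 1)[0],       # the on-disk file
            "name": name,
            "location": classify(path),
            # "not-a-virus:" marks potentially unwanted software, not malware
            "pua": name.startswith("not-a-virus:"),
        })
    return hits


def triage(text: str) -> dict:
    """Summarise hits per location and list the live files to deal with."""
    hits = parse_report(text)
    files = {}
    for h in hits:
        files.setdefault(h["location"], set()).add(h["container"])
    return {
        "entries_by_location": Counter(h["location"] for h in hits),
        "files_by_location": {k: len(v) for k, v in files.items()},
        "by_name": Counter(h["name"] for h in hits),
        "action_required": sorted({h["container"] for h in hits
                                   if h["location"] == "live" and not h["pua"]}),
        "review_pua": sorted({h["container"] for h in hits
                              if h["location"] == "live" and h["pua"]}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```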

#13 vplehtinen

Posted 14 November 2005 - 08:21 AM

joshuacat wrote:
"With my last post, I thought I would catch you before it was too late - I remembered that you are from Finland. I had a chance to review your Kaspersky On-line Scanner. Although it does not look complete, it looks like it picked up a lot of remnants from when you were infected a few days back, or at another time. If you look at the log, it shows a lot of items in your System points, or in Quarantine in Norton Antivirus. You could probably delete the items from Quarantine later, and I will get you to clear your system restore points after your logs come back clean. An infected restore point is better than no restore point at all. Since I want to move forward with this issue, let's get rid of the items that were uncovered that we need to get rid of. After the items have been deleted, I am going to get you to run an online scan with both Panda and TrendMicro. After you have completed all of the steps, let me know if things are working better now. If not, please describe your remaining symptoms."

You're right. I hadn't noticed that I didn't copy all of the Kaspersky scan report. I will now edit my last post so that it has the full Kaspersky scan report and a HijackThis report.

Also, I haven't had any kind of symptoms after I managed to remove the SpyAxe issue. But as you can see from the logs, everything's still not right.

PS. I didn't have any problems with the file deletions.

EDIT: OK, it seems like I'm not allowed to post something as long as a full Kaspersky scan report. So I'll just post the messy end part here:

Kaspersky Scan (continues)

D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From Younger Skin Now <YoungerSkinNow.10160.306579@chazoola.com>][Date Wed, 6 Oct 2004 23:01:09 -0800]/UNNAMED/[From "Norton Special" <tkg@illusions.net>][Date Mon, 06 Sep 2004 21:32:28 00200]/html/[From "Chadwick Dale" <czllp@milmail.com>][Date Tue, 07 Sep 2004 07:47:22 +0100]/html Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From Younger Skin Now <YoungerSkinNow.10160.306579@chazoola.com>][Date Wed, 6 Oct 2004 23:01:09 -0800]/UNNAMED/[From "Norton Special" <tkg@illusions.net>][Date Mon, 06 Sep 2004 21:32:28 00200]/html Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From Younger Skin Now <YoungerSkinNow.10160.306579@chazoola.com>][Date Wed, 6 Oct 2004 23:01:09 -0800]/UNNAMED Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Matchmaker News" <kirkrushing@revolutionaryinternet.com>][Date Sat, 11 Sep 2004 05:52:59 -0800]/html/[From "Jeanne Mcmillan" <stiymgershluo@krovatka.net>][Date Sat, 11 Sep 2004 12:46:49 -0500]/UNNAMED/[ ... /[From "Ronald Freeman" <ydoltzzmcyu@chinaice.com>][Date Sat, 11 Sep 2004 19:01:01 -060 ... /html Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Matchmaker News" <kirkrushing@revolutionaryinternet.com>][Date Sat, 11 Sep 2004 05:52:59 -0800]/html/[From "Jeanne Mcmillan" <stiymgershluo@krovatka.net>][Date Sat, 11 Sep 2004 12:46:49 -0500]/UNNAMED/[ ... /[From "Ronald Freeman" <ydoltzzmcyu@chinaice.com>][Date Sat, 11 Sep 2004 19:01:01 -0600]/UNNAMED Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Matchmaker News" <kirkrushing@revolutionaryinternet.com>][Date Sat, 11 Sep 2004 05:52:59 -0800]/html/[From "Jeanne Mcmillan" <stiymgershluo@krovatka.net>][Date Sat, 11 Sep 2004 12:46:49 -0500]/UNNAMED/[F ... /[From "Sandy Carney" <sandy_carney_aa@sjoki.uta.fi>][Date Sat, 11 Sep 2004 15:18:20 -0400]/text Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Matchmaker News" <kirkrushing@revolutionaryinternet.com>][Date Sat, 11 Sep 2004 05:52:59 -0800]/html/[From "Jeanne Mcmillan" <stiymgershluo@krovatka.net>][Date Sat, 11 Sep 2004 12:46:49 -0500]/UNNAMED/[From Christian Mortgage USA <9483.3460971@axpit.com>][Date Sat, 11 Sep 2004 11:17:51 -0800]/UNNAMED Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Matchmaker News" <kirkrushing@revolutionaryinternet.com>][Date Sat, 11 Sep 2004 05:52:59 -0800]/html/[From "Jeanne Mcmillan" <stiymgershluo@krovatka.net>][Date Sat, 11 Sep 2004 12:46:49 -0500]/UNNAMED Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Matchmaker News" <kirkrushing@revolutionaryinternet.com>][Date Sat, 11 Sep 2004 05:52:59 -0800]/html Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED/[From ... /[Fro ... /[From Harold Healy <Felixopjpo@eudoramail.com>][Date Wed, 15 Sep 2004 18:43:42 +0500 (CST)]/html Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED/[From ... /[From "Simple Solutions" <demetriusmichel@instructivenews.com>][Date Wed, 15 Sep 2004 05:43:27 -0800]/html Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED/[From "Dusty Gomes . ... /[From "Alana Kendrick" <yezvajiq@lineone.net>][Date Wed, 15 Sep 2004 14:16:52 +0100]/UNNAMED Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED/[From "Dusty Gomes ... /[From "Trinidad Platt" <%FROM_USER@c3ntris.com>][Date Wed, 15 Sep 2004 07:49:27 -0100]/UNNAMED Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED/[From "Dusty Gomes ... /[From "Incentive Program" <fabianshay@vettime.com>][Date Wed, 15 Sep 2004 01:02:31 -0800]/html Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED/[From "Dusty Gomes" <gxgtnsjtat@bosnianmail.com>][Date Wed, 15 Sep 2004 08:22:07 +0300 (EEST)]/UNNAMED Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED/[From "Shana Carmichael" <qvtysslgjdg@snail-mail.com>][Date Tue, 14 Sep 2004 18:08:51 -0600]/UNNAMED Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Lorie Queen" <KQTGDMDYFYTAAG@msn.com>][Date Tue, 14 Sep 2004 16:08:47 -0400]/UNNAMED Infected: Trojan-Dropper.VBS.Zerolin
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Rami ... /[From "Gifts for you" <teodorostine@confidentialnews.com>][Date Sat, 25 Sep 2004 04:41:14 -0800]/html Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez ... /[From "Marguerite Shaw" <oafndocwxzltuy@online.no>][Date Sat, 25 Sep 2004 05:41:45 -0500]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez . ... /[From "TV Upgrade" <rosspittman@highestinternet.com>][Date Sat, 25 Sep 2004 01:55:47 -0800]/html Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez ... /[Fro ... /[From "Mickey Gallegos" <eolsi@yahoo.com>][Date Sat, 25 Sep 2004 02:11:26 -0700]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez ... /[From Marlon Fitch <uzdfiedpojtwk@cgocable.com>][Date Sat, 25 Sep 2004 12:43:38 +0500 EST]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjx ... /[From Celina Adair <uwbdaa@level3.net>][Date Sat, 25 Sep 2004 05:37:15 +0200 EST]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjx ... /[From "Hot Stuff" <uaommntfhb@huhmail.com>][Date Sat, 25 Sep 2004 06:30:24 +0400]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjxe ... /[From "Lupe Pugh"<ZAnna@wound2snowed.com>][Date Fri, 24 Sep 2004 18:35:45 -0800]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" < ... ... /[From "Efrain Belll" <Mcknighthxn@csucs.hu>][Date Sun, 26 Sep 2004 08:10:55 +060 ... /html Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" < ... ... /[From "Efrain Belll" <Mcknighthxn@csucs.hu>][Date Sun, 26 Sep 2004 08:10:55 +0600]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" < ... /[From rick sarver <rick.sarver@veloxzone.com.br>][Date Sun, 26 Sep 2004 10:22:56 -0500]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjxea .. ... /[From "Rob Reese" <APGSE@hotmail.com>][Date Sun, 26 Sep 2004 01:37:09 +0100]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjxea ... / ... /[From "Kris Moss" <kris_mossrb@ur.se>][Date Thu, 23 Sep 2004 06:34:13 +0200]/text Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjxea ... /[From "Patrick Bell" <bell_fc@siswo.uva.nl>][Date Thu, 23 Sep 2004 03:40:40 +0200]/text Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text/[From "Jean Ramirez" <Linkjxeaqqsk@abbot2927biz.com>][Date Wed, 22 Sep 2004 22:54:01 +0100]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text/[From "Cara Schmitt" <c.schmittes@cardiacarrest.co.uk>][Date Wed, 22 Sep 2004 13:16:19 +0200]/text Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Erma Kennedy" <e_kennedyka@cc.jyu.fi>][Date Wed, 22 Sep 2004 15:24:52 +0200]/text Infected: Exploit.HTML.Iframe.FileDownload
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Your iPod" <patrickcomer@nduph.bettertake.net>][Date Mon, 07 Mar 2005 09:27:37 -0800]/html/[From "OEM4U" <athlai@myfreeshops.com>][Date Tue, 08 Mar 2005 16:27:31 +0300]/UNNAMED/[From "Lacy Ball" <jgevpu@dartmail ... /[From "newby" <stedman@roadtrip.every1.net>][Date Mon, 07 Mar 2005 17:32:47 -0700]/text Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Your iPod" <patrickcomer@nduph.bettertake.net>][Date Mon, 07 Mar 2005 09:27:37 -0800]/html/[From "OEM4U" <athlai@myfreeshops.com>][Date Tue, 08 Mar 2005 16:27:31 +0300]/UNNAMED/[From "Lacy Ball" <jgevpu@dartmail ... /[From "newby" <stedman@roadtrip.every1.net>][Date Mon, 07 Mar 2005 17:32:47 -0700]/html Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Your iPod" <patrickcomer@nduph.bettertake.net>][Date Mon, 07 Mar 2005 09:27:37 -0800]/html/[From "OEM4U" <athlai@myfreeshops.com>][Date Tue, 08 Mar 2005 16:27:31 +0300]/UNNAMED/[From "Lacy Ball" <jgevpu@dartmail.net>][Date Tue, 08 Mar 2005 02:34:46 +0100]/UNNAMED Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Your iPod" <patrickcomer@nduph.bettertake.net>][Date Mon, 07 Mar 2005 09:27:37 -0800]/html/[From "OEM4U" <athlai@myfreeshops.com>][Date Tue, 08 Mar 2005 16:27:31 +0300]/UNNAMED Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED/[From "Your iPod" <patrickcomer@nduph.bettertake.net>][Date Mon, 07 Mar 2005 09:27:37 -0800]/html Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED/[From "Emmanuel " <hcdqukixszgdz@uni.de>][Date Sun, 05 Sep 2004 06:04:58 +0200]/UNNAMED Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir/[From "Richard Sampson" <ctpbmwtm@smartvia.de>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED Infected: Exploit.HTML.ObjData
D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir Infected: Exploit.HTML.ObjData
D:\ohjelmat\NotarsIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614
D:\ohjelmat\NotarsIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612
D:\ohjelmat\Test mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
J:\Downloads\ddr-1.1.exe/stream/data0005/data0002 Infected: Trojan-Clicker.Win32.VB.gs
J:\Downloads\ddr-1.1.exe/stream/data0005/data0003 Infected: not-a-virus:AdWare.Win32.MediaBack.a
J:\Downloads\ddr-1.1.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.MediaBack.a
J:\Downloads\ddr-1.1.exe/stream Infected: not-a-virus:AdWare.Win32.MediaBack.a
J:\Downloads\ddr-1.1.exe Infected: not-a-virus:AdWare.Win32.MediaBack.a
J:\Setup Programs\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202
J:\Setup Programs\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202
J:\Setup Programs\DivXPro511Adware.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
J:\Setup Programs\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614
J:\Setup Programs\mirc614.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614
J:\Setup Programs\VideoCodec3_05b.exe Infected: Trojan.Win32.StartPage.adh
J:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP602\A0125014.exe/SERVUDAEMON.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.61
J:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP602\A0125014.exe/SERVUTRAY.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.5201
J:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP602\A0125014.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.5201
J:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP611\A0127153.EXE Infected: not-a-virus:AdWare.Win32.Trymedia.a

Scan process completed.

Edited by vplehtinen, 14 November 2005 - 08:32 AM.
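Added example (not code from the thread, BleepingComputer or Kaspersky): a small Python triage script for report lines in the format of the Kaspersky log above. It separates Kaspersky's "not-a-virus" riskware from real detections and buckets each hit by where it lives (restore point, mail store, archive member, plain file), which is the distinction the helper draws when reviewing the log. The sample lines are constructed from this thread's report format with shortened paths and a placeholder restore-point GUID.

```python
# Triage helper for Kaspersky On-line Scanner report lines of the form
#   <object path> Infected: <detection name>
# Nested objects are printed as <on-disk file>/<inner object>/..., so the
# text before the first '/' is the file that actually has to be dealt with.
# Added example, not the scanner's own code or the thread's.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")


@dataclass(frozen=True)
class Detection:
    path: str        # full object path exactly as the scanner printed it
    container: str   # on-disk file holding the object (text before the first '/')
    name: str        # detection name, e.g. Trojan-Downloader.JS.gen
    riskware: bool   # Kaspersky's 'not-a-virus:' prefix: legitimate tools, adware
    category: str    # location bucket from classify()


def classify(container: str, path: str) -> str:
    """Coarse location bucket; each bucket gets different clean-up advice."""
    low = container.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"    # copy inside a System Restore snapshot
    if low.endswith(".vir") or "[from " in path.lower():
        return "mail-store"       # quarantined mailbox / e-mail attachment
    if "/" in path:
        return "archive-member"   # object packed inside an installer or archive
    return "file"                 # a plain file on disk


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a report line, or None for any other text."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    path, name = m.group("path"), m.group("name")
    container = path.split("/", 1)[0]
    return Detection(path, container, name,
                     name.startswith("not-a-virus:"), classify(container, path))


def parse_report(text: str) -> List[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def summarize(dets: List[Detection]) -> Tuple[Dict[Tuple[str, bool], int], List[str]]:
    """Counts per (category, riskware) plus the on-disk files that need real
    attention: non-riskware hits outside restore points (restore points are
    handled separately by clearing them once the system is clean)."""
    by_cat = Counter((d.category, d.riskware) for d in dets)
    attention = sorted({d.container for d in dets
                        if not d.riskware and d.category != "restore-point"})
    return dict(by_cat), attention


# Constructed sample in the report's format (shortened paths based on this
# thread's log; the restore-point GUID is a placeholder).
SAMPLE = r"""
D:\DixPoint\Mailit\Inbox.vir/[From "A" <a@example.invalid>][Date Fri, 03 Sep 2004 23:59:05 -0200]/UNNAMED Infected: Trojan-Downloader.JS.gen
D:\DixPoint\Mailit\Inbox.vir Infected: Exploit.HTML.ObjData
D:\ohjelmat\NotarsIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614
J:\Downloads\ddr-1.1.exe/stream/data0005/data0002 Infected: Trojan-Clicker.Win32.VB.gs
J:\Downloads\ddr-1.1.exe Infected: not-a-virus:AdWare.Win32.MediaBack.a
J:\Setup Programs\VideoCodec3_05b.exe Infected: Trojan.Win32.StartPage.adh
J:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP602\A0125014.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.5201
Scan process completed.
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE)
    counts, files = summarize(found)
    for (cat, risk), n in sorted(counts.items()):
        print(f"{cat:15s} {'riskware' if risk else 'malware ':8s} {n}")
    print("files needing attention:", *files, sep="\n  ")
```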


#14 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:39 AM

Posted 14 November 2005 - 08:42 AM

Okay thanks. Complete the steps that I wrote in my last post, and we will move on after that has been completed.

Thanks.
JC

#15 vplehtinen

vplehtinen
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 14 November 2005 - 12:43 PM

Done. No problems with deleting the files.

1. Panda scan report
2. HijackThis log

1. Panda scan report

Incident | Status | Location
Adware:adware/spyaxe | No disinfected | C:\WINDOWS\system32\svchosts.dll
Dialer:Dialer.YC | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP602\A0126032.inf
Adware:Adware/SecurityError | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126424.exe
Adware:Adware/SecurityError | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126425.exe
Adware:Adware/SecurityError | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126426.exe
Adware:Adware/SecurityError | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126427.exe
Adware:Adware/SecurityError | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP609\A0126457.exe
Hacktool:HackTool/Disilitra.B | No disinfected | C:\System Volume Information\_restore{5CB412B0-6DCF-4C7D-AD79-C648C7F6754D}\RP611\A0127210.exe
Virus:Trj/Zerolin.B | Renamed | D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir
Virus:Trj/Zerolin.B | Renamed | D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir[~0001942.~]
Virus:Trj/Zerolin.B | Renamed | D:\DixPoint\Mailit\tapio\4ohsr5hs.slt\tapio\fvm5d4g6.slt\Mail\mail.kolumubus.fi\Inbox.vir[~0002012.~]

2. HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 19:37:15, on 14.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Valve\Steam\Steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099173209593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
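
The log above mixes three entry types that a responder reads differently: O4 autoruns (per-machine HKLM vs per-user HKCU), O16 ActiveX packages that Internet Explorer downloaded from a URL, and O23 services with the vendor string HijackThis could read from the binary. The script below is an added example, not part of the original post and not HijackThis code; it parses lines in that shape and lists the items a helper would want to check by hand. The sample lines are copied from the log (only entries whose URL was not truncated), the "trusted hosts" set and the flagging rules are assumptions for illustration, and a flagged item is a review item, not a malware verdict.

```python
"""Parse HijackThis O4 / O16 / O23 entries and list items worth a manual check.

Added example; not part of the forum post or of HijackThis itself.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines copied verbatim from the log above (constructed subset: only
# entries whose download URL was shown in full).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Steam] E:\Valve\Steam\\Steam.exe -silent
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""


@dataclass
class Entry:
    kind: str     # "O4", "O16" or "O23"
    name: str     # autorun value name, ActiveX class name, or service display name
    target: str   # command line, download URL, or service binary path
    detail: str   # registry hive (O4), CLSID (O16), or vendor string (O23)


# One regex per line type, following the column layout seen in the log.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<target>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$"),
}


def parse_log(text):
    """Return the O4/O16/O23 lines of a HijackThis log as Entry objects; other lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                g = match.groupdict()
                detail = g.get("hive") or g.get("clsid") or g.get("owner") or ""
                entries.append(Entry(kind, g["name"], g["target"], detail))
                break
    return entries


def triage(entries, trusted_hosts):
    """Apply three review heuristics (assumptions, not a verdict) and return (entry, reason) pairs."""
    findings = []
    for e in entries:
        if e.kind == "O23" and e.detail == "Unknown owner":
            findings.append((e, "service binary carries no vendor string; check its signature and origin"))
        elif e.kind == "O4" and e.detail == "HKCU":
            findings.append((e, "per-user autorun, writable without admin rights; confirm it is expected"))
        elif e.kind == "O16":
            host = urlparse(e.target).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append((e, f"ActiveX package downloaded from {host}, not a recognised vendor host"))
    return findings


if __name__ == "__main__":
    # Hosts the machine's owner recognises (assumed list for this example).
    known = {"creative.com", "pandasoftware.com", "aol.com"}
    for entry, reason in triage(parse_log(SAMPLE_LOG), known):
        print(f"{entry.kind:<4} {entry.name:<35} {reason}")
```

Run on the full log, the interesting output is the set of services with no vendor string and any O16 download host that does not belong to a vendor the owner actually installed; the helper still has to look up each flagged binary, since "Unknown owner" only means the file had no readable company name.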



