
First Use Of Hijack This


13 replies to this topic

#1 alfr4451

  • Members
  • 17 posts

Posted 11 December 2005 - 08:48 PM

I was infected today. Have run Spybot, Ad-Aware and Microsoft Anti-Spyware. Can't get rid of it. Keeps changing I.E. start page, pop up with every search and changed desktop (or covered it up with flashing screen). I need help. Here is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 8:44:40 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mfcqo32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winxt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {152069F2-AB84-3145-8DF8-9EFEAEE8D1AC} - C:\WINDOWS\sysuo.dll
O2 - BHO: Class - {5088C44A-658D-F170-739A-787878D30AA1} - C:\WINDOWS\system32\mfcnl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mfcqo32.exe] C:\WINDOWS\mfcqo32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [sysjd.exe] C:\WINDOWS\sysjd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run5.exe dummy
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk.disabled
O4 - Global Startup: Photo Loader supervisory.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.325 - http://69.41.173.118/ChatSpace/Java/cfs40325.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members10.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thermatrx.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - https://portal.brch.com/Security/aspencrypt...tranet,CT=java+
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winxt.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Appreciate your help
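As an added example (not code from this thread, from HijackThis or from BleepingComputer), a small parser that turns the R*/O* entry lines of a HijackThis log into records and applies the triage heuristics a helper applies by hand when reading a log like the one above: IE start/search entries redirected into a `res://` DLL resource, a missing URLSearchHook, a hosts-file localhost line that is not 127.0.0.1, a BHO registered with no name, Run entries launching straight from the Windows root, and unknown-owner services under C:\WINDOWS. The rules are this example's own assumptions for illustration, not a HijackThis feature; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry line: a section code (R0..R3, O1..O23), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return the R*/O* entry lines of a HijackThis log as Entry records.

    Header lines ("Logfile of HijackThis", "Running processes:") and the bare
    process list are skipped because they do not match the entry pattern.
    """
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to every entry a helper would single out; return only those.

    These rules are this example's own heuristics (assumption), written from what
    is visible in the posted log; they are not part of HijackThis itself.
    """
    for e in entries:
        b = e.body
        bl = b.lower()
        if e.code.startswith("R") and "res://" in bl:
            # IE start/search pages redirected into a local DLL resource
            # (sp.html inside a random-named system32 DLL, as in the log above).
            e.flags.append("IE search/start page points at a res:// DLL resource")
        if e.code == "R3" and "missing" in bl:
            e.flags.append("Default URLSearchHook has been removed")
        if e.code == "O1" and "127.0.0.1 localhost" not in bl:
            # The log above maps localhost to 127.0.0.0 instead of 127.0.0.1.
            e.flags.append("hosts file localhost entry altered")
        if e.code == "O2" and b.startswith("BHO: Class -"):
            # Legitimate BHOs carry a product name; a bare "Class" is a blank-name BHO.
            e.flags.append("BHO registered with no name")
        if e.code == "O4" and re.search(r"c:\\windows\\[a-z0-9]+\.exe$", bl):
            # Autostart pointing at an executable dropped directly into the Windows root.
            e.flags.append("Run entry launches an executable from the Windows root")
        if e.code == "O23" and re.search(r"- unknown owner - c:\\windows\\", bl):
            e.flags.append("Service with unknown owner running from the Windows tree")
    return [e for e in entries if e.flags]


def report(text: str) -> list:
    """Parse and triage a log; return (code, body, flags) tuples for flagged entries."""
    return [(e.code, e.body, e.flags) for e in triage(parse_hjt(text))]


# Sample input: a constructed subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pdiqz.dll/sp.html#77035
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {152069F2-AB84-3145-8DF8-9EFEAEE8D1AC} - C:\WINDOWS\sysuo.dll
O4 - HKLM\..\Run: [mfcqo32.exe] C:\WINDOWS\mfcqo32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winxt.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""


if __name__ == "__main__":
    for code, body, flags in report(SAMPLE_LOG):
        print(f"{code:4} {body}")
        for reason in flags:
            print(f"     -> {reason}")
```

Entries that match none of the rules (the Acrobat BHO, the Symantec ccApp Run entry, the Adobe LM service) are left out of the report, so the remaining list is what a helper would ask the poster to fix.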



#2 Guest_Cretemonster_*

  • Guests

Posted 14 December 2005 - 04:58 PM

Hi alfr4451 and Welcome to the Bleeping Computer!


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#3 alfr4451
  • Topic Starter

  • Members
  • 17 posts

Posted 15 December 2005 - 06:35 PM

Ran scan as you said -
Here is the webroot spy sweeper log and a new hijack this log.
Computer is running better.
No particular problems at this point.
Appreciate your response and help.
How do we stand now?

********
5:52 PM: | Start of Session, Thursday, December 15, 2005 |
5:52 PM: Spy Sweeper started
5:52 PM: Sweep initiated using definitions version 584
5:52 PM: Starting Memory Sweep
5:54 PM: Memory Sweep Complete, Elapsed Time: 00:01:48
5:54 PM: Starting Registry Sweep
5:54 PM: Found Adware: cws_ns3
5:54 PM: HKCR\clsid\{bf680029-9efc-9f01-f3c3-ecc0a8df53a1}\ (10 subtraces) (ID = 118928)
5:54 PM: HKLM\software\classes\clsid\{bf680029-9efc-9f01-f3c3-ecc0a8df53a1}\ (10 subtraces) (ID = 120765)
5:54 PM: Found Adware: isearch toolbar
5:54 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/version.txt\ (1 subtraces) (ID = 129037)
5:54 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\version.txt (ID = 129041)
5:54 PM: Registry Sweep Complete, Elapsed Time:00:00:13
5:55 PM: Starting Cookie Sweep
5:55 PM: Found Spy Cookie: 2o7.net cookie
5:55 PM: alan@112.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: 5 cookie
5:55 PM: alan@5[1].txt (ID = 1979)
5:55 PM: Found Spy Cookie: 64.62.232 cookie
5:55 PM: alan@64.62.232[1].txt (ID = 1987)
5:55 PM: alan@64.62.232[3].txt (ID = 1987)
5:55 PM: Found Spy Cookie: about cookie
5:55 PM: alan@about[2].txt (ID = 2037)
5:55 PM: Found Spy Cookie: reunion cookie
5:55 PM: alan@ad.reunion[2].txt (ID = 3256)
5:55 PM: Found Spy Cookie: yieldmanager cookie
5:55 PM: alan@ad.yieldmanager[2].txt (ID = 3751)
5:55 PM: Found Spy Cookie: adcycle cookie
5:55 PM: alan@adcycle[2].txt (ID = 4847)
5:55 PM: Found Spy Cookie: adecn cookie
5:55 PM: alan@adecn[1].txt (ID = 2063)
5:55 PM: Found Spy Cookie: adknowledge cookie
5:55 PM: alan@adknowledge[1].txt (ID = 2072)
5:55 PM: Found Spy Cookie: adlegend cookie
5:55 PM: alan@adlegend[1].txt (ID = 2074)
5:55 PM: Found Spy Cookie: specificclick.com cookie
5:55 PM: alan@adopt.specificclick[1].txt (ID = 3400)
5:55 PM: Found Spy Cookie: nextag cookie
5:55 PM: alan@adq.nextag[2].txt (ID = 5015)
5:55 PM: Found Spy Cookie: belointeractive cookie
5:55 PM: alan@ads.belointeractive[2].txt (ID = 2295)
5:55 PM: Found Spy Cookie: ads.businessweek cookie
5:55 PM: alan@ads.businessweek[1].txt (ID = 2113)
5:55 PM: Found Spy Cookie: pointroll cookie
5:55 PM: alan@ads.pointroll[2].txt (ID = 3148)
5:55 PM: Found Spy Cookie: adultrevenueservice cookie
5:55 PM: alan@adultrevenueservice[1].txt (ID = 2167)
5:55 PM: Found Spy Cookie: advertising cookie
5:55 PM: alan@advertising[2].txt (ID = 2175)
5:55 PM: Found Spy Cookie: freestats.net cookie
5:55 PM: alan@akbicycle.freestats[2].txt (ID = 2705)
5:55 PM: Found Spy Cookie: apmebf cookie
5:55 PM: alan@apmebf[2].txt (ID = 2229)
5:55 PM: Found Spy Cookie: aptimus cookie
5:55 PM: alan@aptimus[2].txt (ID = 2233)
5:55 PM: Found Spy Cookie: atlas dmt cookie
5:55 PM: alan@atdmt[1].txt (ID = 2253)
5:55 PM: Found Spy Cookie: atwola cookie
5:55 PM: alan@atwola[1].txt (ID = 2255)
5:55 PM: alan@belointeractive[1].txt (ID = 2294)
5:55 PM: Found Spy Cookie: bizrate cookie
5:55 PM: alan@bizrate[1].txt (ID = 2308)
5:55 PM: Found Spy Cookie: burstnet cookie
5:55 PM: alan@burstnet[2].txt (ID = 2336)
5:55 PM: Found Spy Cookie: enhance cookie
5:55 PM: alan@c.enhance[1].txt (ID = 2614)
5:55 PM: alan@cbs.112.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: ccbill cookie
5:55 PM: alan@ccbill[1].txt (ID = 2369)
5:55 PM: Found Spy Cookie: classmates cookie
5:55 PM: alan@classmates[2].txt (ID = 2384)
5:55 PM: alan@cnn.122.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: cnt cookie
5:55 PM: alan@cnt[3].txt (ID = 2422)
5:55 PM: Found Spy Cookie: contextuads cookie
5:55 PM: alan@contextuads[1].txt (ID = 2461)
5:55 PM: Found Spy Cookie: sextracker cookie
5:55 PM: alan@counter12.sextracker[1].txt (ID = 3362)
5:55 PM: alan@counter5.sextracker[1].txt (ID = 3362)
5:55 PM: Found Spy Cookie: counter cookie
5:55 PM: alan@counter[4].txt (ID = 2477)
5:55 PM: Found Spy Cookie: 360i cookie
5:55 PM: alan@ct.360i[2].txt (ID = 1962)
5:55 PM: Found Spy Cookie: customer cookie
5:55 PM: alan@customer[1].txt (ID = 2481)
5:55 PM: Found Spy Cookie: clickzs cookie
5:55 PM: alan@cz3.clickzs[1].txt (ID = 2413)
5:55 PM: alan@cz4.clickzs[1].txt (ID = 2413)
5:55 PM: alan@cz5.clickzs[2].txt (ID = 2413)
5:55 PM: alan@cz6.clickzs[2].txt (ID = 2413)
5:55 PM: alan@cz8.clickzs[1].txt (ID = 2413)
5:55 PM: alan@cz9.clickzs[2].txt (ID = 2413)
5:55 PM: Found Spy Cookie: coremetrics cookie
5:55 PM: alan@data.coremetrics[1].txt (ID = 2472)
5:55 PM: Found Spy Cookie: overture cookie
5:55 PM: alan@data3.perf.overture[2].txt (ID = 3106)
5:55 PM: alan@data4.perf.overture[2].txt (ID = 3106)
5:55 PM: Found Spy Cookie: dealtime cookie
5:55 PM: alan@dealtime[2].txt (ID = 2505)
5:55 PM: Found Spy Cookie: did-it cookie
5:55 PM: alan@did-it[1].txt (ID = 2523)
5:55 PM: Found Spy Cookie: go2net.com cookie
5:55 PM: alan@go2net[1].txt (ID = 2730)
5:55 PM: Found Spy Cookie: gostats cookie
5:55 PM: alan@gostats[1].txt (ID = 2747)
5:55 PM: alan@highbeam.122.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: howstuffworks cookie
5:55 PM: alan@home.howstuffworks[2].txt (ID = 2806)
5:55 PM: alan@homepage.belointeractive[1].txt (ID = 2295)
5:55 PM: Found Spy Cookie: homestore cookie
5:55 PM: alan@homestore[1].txt (ID = 2793)
5:55 PM: alan@howstuffworks[1].txt (ID = 2805)
5:55 PM: Found Spy Cookie: ic-live cookie
5:55 PM: alan@ic-live[1].txt (ID = 2821)
5:55 PM: Found Spy Cookie: infospace cookie
5:55 PM: alan@infospace[1].txt (ID = 2865)
5:55 PM: alan@iqtv.122.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: bns1 cookie
5:55 PM: alan@jcontent.bns1[1].txt (ID = 2319)
5:55 PM: Found Spy Cookie: kount cookie
5:55 PM: alan@kount[2].txt (ID = 2911)
5:55 PM: Found Spy Cookie: l2m.net cookie
5:55 PM: alan@l2m[1].txt (ID = 2913)
5:55 PM: Found Spy Cookie: techtarget cookie
5:55 PM: alan@labmice.techtarget[1].txt (ID = 3500)
5:55 PM: Found Spy Cookie: metareward.com cookie
5:55 PM: alan@metareward[2].txt (ID = 2990)
5:55 PM: alan@microsofteup.112.2o7[2].txt (ID = 1958)
5:55 PM: Found Spy Cookie: moviemonster cookie
5:55 PM: alan@moviemonster[2].txt (ID = 3010)
5:55 PM: Found Spy Cookie: mp3downloading cookie
5:55 PM: alan@mp3downloading[2].txt (ID = 3016)
5:55 PM: alan@network.aptimus[2].txt (ID = 2235)
5:55 PM: Found Spy Cookie: realmedia cookie
5:55 PM: alan@network.realmedia[2].txt (ID = 3236)
5:55 PM: alan@nextag[1].txt (ID = 5014)
5:55 PM: alan@northwestairlines.112.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: one-time-offer cookie
5:55 PM: alan@one-time-offer[2].txt (ID = 3095)
5:55 PM: Found Spy Cookie: outster cookie
5:55 PM: alan@outster[2].txt (ID = 3103)
5:55 PM: Found Spy Cookie: pricegrabber cookie
5:55 PM: alan@pcworld.pricegrabber[1].txt (ID = 3186)
5:55 PM: alan@pearlizumi.122.2o7[1].txt (ID = 1958)
5:55 PM: alan@powellsbooks.122.2o7[2].txt (ID = 1958)
5:55 PM: alan@pricegrabber[2].txt (ID = 3185)
5:55 PM: Found Spy Cookie: pub cookie
5:55 PM: alan@pub[2].txt (ID = 3205)
5:55 PM: alan@pub[3].txt (ID = 3205)
5:55 PM: Found Spy Cookie: rc cookie
5:55 PM: alan@rc[1].txt (ID = 3231)
5:55 PM: Found Spy Cookie: rednova cookie
5:55 PM: alan@rednova[2].txt (ID = 3245)
5:55 PM: alan@reunion[2].txt (ID = 3255)
5:55 PM: Found Spy Cookie: tvguide cookie
5:55 PM: alan@rsi.tvguide[1].txt (ID = 3600)
5:55 PM: alan@sdc.tvguide[1].txt (ID = 3600)
5:55 PM: Found Spy Cookie: search123 cookie
5:55 PM: alan@search123[1].txt (ID = 3305)
5:55 PM: alan@searchwindowssecurity.techtarget[2].txt (ID = 3500)
5:55 PM: Found Spy Cookie: server.iad.liveperson cookie
5:55 PM: alan@server.iad.liveperson[1].txt (ID = 3341)
5:55 PM: Found Spy Cookie: web-stat cookie
5:55 PM: alan@server3.web-stat[2].txt (ID = 3649)
5:55 PM: Found Spy Cookie: servlet cookie
5:55 PM: alan@servlet[2].txt (ID = 3345)
5:55 PM: alan@servlet[3].txt (ID = 3345)
5:55 PM: alan@servlet[4].txt (ID = 3345)
5:55 PM: alan@sextracker[2].txt (ID = 3361)
5:55 PM: Found Spy Cookie: stamps.com cookie
5:55 PM: alan@stamps[2].txt (ID = 3437)
5:55 PM: Found Spy Cookie: starware.com cookie
5:55 PM: alan@starware[2].txt (ID = 3441)
5:55 PM: alan@stat.dealtime[2].txt (ID = 2506)
5:55 PM: Found Spy Cookie: clicktracks cookie
5:55 PM: alan@stats.clicktracks[1].txt (ID = 2407)
5:55 PM: Found Spy Cookie: promaxtraffic cookie
5:55 PM: alan@tds.promaxtraffic[1].txt (ID = 3200)
5:55 PM: alan@te.belointeractive[1].txt (ID = 2295)
5:55 PM: alan@techbargains.pricegrabber[1].txt (ID = 3186)
5:55 PM: Found Spy Cookie: toplist cookie
5:55 PM: alan@toplist[1].txt (ID = 3557)
5:55 PM: Found Spy Cookie: cashpartner cookie
5:55 PM: alan@tracking.cashpartner[1].txt (ID = 2357)
5:55 PM: Found Spy Cookie: tracking cookie
5:55 PM: alan@tracking[1].txt (ID = 3571)
5:55 PM: alan@tracking[3].txt (ID = 3571)
5:55 PM: Found Spy Cookie: trb.com cookie
5:55 PM: alan@trb[1].txt (ID = 3587)
5:55 PM: Found Spy Cookie: tribalfusion cookie
5:55 PM: alan@tribalfusion[1].txt (ID = 3589)
5:55 PM: alan@tvguide[2].txt (ID = 3599)
5:55 PM: Found Spy Cookie: upspiral cookie
5:55 PM: alan@upspiral[2].txt (ID = 3614)
5:55 PM: alan@usnews.122.2o7[1].txt (ID = 1958)
5:55 PM: Found Spy Cookie: touchclarity cookie
5:55 PM: alan@webtracking.touchclarity[1].txt (ID = 3566)
5:55 PM: alan@whatis.techtarget[2].txt (ID = 3500)
5:55 PM: Found Spy Cookie: aa cookie
5:55 PM: alan@www.aa[2].txt (ID = 2030)
5:55 PM: Found Spy Cookie: brazilwelcomesyou cookie
5:55 PM: alan@www.brazilwelcomesyou[1].txt (ID = 2325)
5:55 PM: Found Spy Cookie: catlist cookie
5:55 PM: alan@www.catlist[2].txt (ID = 2365)
5:55 PM: Found Spy Cookie: myaffiliateprogram.com cookie
5:55 PM: alan@www.myaffiliateprogram[2].txt (ID = 3032)
5:55 PM: alan@www.rednova[1].txt (ID = 3246)
5:55 PM: alan@www.reunion[1].txt (ID = 3256)
5:55 PM: Found Spy Cookie: screensavers.com cookie
5:55 PM: alan@www.screensavers[1].txt (ID = 3298)
5:55 PM: Found Spy Cookie: spectorsoft cookie
5:55 PM: alan@www.spectorsoft[2].txt (ID = 3404)
5:55 PM: alan@www.stamps[1].txt (ID = 3438)
5:55 PM: Found Spy Cookie: tshirthell cookie
5:55 PM: alan@www.tshirthell[2].txt (ID = 3596)
5:55 PM: alan@www.upspiral[2].txt (ID = 3615)
5:55 PM: Found Spy Cookie: seeq cookie
5:55 PM: alan@www48.seeq[1].txt (ID = 3332)
5:55 PM: Found Spy Cookie: xiti cookie
5:55 PM: alan@xiti[1].txt (ID = 3717)
5:55 PM: Found Spy Cookie: xren_cj cookie
5:55 PM: alan@xren_cj[1].txt (ID = 3723)
5:55 PM: Found Spy Cookie: yadro cookie
5:55 PM: alan@yadro[2].txt (ID = 3743)
5:55 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
5:55 PM: Starting File Sweep
5:55 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
5:55 PM: btnetw3.exe (ID = 197346)
5:55 PM: Found Adware: cws_tiny0
5:55 PM: soap bubbles.bmp:qldqok (ID = 205)
5:55 PM: kb873376.log:jggrt (ID = 200)
5:55 PM: addpt.exe (ID = 204)
5:55 PM: kb885836.log:zluepr (ID = 200)
5:56 PM: winnt.bmp:uxyid (ID = 200)
5:56 PM: setuperr.log:xewscx (ID = 204)
5:56 PM: cruv.exe (ID = 204)
5:56 PM: Found Adware: safesurf
5:56 PM: a0000053.dll (ID = 187012)
5:56 PM: a0000059.dll (ID = 187012)
5:56 PM: a0000054.exe (ID = 187013)
5:56 PM: a0000056.exe (ID = 187013)
5:56 PM: shortcut to explorer.lnk:sydpyr (ID = 204)
5:57 PM: kb901214.log:teplcy (ID = 205)
5:57 PM: Found Adware: coolwebsearch (cws)
5:57 PM: kb894391.log:yhlael (ID = 190732)
5:58 PM: 00238448.exe (ID = 200)
5:59 PM: a0000052.exe (ID = 187011)
5:59 PM: a0000058.exe (ID = 187011)
5:59 PM: symevent.log:jmvvqv (ID = 204)
5:59 PM: mswy32.exe (ID = 204)
6:01 PM: Found Adware: ezula ilookup
6:01 PM: a0000062.dll (ID = 166574)
6:03 PM: winxt.exe (ID = 204)
6:04 PM: kb883939.log:gkbznp (ID = 204)
6:04 PM: a0000051.exe (ID = 187013)
6:06 PM: ipli32.exe (ID = 204)
6:08 PM: trafficsector_installerv5a[1].exe (ID = 198350)
6:10 PM: kb890047.log:kggtkv (ID = 190732)
6:11 PM: sysuo.exe (ID = 204)
6:11 PM: mfcnl.exe (ID = 204)
6:11 PM: Found Adware: spysheriff
6:11 PM: 00237754.avd (ID = 190097)
6:12 PM: Found System Monitor: beyond keylogger
6:12 PM: tips (ID = 123199)
6:13 PM: setupapi.log:zgsjdo (ID = 205)
6:15 PM: winlf32.exe (ID = 204)
6:15 PM: a0000067.exe (ID = 188569)
6:15 PM: Found Adware: pc adprotector desktop hijacker
6:15 PM: aa1bbfc4-c415-4737-99f3-d8b47e (ID = 162680)
6:15 PM: 00238447.dll (ID = 205)
6:15 PM: 00238449.dll (ID = 205)
6:17 PM: 00238268.dll (ID = 205)
6:17 PM: Found System Monitor: elite keylogger
6:17 PM: ek_setup.exe (ID = 154584)
6:19 PM: schedlgu.txt:oehzh (ID = 205)
6:19 PM: Found System Monitor: xpc spy pro
6:19 PM: xpcspyp.exe (ID = 198322)
6:19 PM: Found System Monitor: stealth keylogger
6:19 PM: stealthkeylogger.exe (ID = 163830)
6:19 PM: Found System Monitor: handy keylogger
6:19 PM: hk_setup.exe (ID = 159644)
6:20 PM: trafficsector_b2search.exe (ID = 198397)
6:20 PM: trafficsector_installerv5a.exe (ID = 198350)
6:20 PM: Found Adware: relytec software
6:20 PM: a0000066.exe (ID = 123202)
6:21 PM: mstrx32.dll (ID = 129737)
6:22 PM: dc937.url (ID = 54454)
6:22 PM: dc936.url (ID = 54373)
6:22 PM: dc938.url (ID = 54472)
6:22 PM: credit counseling.url (ID = 130668)
6:22 PM: insurance home.url (ID = 130676)
6:22 PM: mortgage life insurance.url (ID = 130681)
6:22 PM: help desk software.url (ID = 130675)
6:22 PM: ab scissor.url (ID = 130666)
6:22 PM: videos.url (ID = 130694)
6:22 PM: what is hydrocodone.url (ID = 130695)
6:22 PM: online gambling casino.url (ID = 130684)
6:22 PM: refinancing my mortgage.url (ID = 130691)
6:22 PM: debt credit card.url (ID = 130671)
6:22 PM: fha.url (ID = 130673)
6:22 PM: loan for debt consolidation.url (ID = 130677)
6:22 PM: health insurance.url (ID = 130674)
6:22 PM: personal loans online.url (ID = 130688)
6:22 PM: payroll advance.url (ID = 130687)
6:22 PM: marketing email.url (ID = 130679)
6:22 PM: prescription drugs rx online.url (ID = 130690)
6:22 PM: credit report.url (ID = 130669)
6:22 PM: tahoe vacation rental.url (ID = 130692)
6:22 PM: escorts.url (ID = 130672)
6:22 PM: order phentermine.url (ID = 130686)
6:22 PM: mortgage insurance.url (ID = 130680)
6:22 PM: personal loans with bad credit.url (ID = 130689)
6:22 PM: crm software.url (ID = 130670)
6:22 PM: nevada corporations.url (ID = 130682)
6:22 PM: unsecured bad credit loans.url (ID = 130693)
6:22 PM: loan for people with bad credit.url (ID = 130678)
6:22 PM: broadband comparison.url (ID = 130667)
6:22 PM: online betting site.url (ID = 130683)
6:22 PM: online instant loan.url (ID = 130685)
6:22 PM: 00237544.url (ID = 54454)
6:22 PM: 00237547.url (ID = 54373)
6:22 PM: 00237541.url (ID = 54472)
6:22 PM: 00237633.url (ID = 130668)
6:22 PM: 00237608.url (ID = 130676)
6:22 PM: 00237593.url (ID = 130681)
6:22 PM: 00237611.url (ID = 130675)
6:22 PM: 00237639.url (ID = 130666)
6:22 PM: 00237553.url (ID = 130694)
6:22 PM: 00237550.url (ID = 130695)
6:22 PM: 00237584.url (ID = 130684)
6:22 PM: 00237562.url (ID = 130691)
6:22 PM: 00237623.url (ID = 130671)
6:22 PM: 00237617.url (ID = 130673)
6:22 PM: 00237605.url (ID = 130677)
6:22 PM: 00237614.url (ID = 130674)
6:22 PM: 00237572.url (ID = 130688)
6:22 PM: 00237575.url (ID = 130687)
6:22 PM: 00237599.url (ID = 130679)
6:22 PM: 00237566.url (ID = 130690)
6:22 PM: 00237630.url (ID = 130669)
6:23 PM: 00237559.url (ID = 130692)
6:23 PM: 00237620.url (ID = 130672)
6:23 PM: 00237578.url (ID = 130686)
6:23 PM: 00237596.url (ID = 130680)
6:23 PM: 00237569.url (ID = 130689)
6:23 PM: 00237627.url (ID = 130670)
6:23 PM: 00237590.url (ID = 130682)
6:23 PM: 00237556.url (ID = 130693)
6:23 PM: 00237602.url (ID = 130678)
6:23 PM: 00237636.url (ID = 130667)
6:23 PM: 00237587.url (ID = 130683)
6:23 PM: 00237581.url (ID = 130685)
6:23 PM: home.url (ID = 51143)
6:23 PM: purchase.url (ID = 51146)
6:25 PM: Found System Monitor: home keylogger
6:25 PM: dc583.zip (ID = 62184)
6:25 PM: Warning: Unhandled Archive Type
6:25 PM: Warning: Unhandled Archive Type
6:25 PM: Warning: Unhandled Archive Type
6:25 PM: Warning: Unhandled Archive Type
6:25 PM: Warning: Unhandled Archive Type
6:25 PM: Warning: Unhandled Archive Type
6:25 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Unhandled Archive Type
6:26 PM: Warning: Invalid Stream
6:26 PM: Warning: Invalid Stream
6:26 PM: 00238317.lnk (ID = 51146)
6:26 PM: 00238319.lnk (ID = 51143)
6:26 PM: File Sweep Complete, Elapsed Time: 00:31:02
6:26 PM: Full Sweep has completed. Elapsed time 00:33:31
6:26 PM: Traces Found: 268
6:27 PM: Removal process initiated
6:27 PM: Quarantining All Traces: cws_ns3
6:27 PM: Quarantining All Traces: spysheriff
6:27 PM: Quarantining All Traces: coolwebsearch (cws)
6:27 PM: Quarantining All Traces: cws_tiny0
6:27 PM: Quarantining All Traces: isearch toolbar
6:27 PM: Quarantining All Traces: trojan-downloader-mainstreamdollars
6:27 PM: Quarantining All Traces: ezula ilookup
6:27 PM: Quarantining All Traces: pc adprotector desktop hijacker
6:27 PM: Quarantining All Traces: relytec software
6:27 PM: Quarantining All Traces: safesurf
6:27 PM: Quarantining All Traces: 2o7.net cookie
6:27 PM: Quarantining All Traces: 360i cookie
6:27 PM: Quarantining All Traces: 5 cookie
6:27 PM: Quarantining All Traces: 64.62.232 cookie
6:27 PM: Quarantining All Traces: aa cookie
6:27 PM: Quarantining All Traces: about cookie
6:27 PM: Quarantining All Traces: adcycle cookie
6:27 PM: Quarantining All Traces: adecn cookie
6:27 PM: Quarantining All Traces: adknowledge cookie
6:27 PM: Quarantining All Traces: adlegend cookie
6:27 PM: Quarantining All Traces: ads.businessweek cookie
6:27 PM: Quarantining All Traces: adultrevenueservice cookie
6:27 PM: Quarantining All Traces: advertising cookie
6:27 PM: Quarantining All Traces: apmebf cookie
6:27 PM: Quarantining All Traces: aptimus cookie
6:27 PM: Quarantining All Traces: atlas dmt cookie
6:27 PM: Quarantining All Traces: atwola cookie
6:27 PM: Quarantining All Traces: belointeractive cookie
6:27 PM: Quarantining All Traces: bizrate cookie
6:27 PM: Quarantining All Traces: bns1 cookie
6:27 PM: Quarantining All Traces: brazilwelcomesyou cookie
6:27 PM: Quarantining All Traces: burstnet cookie
6:27 PM: Quarantining All Traces: cashpartner cookie
6:27 PM: Quarantining All Traces: catlist cookie
6:27 PM: Quarantining All Traces: ccbill cookie
6:27 PM: Quarantining All Traces: classmates cookie
6:27 PM: Quarantining All Traces: clicktracks cookie
6:27 PM: Quarantining All Traces: clickzs cookie
6:27 PM: Quarantining All Traces: cnt cookie
6:27 PM: Quarantining All Traces: contextuads cookie
6:27 PM: Quarantining All Traces: coremetrics cookie
6:27 PM: Quarantining All Traces: counter cookie
6:27 PM: Quarantining All Traces: customer cookie
6:27 PM: Quarantining All Traces: dealtime cookie
6:27 PM: Quarantining All Traces: did-it cookie
6:27 PM: Quarantining All Traces: enhance cookie
6:27 PM: Quarantining All Traces: freestats.net cookie
6:27 PM: Quarantining All Traces: go2net.com cookie
6:27 PM: Quarantining All Traces: gostats cookie
6:27 PM: Quarantining All Traces: homestore cookie
6:27 PM: Quarantining All Traces: howstuffworks cookie
6:27 PM: Quarantining All Traces: ic-live cookie
6:27 PM: Quarantining All Traces: infospace cookie
6:27 PM: Quarantining All Traces: kount cookie
6:27 PM: Quarantining All Traces: l2m.net cookie
6:27 PM: Quarantining All Traces: metareward.com cookie
6:27 PM: Quarantining All Traces: moviemonster cookie
6:27 PM: Quarantining All Traces: mp3downloading cookie
6:27 PM: Quarantining All Traces: myaffiliateprogram.com cookie
6:27 PM: Quarantining All Traces: nextag cookie
6:27 PM: Quarantining All Traces: one-time-offer cookie
6:27 PM: Quarantining All Traces: outster cookie
6:27 PM: Quarantining All Traces: overture cookie
6:27 PM: Quarantining All Traces: pointroll cookie
6:27 PM: Quarantining All Traces: pricegrabber cookie
6:27 PM: Quarantining All Traces: promaxtraffic cookie
6:27 PM: Quarantining All Traces: pub cookie
6:27 PM: Quarantining All Traces: rc cookie
6:27 PM: Quarantining All Traces: realmedia cookie
6:27 PM: Quarantining All Traces: rednova cookie
6:27 PM: Quarantining All Traces: reunion cookie
6:27 PM: Quarantining All Traces: screensavers.com cookie
6:27 PM: Quarantining All Traces: search123 cookie
6:27 PM: Quarantining All Traces: seeq cookie
6:27 PM: Quarantining All Traces: server.iad.liveperson cookie
6:27 PM: Quarantining All Traces: servlet cookie
6:27 PM: Quarantining All Traces: sextracker cookie
6:27 PM: Quarantining All Traces: specificclick.com cookie
6:27 PM: Quarantining All Traces: spectorsoft cookie
6:28 PM: Quarantining All Traces: stamps.com cookie
6:28 PM: Quarantining All Traces: starware.com cookie
6:28 PM: Quarantining All Traces: techtarget cookie
6:28 PM: Quarantining All Traces: toplist cookie
6:28 PM: Quarantining All Traces: touchclarity cookie
6:28 PM: Quarantining All Traces: tracking cookie
6:28 PM: Quarantining All Traces: trb.com cookie
6:28 PM: Quarantining All Traces: tribalfusion cookie
6:28 PM: Quarantining All Traces: tshirthell cookie
6:28 PM: Quarantining All Traces: tvguide cookie
6:28 PM: Quarantining All Traces: upspiral cookie
6:28 PM: Quarantining All Traces: web-stat cookie
6:28 PM: Quarantining All Traces: xiti cookie
6:28 PM: Quarantining All Traces: xren_cj cookie
6:28 PM: Quarantining All Traces: yadro cookie
6:28 PM: Quarantining All Traces: yieldmanager cookie
6:28 PM: Removal process completed. Elapsed time 00:00:52
********
5:50 PM: | Start of Session, Thursday, December 15, 2005 |
5:50 PM: Spy Sweeper started
5:50 PM: Your spyware definitions have been updated.
5:52 PM: | End of Session, Thursday, December 15, 2005 |


Logfile of HijackThis v1.99.1
Scan saved at 6:29:53 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk.disabled
O4 - Global Startup: Photo Loader supervisory.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.325 - http://69.41.173.118/ChatSpace/Java/cfs40325.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members10.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thermatrx.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - https://portal.brch.com/Security/aspencrypt...tranet,CT=java+
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 Guest_Cretemonster_*


  • Guests

Posted 15 December 2005 - 07:12 PM

Well that looks like it went incredibly well!


Download The Hoster from here:
http://www.funkytoad.com/download/hoster.zip

Right Click the Zip Folder and Select "Extract All"

Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled

Click "Back up Host files"

Press "Restore Original Hosts" and press "OK"

Exit the Program.


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/

R3 - Default URLSearchHook is missing

O16 - DPF: ChatSpace Full Java Client 4.0.0.325 - http://69.41.173.118/ChatSpace/Java/cfs40325.cab

O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members10.clubphoto.com/_img/upload...tl_uploader.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.

Edited by Cretemonster, 15 December 2005 - 07:13 PM.
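
The lines Cretemonster ticked above follow a few mechanical rules (an empty or about:blank IE page value, a missing URLSearchHook, a hosts entry that does not map localhost to 127.0.0.1, a DPF control with no URL or one served from a bare IP address). The Python below is an added example, not HijackThis or BleepingComputer code: the sample lines are copied from the 12/15/2005 log posted in this thread, and the rule set is an assumption reconstructed from which lines the helper selected.

```python
"""Triage HijackThis v1.99.1 log lines with the rules a forum helper applies by hand.
Added example, not HijackThis's own code: it only understands the R0/R1/R3/O1/O16
line formats visible in the posted logs."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.325 - http://69.41.173.118/ChatSpace/Java/cfs40325.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

# Every HijackThis finding starts with a section code such as R0, O1, O16.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


def _is_bare_ip(host):
    """True when a download host is a raw IP address rather than a DNS name."""
    try:
        ip_address(host or "")
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return a short reason if the line matches a rule, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, the process list and blank lines carry no finding
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1"):
        # Format: "HKxx\...\Main,Start Page = value". Rule assumed from the
        # helper's picks: blank values and about:blank both get reviewed.
        _, sep, value = body.partition(" =")
        if not sep:
            return None
        value = value.strip()
        if value == "":
            return "IE page setting has an empty value"
        if value.lower() == "about:blank":
            return "IE page setting reset to about:blank"
        return None

    if code == "R3" and "missing" in body:
        return "default URLSearchHook is missing"

    if code == "O1" and body.startswith("Hosts:"):
        # Format: "Hosts: <address> <name>"; localhost must resolve to loopback.
        parts = body[len("Hosts:"):].split()
        if (len(parts) == 2 and parts[1].lower() == "localhost"
                and parts[0] not in ("127.0.0.1", "::1")):
            return "hosts file maps localhost to %s instead of 127.0.0.1" % parts[0]
        return None

    if code == "O16" and body.startswith("DPF:"):
        # Format: "DPF: <name or CLSID> (<class>) - <download URL>"
        _, _, url = body.rpartition(" -")
        url = url.strip()
        if not url:
            return "DPF entry with no download URL"
        host = urlparse(url).hostname
        if _is_bare_ip(host):
            return "ActiveX control downloaded from a bare IP address (%s)" % host
        return None

    return None


def triage_log(text):
    """Return [(line, reason)] for every log line that matched a rule."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for hit_line, reason in triage_log(SAMPLE_LOG):
        print("%s\n    -> %s" % (hit_line, reason))
```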


#5 alfr4451

  • Topic Starter

  • Members
  • 17 posts

Posted 17 December 2005 - 08:06 AM

Okay!
I ran Hoster, then Hijack this and finally Kaspersky.
Here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 17, 2005 07:48:26
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/12/2005
Kaspersky Anti-Virus database records: 153772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 104023
Number of viruses found: 41
Number of infected objects: 169
Number of suspicious objects: 1
Duration of the scan process: 4727 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.RB0/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.RB0 Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.zip Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Alan\Desktop\hk_setup.exe/data0007 Infected: Trojan-Spy.Win32.AdvancedKeyLogger.a
C:\Documents and Settings\Alan\Desktop\hk_setup.exe Infected: Trojan-Spy.Win32.AdvancedKeyLogger.a
C:\Documents and Settings\Alan\Desktop\xpcspyp.exe/data0003 Infected: Trojan-Spy.Win32.Delf.du
C:\Documents and Settings\Alan\Desktop\xpcspyp.exe/data0006 Infected: Trojan-Spy.Win32.Delf.du
C:\Documents and Settings\Alan\Desktop\xpcspyp.exe/data0007 Infected: Trojan-Spy.Win32.Delf.du
C:\Documents and Settings\Alan\Desktop\xpcspyp.exe Infected: Trojan-Spy.Win32.Delf.du
C:\Documents and Settings\Alan\Local Settings\Temp\nffg.exe Infected: Trojan.Win32.Small.ev
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe/Norton AntiVirus 2003 Professional.exe/mail.exe Infected: Trojan.Win32.VB.sr
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe/Norton AntiVirus 2003 Professional.exe Infected: Trojan.Win32.VB.sr
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe Infected: Trojan.Win32.VB.sr
C:\Program Files\Norton AntiVirus\Quarantine\290577EF.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\Program Files\Norton AntiVirus\Quarantine\3FF3330A.exe Infected: Trojan.Win32.Dialer.ay
C:\Program Files\Norton AntiVirus\Quarantine\49D43C24.EXE Infected: Trojan-Clicker.Win32.Spywad.l
C:\Program Files\Norton AntiVirus\Quarantine\49DB101D.dia Infected: Trojan.Win32.Dialer.ay
C:\Program Files\Norton AntiVirus\Quarantine\49DB101D.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\Program Files\Norton AntiVirus\Quarantine\49DB101D.exe Infected: Trojan.Win32.Dialer.ay
C:\RECYCLER\NPROTECT\00238194 Infected: Trojan-Downloader.Win32.Small.bgv
C:\RECYCLER\NPROTECT\00238769 Infected: Email-Worm.Win32.Sober.p
C:\RECYCLER\NPROTECT\00238770 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238771 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238772 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238773.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238773.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238773.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238773.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238773.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238774.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238775.CLA Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238776.CLA Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238777.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238777.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238777.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238777.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238777.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238778.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238779 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238780 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238781.htm Infected: Trojan-Downloader.JS.Small.d
C:\RECYCLER\NPROTECT\00238782 Infected: Trojan.Java.ClassLoader.d
C:\RECYCLER\NPROTECT\00238783.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238783.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238783.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238783.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238783.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238784 Infected: Trojan.Win32.Crypt.e
C:\RECYCLER\NPROTECT\00238785.CLA Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238786.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238786.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238786.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238786.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238786.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238787.CLA Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238788.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238789 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238790 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238791 Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238792.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238792.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238792.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238792.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238792.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238793 Infected: Email-Worm.Win32.VB.an
C:\RECYCLER\NPROTECT\00238794 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238795.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238796.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238797.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238797.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238797.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238797.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238797.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238798.dll Infected: Trojan.Win32.StartPage.acn
C:\RECYCLER\NPROTECT\00238800.dat Infected: Trojan-Downloader.Win32.Delf.us
C:\RECYCLER\NPROTECT\00238801.exe Infected: Trojan-Downloader.Win32.Delf.us
C:\RECYCLER\NPROTECT\00238802.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238802.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238802.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238802.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238802.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238803.zip/Beyond.class Infected: Trojan.Java.Needy.c
C:\RECYCLER\NPROTECT\00238803.zip/BlackBox.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238803.zip/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238803.zip Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238804 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238805.exe Infected: P2P-Worm.Win32.Niklas.y
C:\RECYCLER\NPROTECT\00238806 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238807.htm Infected: Exploit.HTML.IframeBof
C:\RECYCLER\NPROTECT\00238808.htm Suspicious: Exploit.HTML.DialogArg
C:\RECYCLER\NPROTECT\00238809.htm Infected: Trojan-Downloader.VBS.Psyme.a
C:\RECYCLER\NPROTECT\00238810.CLA Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238812 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238813 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238814 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238815 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238816 Infected: Email-Worm.Win32.VB.an
C:\RECYCLER\NPROTECT\00238817.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238817.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238817.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238817.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238817.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238818 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238819 Infected: Trojan.Java.ClassLoader.b
C:\RECYCLER\NPROTECT\00238820 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238821 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238822 Infected: Email-Worm.Win32.Sober.p
C:\RECYCLER\NPROTECT\00238823.htm Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238824 Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238825 Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238826 Infected: Trojan.Java.ClassLoader.b
C:\RECYCLER\NPROTECT\00238827 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238828.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238829.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238830.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238831 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238832 Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238833.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238833.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238833.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238833.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238833.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238834.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238834.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238834.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238834.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238834.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238835 Infected: Email-Worm.Win32.VB.an
C:\RECYCLER\NPROTECT\00238836.htm Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238837.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238837.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238837.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238837.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238837.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238838.CLA Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238839.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.j
C:\RECYCLER\NPROTECT\00238839.zip/Beyond.class Infected: Trojan-Dropper.Java.Beyond.c
C:\RECYCLER\NPROTECT\00238839.zip/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238839.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\RECYCLER\NPROTECT\00238839.zip Infected: Trojan.Java.ClassLoader.Dummy.d
C:\RECYCLER\NPROTECT\00238840.CLA Infected: Trojan.Java.ClassLoader.Dummy.e
C:\RECYCLER\NPROTECT\00238841.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238842 Infected: Trojan.Java.ClassLoader.h
C:\RECYCLER\NPROTECT\00238843 Infected: Exploit.HTML.IframeBof
C:\RECYCLER\NPROTECT\00238844 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238845.CLA Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238846.dat Infected: P2P-Worm.Win32.SdDrop.c
C:\RECYCLER\NPROTECT\00238847.dat Infected: P2P-Worm.Win32.SdDrop.c
C:\RECYCLER\NPROTECT\00238848.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238848.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238848.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238848.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238848.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238849.dat Infected: P2P-Worm.Win32.Apsiv
C:\RECYCLER\S-1-5-21-1935655697-1645522239-839522115-1003\Dc932.dat Infected: Trojan-Downloader.Win32.Small.awa
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000157.dll Infected: Trojan.Win32.StartPage.acn
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000158.exe Infected: Trojan-Downloader.Win32.Delf.us
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000159.exe Infected: P2P-Worm.Win32.Niklas.y
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000718.EXE Infected: Trojan-Clicker.Win32.Spywad.l
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000721.exe Infected: Trojan.Win32.Dialer.ay
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000722.exe Infected: Trojan.Win32.Dialer.ay
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000723.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000724.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000727.exe/data0007 Infected: Trojan-Spy.Win32.AdvancedKeyLogger.a
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000727.exe Infected: Trojan-Spy.Win32.AdvancedKeyLogger.a
C:\WINDOWS\SchedLgU.Txt:oehzh:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\WINDOWS\system32\upd676.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\WINDOWS\system32\upd996.exe Infected: Trojan-Downloader.Win32.Small.bpz
C:\WINDOWS\system32\winctrl64.exe Infected: Trojan-Downloader.Win32.Small.awa

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 8:01:57 AM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk.disabled
O4 - Global Startup: Photo Loader supervisory.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thermatrx.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - https://portal.brch.com/Security/aspencrypt...tranet,CT=java+
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

How do I stand now??
Thanks

#6 Guest_Cretemonster_*
Posted 17 December 2005 - 08:20 AM

It looks like Norton came with a price to pay, somehow?


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Download this program:

Submit Files Packer
http://www.safer-networking.org/files/sfp.zip

Highlight the entries listed below in bold and right-click, then select Copy.

C:\Documents and Settings\Alan\Desktop\xpcspyp.exe
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.zip
C:\Documents and Settings\Alan\Desktop\hk_setup.exe
C:\Documents and Settings\Alan\Local Settings\Temp\nffg.exe
C:\WINDOWS\SchedLgU.Txt
C:\WINDOWS\system32\upd676.exe
C:\WINDOWS\system32\upd996.exe
C:\WINDOWS\system32\winctrl64.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example Monster.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


After the files have been submitted-> Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Alan\Desktop\xpcspyp.exe
    C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.zip
    C:\Documents and Settings\Alan\Desktop\hk_setup.exe
    C:\Documents and Settings\Alan\Local Settings\Temp\nffg.exe
    C:\WINDOWS\SchedLgU.Txt
    C:\WINDOWS\system32\upd676.exe
    C:\WINDOWS\system32\upd996.exe
    C:\WINDOWS\system32\winctrl64.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot in Safe Mode again and open Pocket Killbox.

Copy & Paste each entry above into Killbox, one at a time, and place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete


Still in Safe Mode-> From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind and Panda

Edited by Cretemonster, 17 December 2005 - 08:20 AM.
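For the Submit Files Packer step above, here is an added example (not the Safer Networking tool's own code) that does the same job in Python: it packs each listed path that exists into an archive with a small manifest log of sizes and SHA-256 hashes, and records any requested file that is missing instead of failing. It writes a .zip rather than a .cab, and the files in demo() are constructed stand-ins, not the samples from this thread.

```python
"""Pack a list of suspect files into an archive plus a manifest log.

Added example mirroring the Submit Files Packer step; it is not the tool's
own code. Archive format is .zip (assumption), not the tool's .cab.
"""
import hashlib
import os
import zipfile
from datetime import date


def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large samples are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def pack_samples(paths, out_dir):
    """Write requested-file<YYYYMMDD>.zip into out_dir.

    Every path that exists is stored under a numbered member name; every path
    that does not exist is recorded as MISSING in manifest.txt rather than
    aborting the run (a file the helper asked for is often already gone).
    Returns (archive_path, manifest_lines); each OK line is
    "OK\tpath\tsize\tsha256\tmember".
    """
    archive = os.path.join(out_dir, f"requested-file{date.today():%Y%m%d}.zip")
    lines = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, p in enumerate(paths):
            if not os.path.isfile(p):
                lines.append(f"MISSING\t{p}")
                continue
            # Flat, numbered member names so two requested files with the same
            # basename in different folders do not overwrite each other.
            member = f"{i:02d}_{os.path.basename(p)}"
            zf.write(p, member)
            lines.append(f"OK\t{p}\t{os.path.getsize(p)}\t{sha256_of(p)}\t{member}")
        zf.writestr("manifest.txt", "\n".join(lines) + "\n")
    return archive, lines


def demo():
    """Constructed demonstration: two stand-in files in a temp dir (not the
    real samples from this thread) plus one deliberately missing path."""
    import tempfile
    d = tempfile.mkdtemp(prefix="packer-demo-")
    present = []
    for name, data in (("upd676.exe", b"MZ constructed stand-in 1"),
                       ("nffg.exe", b"MZ constructed stand-in 2")):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        present.append(p)
    missing = os.path.join(d, "winctrl64.exe")  # never created on purpose
    archive, lines = pack_samples([present[0], missing, present[1]], d)
    with zipfile.ZipFile(archive) as zf:
        names = sorted(zf.namelist())
    return lines, names


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```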


#7 alfr4451
  • Topic Starter
Posted 17 December 2005 - 12:07 PM

Here are the results:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 3/8/2005 1:17:36 PM 13511971 C:\WINDOWS\lpt$vpn.482
qoologic 3/8/2005 1:17:36 PM 13511971 C:\WINDOWS\lpt$vpn.482
SAHAgent 3/8/2005 1:17:36 PM 13511971 C:\WINDOWS\lpt$vpn.482
UPX! 2/17/2005 3:12:54 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 3/8/2005 1:17:36 PM 13511971 C:\WINDOWS\VPTNFILE.482
qoologic 3/8/2005 1:17:36 PM 13511971 C:\WINDOWS\VPTNFILE.482
SAHAgent 3/8/2005 1:17:36 PM 13511971 C:\WINDOWS\VPTNFILE.482
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/30/2001 5:30:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/30/2001 5:30:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/17/2005 9:41:44 AM S 2048 C:\WINDOWS\bootstat.dat
11/22/2005 10:21:14 PM HS 7168 C:\WINDOWS\Thumbs.db
12/10/2005 2:15:50 AM HS 48680 C:\WINDOWS\winnt.bmp
12/17/2005 9:41:52 AM H 12288 C:\WINDOWS\system32\config\default.LOG
12/17/2005 9:41:56 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/17/2005 9:41:46 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
12/17/2005 9:41:58 AM H 65536 C:\WINDOWS\system32\config\software.LOG
12/17/2005 9:41:52 AM H 1064960 C:\WINDOWS\system32\config\system.LOG
12/7/2005 12:08:24 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
12/9/2005 1:49:02 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
12/9/2005 1:49:02 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/8/2005 6:31:12 AM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
12/9/2005 1:49:02 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
12/9/2005 1:49:02 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/8/2005 6:31:12 AM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
11/14/2005 8:11:34 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d8668887-1dcd-4796-8952-e98ea4953e9a
11/14/2005 8:11:34 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/17/2005 9:40:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT
12/11/2005 9:15:00 PM HS 65024 C:\WINDOWS\Web\Wallpaper\Thumbs.db

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/19/2004 3:31:32 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/6/2003 1:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 5/2/2004 3:40:02 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Intel Corporation 4/18/2002 5:30:46 PM 770048 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Apple Computer, Inc. 4/8/2004 1:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/30/2001 5:30:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation 6/13/2003 11:31:00 AM 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\nvtuicpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/3/2004 10:11:44 AM 910 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
1/28/2005 9:29:36 PM 1918 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
5/2/2004 3:40:16 PM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
5/2/2004 3:08:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/3/2004 11:03:58 AM 1650 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
5/16/2004 7:25:06 AM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
5/4/2004 6:35:20 PM 1758 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk.disabled
5/2/2004 4:01:00 PM 1567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk.disabled
4/29/2005 12:24:52 PM 794 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk.disabled

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/2/2004 10:52:12 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/9/2005 8:59:40 PM 4 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
5/2/2004 3:08:22 PM HS 84 C:\Documents and Settings\Alan\Start Menu\Programs\Startup\desktop.ini
12/14/2005 1:03:24 PM 864 C:\Documents and Settings\Alan\Start Menu\Programs\Startup\Yahoo! Desktop Search System Tray.lnk

Checking files in %USERPROFILE%\Application Data folder...
5/2/2004 10:52:12 AM HS 62 C:\Documents and Settings\Alan\Application Data\desktop.ini
4/27/2005 7:00:58 PM 62992 C:\Documents and Settings\Alan\Application Data\GDIPFONTCACHEV1.DAT
12/11/2005 4:57:04 PM 2235201 C:\Documents and Settings\Alan\Application Data\Install.dat

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{1C78AB3F-A857-482E-80C0-3A1E5238A565} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WINDVDPatch CTHELPER.EXE
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Jet Detection C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
Hot Key Kbd 9910 Daemon SK9910DM.EXE
CreateCD50 C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallpaper 0
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
NoBackButton 0
NoFileMru 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
SpecifyDefaultButtons 0
Btn_Search 0
NoActiveDesktop 0
ClassicShell 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/17/2005 9:49:48 AM




Incident Status Location

Adware:adware/beginto Not disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg3
Spyware:spyware/iesearchtoolbarNot disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\!KillBox\loaderadv422.jar-7450fc95-15e41161.zip[Matrix.class]
Adware:Adware/TopSpyware Not disinfected C:\!KillBox\upd676.exe
Adware:Adware/Adsmart Not disinfected C:\!KillBox\upd996.exe
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1dcb8c83-15089ed5.RB0[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4fe1a786-79c5bb55.RB0[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-569fd8d0-56c2c213.RB0[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.RB0[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.RB0[Matrix.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Alan\Desktop\alfr4451.cab.cab[Matrix.class]
Adware:Adware/TopSpyware Not disinfected C:\Documents and Settings\Alan\Desktop\alfr4451.cab.cab[upd676.exe]
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\Alan\Desktop\alfr4451.cab.cab[upd996.exe]
Virus:Exploit/CodeBase.A Not disinfected C:\install.htm
Adware:Adware/SearchAid Not disinfected C:\RECYCLER\NPROTECT\00237157.exe
Adware:Adware/SearchExe Not disinfected C:\RECYCLER\NPROTECT\00237173.dll
Adware:Adware/Startpage.AEX Not disinfected C:\RECYCLER\NPROTECT\00238194
Virus:Exploit/ByteVerify Not disinfected C:\RECYCLER\S-1-5-21-1935655697-1645522239-839522115-1003\Dc951.cab[Matrix.class]
Adware:Adware/TopSpyware Not disinfected C:\RECYCLER\S-1-5-21-1935655697-1645522239-839522115-1003\Dc951.cab[upd676.exe]
Adware:Adware/Adsmart Not disinfected C:\RECYCLER\S-1-5-21-1935655697-1645522239-839522115-1003\Dc951.cab[upd996.exe]
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr193.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr346.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr361.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\run5.exe


Logfile of HijackThis v1.99.1
Scan saved at 12:05:44 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 7.0\waol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk.disabled
O4 - Global Startup: Photo Loader supervisory.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thermatrx.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - https://portal.brch.com/Security/aspencrypt...tranet,CT=java+
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


That's it for now. I continue to appreciate your help and quick responses.

alfr4451

#8 alfr4451

alfr4451
  • Topic Starter

  • Members
  • 17 posts

Posted 17 December 2005 - 01:37 PM

I also deleted my keylogger setup programs

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 18 December 2005 - 05:44 AM

Use Pocket Killbox just as before

Copy&Paste the list below into Killbox

C:\install.htm
C:\WINDOWS\SYSTEM32\cache32_rtneg3
C:\WINDOWS\system32\ldr193.dll
C:\WINDOWS\system32\ldr346.dll
C:\WINDOWS\system32\ldr361.dll
C:\WINDOWS\system32\run5.exe
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1dcb8c83-15089ed5.RB0
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4fe1a786-79c5bb55.RB0
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-569fd8d0-56c2c213.RB0
C:\Documents and Settings\Alan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv422.jar-7450fc95-15e41161.RB0
C:\Documents and Settings\Alan\Desktop\alfr4451.cab.cab



Select Delete on Reboot and Unregister .dll before Deleting

Click the Red Circle with the White X in the Middle to Delete and Follow the prompts.


Restart Normal and Confirm for me that you can change the background on the Desktop.


After that let's do one more online scan.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#10 alfr4451

alfr4451
  • Topic Starter

  • Members
  • 17 posts

Posted 18 December 2005 - 09:32 AM

here are the results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 18, 2005 09:27:55
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/12/2005
Kaspersky Anti-Virus database records: 155834
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 104769
Number of viruses found: 39
Number of infected objects: 180
Number of suspicious objects: 1
Duration of the scan process: 5120 sec

Infected Object Name - Virus Name
C:\!KillBox\alfr4451.cab/C:/Documents and Settings/Alan/Application Data/Sun/Java/Deployment/cache/javapi/v1.0/jar/loaderadv422.jar-7450fc95-15e41161.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\!KillBox\alfr4451.cab/C:/Documents and Settings/Alan/Application Data/Sun/Java/Deployment/cache/javapi/v1.0/jar/loaderadv422.jar-7450fc95-15e41161.zip Infected: Trojan-Downloader.Java.OpenStream.c
C:\!KillBox\alfr4451.cab/C:/Documents and Settings/Alan/Local Settings/Temp/nffg.exe Infected: Trojan.Win32.Small.ev
C:\!KillBox\alfr4451.cab/C:/WINDOWS/system32/upd676.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\!KillBox\alfr4451.cab/C:/WINDOWS/system32/upd996.exe Infected: Trojan-Downloader.Win32.Small.bpz
C:\!KillBox\alfr4451.cab/C:/WINDOWS/system32/winctrl64.exe Infected: Trojan-Downloader.Win32.Small.awa
C:\!KillBox\alfr4451.cab Infected: Trojan-Downloader.Win32.Small.awa
C:\!KillBox\ldr193.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\!KillBox\ldr346.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\!KillBox\ldr361.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\!KillBox\loaderadv422.jar-7450fc95-15e41161/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\!KillBox\loaderadv422.jar-7450fc95-15e41161 Infected: Trojan-Downloader.Java.OpenStream.c
C:\!KillBox\loaderadv422.jar-7450fc95-15e41161.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\!KillBox\loaderadv422.jar-7450fc95-15e41161.zip Infected: Trojan-Downloader.Java.OpenStream.c
C:\!KillBox\nffg.exe Infected: Trojan.Win32.Small.ev
C:\!KillBox\run5.exe Infected: Trojan-Downloader.Win32.Small.cat
C:\!KillBox\upd676.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\!KillBox\upd996.exe Infected: Trojan-Downloader.Win32.Small.bpz
C:\!KillBox\winctrl64.exe Infected: Trojan-Downloader.Win32.Small.awa
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe/Norton AntiVirus 2003 Professional.exe/mail.exe Infected: Trojan.Win32.VB.sr
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe/Norton AntiVirus 2003 Professional.exe Infected: Trojan.Win32.VB.sr
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe Infected: Trojan.Win32.VB.sr
C:\Program Files\Norton AntiVirus\Quarantine\290577EF.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\Program Files\Norton AntiVirus\Quarantine\3FF3330A.exe Infected: Trojan.Win32.Dialer.ay
C:\Program Files\Norton AntiVirus\Quarantine\49D43C24.EXE Infected: Trojan-Clicker.Win32.Spywad.l
C:\Program Files\Norton AntiVirus\Quarantine\49DB101D.dia Infected: Trojan.Win32.Dialer.ay
C:\Program Files\Norton AntiVirus\Quarantine\49DB101D.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\Program Files\Norton AntiVirus\Quarantine\49DB101D.exe Infected: Trojan.Win32.Dialer.ay
C:\RECYCLER\NPROTECT\00238194 Infected: Trojan-Downloader.Win32.Small.bgv
C:\RECYCLER\NPROTECT\00238769 Infected: Email-Worm.Win32.Sober.p
C:\RECYCLER\NPROTECT\00238770 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238771 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238772 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238773.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238773.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238773.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238773.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238773.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238774.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238775.CLA Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238776.CLA Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238777.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238777.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238777.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238777.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238777.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238778.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238779 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238780 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238781.htm Infected: Trojan-Downloader.JS.Small.d
C:\RECYCLER\NPROTECT\00238782 Infected: Trojan.Java.ClassLoader.d
C:\RECYCLER\NPROTECT\00238783.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238783.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238783.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238783.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238783.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238784 Infected: Trojan.Win32.Crypt.e
C:\RECYCLER\NPROTECT\00238785.CLA Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238786.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238786.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238786.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238786.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238786.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238787.CLA Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238788.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238789 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238790 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238791 Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238792.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238792.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238792.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238792.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238792.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238793 Infected: Email-Worm.Win32.VB.an
C:\RECYCLER\NPROTECT\00238794 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238795.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238796.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238797.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238797.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238797.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238797.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238797.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238798.dll Infected: Trojan.Win32.StartPage.acn
C:\RECYCLER\NPROTECT\00238800.dat Infected: Trojan-Downloader.Win32.Delf.us
C:\RECYCLER\NPROTECT\00238801.exe Infected: Trojan-Downloader.Win32.Delf.us
C:\RECYCLER\NPROTECT\00238802.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238802.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238802.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238802.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238802.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238803.zip/Beyond.class Infected: Trojan.Java.Needy.c
C:\RECYCLER\NPROTECT\00238803.zip/BlackBox.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238803.zip/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238803.zip Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238804 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238805.exe Infected: P2P-Worm.Win32.Niklas.y
C:\RECYCLER\NPROTECT\00238806 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238807.htm Infected: Exploit.HTML.IframeBof
C:\RECYCLER\NPROTECT\00238808.htm Suspicious: Exploit.HTML.DialogArg
C:\RECYCLER\NPROTECT\00238809.htm Infected: Trojan-Downloader.VBS.Psyme.a
C:\RECYCLER\NPROTECT\00238810.CLA Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238812 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238813 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238814 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238815 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238816 Infected: Email-Worm.Win32.VB.an
C:\RECYCLER\NPROTECT\00238817.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238817.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238817.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238817.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238817.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238818 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238819 Infected: Trojan.Java.ClassLoader.b
C:\RECYCLER\NPROTECT\00238820 Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238821 Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238822 Infected: Email-Worm.Win32.Sober.p
C:\RECYCLER\NPROTECT\00238823.htm Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238824 Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238825 Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238826 Infected: Trojan.Java.ClassLoader.b
C:\RECYCLER\NPROTECT\00238827 Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238828.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238829.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238830.htm Infected: Exploit.VBS.Phel.a
C:\RECYCLER\NPROTECT\00238831 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238832 Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238833.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238833.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238833.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238833.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238833.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238834.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238834.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238834.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238834.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238834.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238835 Infected: Email-Worm.Win32.VB.an
C:\RECYCLER\NPROTECT\00238836.htm Infected: Exploit.HTML.Mht
C:\RECYCLER\NPROTECT\00238837.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238837.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238837.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238837.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238837.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238838.CLA Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238839.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.j
C:\RECYCLER\NPROTECT\00238839.zip/Beyond.class Infected: Trojan-Dropper.Java.Beyond.c
C:\RECYCLER\NPROTECT\00238839.zip/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238839.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\RECYCLER\NPROTECT\00238839.zip Infected: Trojan.Java.ClassLoader.Dummy.d
C:\RECYCLER\NPROTECT\00238840.CLA Infected: Trojan.Java.ClassLoader.Dummy.e
C:\RECYCLER\NPROTECT\00238841.CLA Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238842 Infected: Trojan.Java.ClassLoader.h
C:\RECYCLER\NPROTECT\00238843 Infected: Exploit.HTML.IframeBof
C:\RECYCLER\NPROTECT\00238844 Infected: Trojan.Java.ClassLoader.z
C:\RECYCLER\NPROTECT\00238845.CLA Infected: Trojan.Java.ClassLoader.ak
C:\RECYCLER\NPROTECT\00238846.dat Infected: P2P-Worm.Win32.SdDrop.c
C:\RECYCLER\NPROTECT\00238847.dat Infected: P2P-Worm.Win32.SdDrop.c
C:\RECYCLER\NPROTECT\00238848.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\RECYCLER\NPROTECT\00238848.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\RECYCLER\NPROTECT\00238848.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\RECYCLER\NPROTECT\00238848.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238848.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\RECYCLER\NPROTECT\00238849.dat Infected: P2P-Worm.Win32.Apsiv
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000157.dll Infected: Trojan.Win32.StartPage.acn
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000158.exe Infected: Trojan-Downloader.Win32.Delf.us
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000159.exe Infected: P2P-Worm.Win32.Niklas.y
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000718.EXE Infected: Trojan-Clicker.Win32.Spywad.l
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000721.exe Infected: Trojan.Win32.Dialer.ay
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000722.exe Infected: Trojan.Win32.Dialer.ay
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000723.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000724.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000738.exe/Norton AntiVirus 2003 Professional.exe/mail.exe Infected: Trojan.Win32.VB.sr
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000738.exe/Norton AntiVirus 2003 Professional.exe Infected: Trojan.Win32.VB.sr
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000738.exe Infected: Trojan.Win32.VB.sr
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000828.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000829.exe Infected: Trojan-Downloader.Win32.Small.bpz
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000830.exe Infected: Trojan-Downloader.Win32.Small.awa
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP6\A0000902.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP6\A0000903.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP6\A0000904.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP6\A0000905.exe Infected: Trojan-Downloader.Win32.Small.cat

Scan process completed.

I will be away for a week - but I would like to get this mess cleaned up.
Please leave instructions, and I will proceed when I return.
I continue to appreciate your help.
alfr4451

#11 Guest_Cretemonster_*

Posted 18 December 2005 - 11:37 AM

This is the only entry left that really bothers me

C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe Infected: Trojan.Win32.VB.sr

I suggest removing that file manually.

The rest we can take care of pretty easily.

For the Norton Quarantine Folder.

Open Norton Antivirus and click Reports -> Beside Quarantined Items, click View Report -> Click Quarantined Items.

Select all items in the list and click the Delete Items Button

Right-click the Recycle Bin, and then click Properties. The Recycle Bin Properties window opens.

Click the Norton Protection tab, and then click the "Remove Norton Protection" button. The Remove Norton Protection window opens.

Check "Also Empty Protected Files."

Click OK to close the Remove Norton Protection window, click Apply, and then click OK to close the Recycle Bin Properties window.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?
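
The scan output posted above shows most detections sitting inside System Restore points (the _restore{GUID}\RPn folders under System Volume Information), which is why the steps above disable System Restore, plus one live file under C:\My Shared Folder that has to be deleted by hand. As an added example that is not part of this thread or of any tool mentioned in it, here is a small Python parser for that report format which separates restore-point copies from live files. The sample lines are copied from the scan output in this thread; the "path Infected: name" line layout and the use of "/" to mark files inside an archive are assumptions based on those lines.

```python
"""Summarize a Kaspersky-style 'path Infected: detection' scan report.

Added example for this thread, not a tool provided by the poster or by
BleepingComputer. Assumptions: one detection per line in the form
'<path> Infected: <name>', and '/' separating an archive from the members
found inside it (as in 'A0000738.exe/Norton AntiVirus 2003 Professional.exe').
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Restore-point copies live under ...\_restore{GUID}\RPn\ ; capture the RPn label.
RESTORE_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    path: str                      # on-disk file (outermost container)
    inner: Tuple[str, ...]         # nested archive members, outermost first
    name: str                      # detection name as reported
    restore_point: Optional[str]   # e.g. 'RP5', or None for a live file


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; return None for lines that are not detections."""
    line = line.strip()
    if " Infected: " not in line:
        return None
    full_path, name = line.rsplit(" Infected: ", 1)
    # '/' is not legal in a Windows path, so it can only mark archive nesting.
    parts = full_path.split("/")
    m = RESTORE_RE.search(parts[0])
    return Detection(parts[0], tuple(parts[1:]), name.strip(),
                     m.group(1) if m else None)


def parse_report(text: str) -> List[Detection]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Group detections into restore-point copies (cleared by disabling
    System Restore) and live files that must be removed manually."""
    by_rp = defaultdict(set)
    live: Dict[str, str] = {}
    for d in dets:
        if d.restore_point:
            by_rp[d.restore_point].add(d.path)
        else:
            live.setdefault(d.path, d.name)
    return {
        "restore_points": {rp: sorted(p) for rp, p in by_rp.items()},
        "live_files": live,
        "detections": Counter(d.name for d in dets),
    }


# Sample lines copied from the scan output posted in this thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP2\A0000158.exe Infected: Trojan-Downloader.Win32.Delf.us
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000738.exe/Norton AntiVirus 2003 Professional.exe/mail.exe Infected: Trojan.Win32.VB.sr
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000738.exe/Norton AntiVirus 2003 Professional.exe Infected: Trojan.Win32.VB.sr
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP5\A0000738.exe Infected: Trojan.Win32.VB.sr
C:\System Volume Information\_restore{3FF0DF86-7C44-45B8-870B-4B94B50FE007}\RP6\A0000902.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\My Shared Folder\software\Norton AntiVirus 2005 Professional FULL.exe Infected: Trojan.Win32.VB.sr
Scan process completed.
"""

if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for rp, paths in sorted(s["restore_points"].items()):
        print(f"{rp}: {len(paths)} infected file(s) (cleared when System Restore is disabled)")
    for path, name in s["live_files"].items():
        print(f"REMOVE MANUALLY: {path} [{name}]")
    print("detections:", dict(s["detections"]))
```

The three lines for A0000738.exe collapse to one on-disk file, since the "/" parts are members inside that archive; only the outer file exists on disk to be deleted.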

#12 alfr4451

Posted 18 December 2005 - 12:22 PM

I did all you said - everything seems to be working. As I said, I'm going out of town and will be back in a week.
If any problems develop, I'll let you know then.
Again, thanks

#13 alfr4451

Posted 01 January 2006 - 09:01 AM

I'm back from vacation. Recent scans (Kaspersky, Norton) show no evidence of malicious activity. My only problem that I can see is that when I have IE open and click on the Favorites icon, there is quite a delay in opening my list. Seems like a small issue but it does bother me. Any ideas/suggestions?
Thanks.
Happy New Year
alfr4451

#14 Guest_Cretemonster_*


Posted 02 January 2006 - 08:07 AM

Try this: open IE and click Tools -> Internet Options -> Programs, then click "Reset Web Settings".

Now go back, click the Advanced tab and then click "Restore Defaults".


Go ahead and re-enable System Restore and restart the PC; this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again, you know how to find us! :thumbsup:
