Hijacked Browser And Pop-ups


  • This topic is locked
13 replies to this topic

#1 Wildebeast

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:22 PM

Posted 01 January 2006 - 11:13 PM

Hello,
Much of this is new to me and I am learning as I go. As you will be able to see from my log, I've already tried a variety of spyware scanning and removal items, but to no avail. Help

Logfile of HijackThis v1.99.1
Scan saved at 11:00:00 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\appqa.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\apixn32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3585FF78-2F11-FF4A-2596-1DF8EA166C87} - C:\WINDOWS\system32\javaxz32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {83E737CF-4567-17A1-95AF-D5FC7653A2E0} - C:\WINDOWS\system32\atljz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [263.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\Run: [iepa.exe] C:\WINDOWS\system32\iepa.exe
O4 - HKLM\..\Run: [atlph.exe] C:\WINDOWS\system32\atlph.exe
O4 - HKLM\..\Run: [apixn32.exe] C:\WINDOWS\system32\apixn32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: DigiChat Applet - http://itdev.gmu.edu/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

:thumbsup:


#2 sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 02 January 2006 - 02:29 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)

Download & extract it to its own folder - About Buster.zip.

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • ViewPoint
  • WeatherBug \AWS
  • Spyware Cleaner
Please note any other programs that you don't recognize in that list in your next response.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net

(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3585FF78-2F11-FF4A-2596-1DF8EA166C87} - C:\WINDOWS\system32\javaxz32.dll
O2 - BHO: Class - {83E737CF-4567-17A1-95AF-D5FC7653A2E0} - C:\WINDOWS\system32\atljz.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [263.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\Run: [iepa.exe] C:\WINDOWS\system32\iepa.exe
O4 - HKLM\..\Run: [atlph.exe] C:\WINDOWS\system32\atlph.exe
O4 - HKLM\..\Run: [apixn32.exe] C:\WINDOWS\system32\apixn32.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)



* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Viewpoint\
  • C:\WINDOWS\winxp.exe
  • C:\Program Files\Spyware Cleaner\
  • C:\Program Files\AWS\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

Run Ewido with its updated definitions: (...it's important that all windows are closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis
  • Online scan
  • About Buster
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
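The kinds of HijackThis entries flagged in this thread (the res://...dll/sp.htm search hijack, the missing URLSearchHook, generically named BHOs loading from System32, Run entries launched from a Temp folder or the Windows root, and an unknown-owner service in the Windows root) can be turned into a first-pass log triage. This is an added example written for this page, not code from BleepingComputer, HijackThis or the helper; the sample lines are copied from the logs posted in this thread, and the heuristics are my own assumptions rather than HijackThis's logic.

```python
import re
from dataclasses import dataclass

# Sample input: HijackThis log lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ewqka.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3585FF78-2F11-FF4A-2596-1DF8EA166C87} - C:\WINDOWS\system32\javaxz32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3ka32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "R1" or "O4"
    reason: str   # which heuristic matched
    line: str     # the original log line


# The search-hijack shape the helper describes: res://C:\WINDOWS\****.dll/sp.htm
SEARCH_HIJACK = re.compile(r"res://.*\.dll/sp\.htm", re.IGNORECASE)
# An executable sitting directly in the Windows folder (not under System32)
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\\s]+\.exe", re.IGNORECASE)
# A DLL sitting directly in System32
SYSTEM32_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\system32\\[^\\\s]+\.dll", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")
SERVICE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
# BHO display names that carry no vendor information (assumed heuristic)
GENERIC_BHO_NAMES = {"Class", "(no name)"}


def check_entry(section, body):
    """Return the reason a single entry is suspicious, or None if no heuristic matches."""
    if section in ("R0", "R1"):
        if SEARCH_HIJACK.search(body):
            return "search setting redirected to an sp.htm page inside a DLL"
    elif section == "R3":
        if "URLSearchHook is missing" in body:
            return "default URLSearchHook removed"
    elif section == "O2":
        m = BHO.match(body)
        if m and m.group(1) in GENERIC_BHO_NAMES and SYSTEM32_DLL.match(m.group(3)):
            return "generically named BHO loading a DLL from System32"
    elif section == "O4":
        m = RUN.match(body)
        if m:
            target = m.group(2).strip().strip('"')
            if TEMP_DIR.search(target):
                return "Run entry launches from a Temp folder"
            if WINDOWS_ROOT_EXE.match(target):
                return "Run entry launches an executable from the Windows root"
    elif section == "O23":
        m = SERVICE.match(body)
        if m and m.group(2) == "Unknown owner" and WINDOWS_ROOT_EXE.match(m.group(3)):
            return "unknown-owner service running from the Windows root"
    return None


def triage(log_text):
    """Run every recognised HijackThis entry through the heuristics and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list and blank lines are skipped
        reason = check_entry(m.group(1), m.group(2))
        if reason:
            findings.append(Finding(m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The Default_Page_URL = about:blank line the helper also fixed is deliberately not matched, since about:blank is a legitimate value on its own and only reads as suspicious alongside the other entries.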

#3 Wildebeast

  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:22 PM

Posted 02 January 2006 - 07:23 PM

Thanks! I'll give it a go. :thumbsup:

#4 Wildebeast

  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:22 PM

Posted 02 January 2006 - 11:39 PM

Whew! Well, I ran the suggested fixes and right now it appears to have worked. Being a novice at this, I realized that my initial hijackthis log may have been before I did some extra scans, but I am not certain. Anyway, when uninstalling programs I did not see WeatherBug nor Spyware Cleaner listed.

Below I've included a HijackThis log from the beginning of the process followed by a HijackThis log after completing all of the procedures. I also include reports from the Online scan, About Buster, and Ewido. I did notice after performing the online scan that it said I was infected with a trojan virus. So I assume there is still something there? I will keep you posted on my computer's performance. Thanks a ton for all of your help! :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:05 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htbyb.dll/sp.html#88449%
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {11C69DE3-708A-E113-91B6-1794F43DD7B7} - C:\WINDOWS\system32\ipkc.dll (file missing)
O2 - BHO: Class - {3585FF78-2F11-FF4A-2596-1DF8EA166C87} - C:\WINDOWS\system32\javaxz32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {83E737CF-4567-17A1-95AF-D5FC7653A2E0} - C:\WINDOWS\system32\atljz.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D1CD1D3E-77D8-5E66-C7CC-DEDD603B06F6} - C:\WINDOWS\system32\crmx.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [263.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\Run: [iepa.exe] C:\WINDOWS\system32\iepa.exe
O4 - HKLM\..\Run: [atlph.exe] C:\WINDOWS\system32\atlph.exe
O4 - HKLM\..\Run: [apixn32.exe] C:\WINDOWS\system32\apixn32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [atlkr.exe] C:\WINDOWS\system32\atlkr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: DigiChat Applet - http://itdev.gmu.edu/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3ka32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
*******************************
Logfile of HijackThis v1.99.1
Scan saved at 11:21:27 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {11C69DE3-708A-E113-91B6-1794F43DD7B7} - C:\WINDOWS\system32\ipkc.dll (file missing)
O2 - BHO: Class - {3585FF78-2F11-FF4A-2596-1DF8EA166C87} - C:\WINDOWS\system32\javaxz32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {83E737CF-4567-17A1-95AF-D5FC7653A2E0} - C:\WINDOWS\system32\atljz.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D1CD1D3E-77D8-5E66-C7CC-DEDD603B06F6} - C:\WINDOWS\system32\crmx.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [263.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\Run: [iepa.exe] C:\WINDOWS\system32\iepa.exe
O4 - HKLM\..\Run: [atlph.exe] C:\WINDOWS\system32\atlph.exe
O4 - HKLM\..\Run: [apixn32.exe] C:\WINDOWS\system32\apixn32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: DigiChat Applet - http://itdev.gmu.edu/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

*********************************************

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 02, 2006 23:08:22
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/01/2006
Kaspersky Anti-Virus database records: 168741
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 32728
Number of viruses found: 5
Number of infected objects: 149
Number of suspicious objects: 0
Duration of the scan process: 2172 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\0138768D Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\02442B75 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\05411414.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\05443E11.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\066B3233 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\07A368E5 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\0D606B1D Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\0DD46773 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\13CC5D76 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\19544B97 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\19652372 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\1B731315.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\1B79670E.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\1F5D0272.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\1F99365D Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\1FF45207 Infected: Trojan-Downloader.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\20751D93 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\20980655 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\2197564D Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\24F55F71 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\27956F8E Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\2C1D4697 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\2EB5418A Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\30EC1177 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38196F8E Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\381C198A Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38204386 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38236D83 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\3826177F Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\3829417C Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\382D6B78 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38301574 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38333F71 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\3836696D Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\383A136A Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\383D3D66 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38406763 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\38453B28 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\3C7C4D76 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\419F5AED Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\467945BC.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\480C0974 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\48BF2CE9 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\4FDF7EE5 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\5096244A Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\51DD208A Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\539D4573 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\542C1FDA Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\570050E1 Infected: Trojan-Downloader.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\5CBE18DA Infected: Trojan-Downloader.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\5F2D0171 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\61176E51 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\62173E49 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\68E70D6B Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\6ABD3D70 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\6B233378 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\710A3C40 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\750F01FC Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\76B46F76 Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\782A0E3C Infected: Trojan-Downloader.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\7F4A6038 Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046262.exe Infected: not-virus:Hoax.Win32.Renos.al
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046305.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046305.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046320.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046320.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046511.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046511.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046524.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046524.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046555.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046555.ini:mmfla:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046555.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046754.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046754.ini:mmfla:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046754.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046768.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046769.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046770.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046771.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046772.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046773.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046774.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046775.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046776.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046777.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046778.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046779.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046780.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046781.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046782.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046783.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046784.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046785.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046786.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046787.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046788.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046789.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046790.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046791.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046792.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046793.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046794.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046795.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046796.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046797.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046798.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046799.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046800.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046801.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046802.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046803.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046804.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046805.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046806.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046807.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046808.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046809.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046810.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046811.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046812.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046813.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046814.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046815.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046816.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046817.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046818.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046819.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046820.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046821.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046821.ini:mmfla:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046821.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046897.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046897.ini:mmfla:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046897.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046960.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046960.ini:mmfla:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046960.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046961.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046962.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046963.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046964.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046966.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046967.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046968.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046969.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046970.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046971.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP466\A0046972.exe Infected: Trojan-Downloader.Win32.Agent.td

Scan process completed.

*************************************

AboutBuster 6.0
Scan started on [1/2/2006] at [9:06:50 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:onydhe
Removed Stream! C:\WINDOWS\dasetup.log:gnqqbo
Removed Stream! C:\WINDOWS\hds32.ini:beuerf
Removed Stream! C:\WINDOWS\KB828028.log:ljahxk
Removed Stream! C:\WINDOWS\KB835732.log:djtnru
Removed Stream! C:\WINDOWS\KB837001.log:nicyx
Removed Stream! C:\WINDOWS\KB839643.log:uukgki
Removed Stream! C:\WINDOWS\KB867282.log:fvvygd
Removed Stream! C:\WINDOWS\KB887472.log:ecdbqp
Removed Stream! C:\WINDOWS\KB887742.log:qzaxg
Removed Stream! C:\WINDOWS\KB890859.log:ytwtac
Removed Stream! C:\WINDOWS\KB893803.log:jmzlwx
Removed Stream! C:\WINDOWS\KB896422.log:edhot
Removed Stream! C:\WINDOWS\KB896688.log:ipxvnt
Removed Stream! C:\WINDOWS\KB898461.log:zffniv
Removed Stream! C:\WINDOWS\KB900725.log:rnmdk
Removed Stream! C:\WINDOWS\KB900725.log:tqancg
Removed Stream! C:\WINDOWS\ModemLog_Communications cable between two computers.txt:drlykq
Removed Stream! C:\WINDOWS\ModemLog_Communications cable between two computers.txt:fibgcc
Removed Stream! C:\WINDOWS\msgsocm.log:vkelna
Removed Stream! C:\WINDOWS\msgsocm.log:xittwm
Removed Stream! C:\WINDOWS\WindowsUpdate.log:mhxkei
Removed Stream! C:\WINDOWS\wmsetup.log:fippgt
Removed Stream! C:\WINDOWS\_delis32.ini:bcesrb
Removed Stream! C:\WINDOWS\_delis32.ini:cmmgxf
Removed Stream! C:\WINDOWS\_delis32.ini:hivywa
Removed Stream! C:\WINDOWS\_delis32.ini:iclnxq
Removed Stream! C:\WINDOWS\_delis32.ini:kcrwmx
Removed Stream! C:\WINDOWS\_delis32.ini:mmfla
Removed Stream! C:\WINDOWS\_delis32.ini:nopyts
Removed Stream! C:\WINDOWS\_delis32.ini:qbaicg
Removed Stream! C:\WINDOWS\_delis32.ini:skyjsn
Removed Stream! C:\WINDOWS\_delis32.ini:tdwftd
-------------------------------------------------------------
Removed File! : C:\WINDOWS\d3ka32.exe
Removed File! : C:\WINDOWS\jqkos.dat
Removed File! : C:\WINDOWS\pozre.dat
Removed File! : C:\WINDOWS\robwv.dat
Removed File! : C:\WINDOWS\system32\addny32.dll
Removed File! : C:\WINDOWS\system32\atlkr.exe
Removed File! : C:\WINDOWS\system32\crmx.dll
Removed File! : C:\WINDOWS\system32\gnqqb.dat
Removed File! : C:\WINDOWS\system32\gohdv.txt
Removed File! : C:\WINDOWS\system32\htbyb.dll
Removed File! : C:\WINDOWS\system32\onydh.txt
Removed File! : C:\WINDOWS\system32\spkca.txt
Removed File! : C:\WINDOWS\system32\tllol.dat
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:10:09 PM


***************************************

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:57:00 PM, 1/2/2006
+ Report-Checksum: FD980676

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{76518006-D7C5-4C71-68F4-DA79559FA482} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8E883EC3-ABB5-0CD9-EC0A-78CB81A818D1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A711817-CADB-FD03-EBB1-4E2FC70601C2} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2000478354-1563985344-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
C:\RECYCLER\NPROTECT\00043690.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\NPROTECT\00043954.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\NPROTECT\00044138.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\NPROTECT\00044363.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\NPROTECT\00045188.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\NPROTECT\00045190.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\NPROTECT\00045602.exe -> Downloader.Agent.td : Cleaned with backup


::Report End

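The Kaspersky report above counts 149 infected objects, but almost all of them sit in the Norton quarantine folder or inside System Restore points, and the objects ending in `:name:$DATA` are NTFS alternate data streams rather than files of their own. The following is an added example for this thread, not code from Kaspersky or from any poster: it parses report lines of that shape and separates inert copies (quarantine, restore points) from anything on a live path, and pulls the host file and stream name out of an ADS entry. SAMPLE is a constructed subset of lines copied from the report; the grouping rules are the author's reading of the paths, not something the scanner reports.

```python
"""Split a Kaspersky On-line Scanner report into inert and live hits.

Added example for this thread, not the scanner's own code. SAMPLE is a
subset of lines copied from the report in the first post. The container
rules are the author's: AV quarantine files and System Restore copies are
inert until restored, and a trailing ':name:$DATA' is an NTFS alternate
data stream, the hiding place this CoolWebSearch variant used.
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)$")
# Host path, stream name and the $DATA type suffix the scanner prints for an ADS.
ADS_RE = re.compile(r"^(?P<host>.+?):(?P<stream>[^:\\]+):\$DATA$")


@dataclass
class Hit:
    path: str        # host file for an ADS, otherwise the object itself
    stream: str      # ADS name, or "" for an ordinary file
    container: str   # quarantine | restore-point | live
    detection: str


def container_of(path: str) -> str:
    """Where the object lives; only 'live' objects can still execute."""
    up = path.upper()
    if "\\QUARANTINE\\" in up:
        return "quarantine"
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in up:
        return "restore-point"
    return "live"


def parse_hit(line: str):
    """Parse one '<object> Infected: <name>' line; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    obj, det = m.group("obj"), m.group("det")
    ads = ADS_RE.match(obj)
    path, stream = (ads.group("host"), ads.group("stream")) if ads else (obj, "")
    return Hit(path, stream, container_of(path), det)


def summarise(lines):
    """Return the parsed hits and a count by (container, is_ads)."""
    hits = [h for h in map(parse_hit, lines) if h]
    return hits, Counter((h.container, bool(h.stream)) for h in hits)


# Constructed sample: lines copied from the Kaspersky report in this thread.
SAMPLE = r"""
C:\Program Files\Norton AntiVirus\Quarantine\0138768D Infected: Trojan.Win32.Agent.bi
C:\Program Files\Norton AntiVirus\Quarantine\05411414.tmp Infected: Trojan.Win32.Small.ga
C:\Program Files\Norton AntiVirus\Quarantine\1FF45207 Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046262.exe Infected: not-virus:Hoax.Win32.Renos.al
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046305.ini:cmmgxf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP464\A0046305.ini:nopyts:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{FF41E3E9-20C5-48D3-82AF-6E57FB963F51}\RP465\A0046778.dll Infected: Trojan-Downloader.Win32.Agent.bc
""".strip().splitlines()

if __name__ == "__main__":
    hits, counts = summarise(SAMPLE)
    for (container, is_ads), n in sorted(counts.items()):
        print(f"{container:14} {'ADS ' if is_ads else 'file'} {n}")
    for h in hits:
        if h.container == "live":
            print("LIVE:", h.path, h.stream, h.detection)
```

Run against the full report, every hit lands in quarantine or restore-point; the live streams in this case were only exposed by the AboutBuster run (the `_delis32.ini:cmmgxf` stream there matches the `cmmgxf` name seen in the restore-point copies).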
#5 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 03 January 2006 - 02:04 AM

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the "Resident TeaTimer (Protection of overall system settings) active" box.
  • In the File menu click Exit to exit Spybot Search & Destroy.
* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {11C69DE3-708A-E113-91B6-1794F43DD7B7} - C:\WINDOWS\system32\ipkc.dll (file missing)
O2 - BHO: Class - {3585FF78-2F11-FF4A-2596-1DF8EA166C87} - C:\WINDOWS\system32\javaxz32.dll (file missing)
O2 - BHO: Class - {83E737CF-4567-17A1-95AF-D5FC7653A2E0} - C:\WINDOWS\system32\atljz.dll (file missing)
O2 - BHO: Class - {D1CD1D3E-77D8-5E66-C7CC-DEDD603B06F6} - C:\WINDOWS\system32\crmx.dll (file missing)
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [263.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [264.tmp.exe] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\264.tmp.exe
O4 - HKLM\..\Run: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\Run: [iepa.exe] C:\WINDOWS\system32\iepa.exe
O4 - HKLM\..\Run: [atlph.exe] C:\WINDOWS\system32\atlph.exe
O4 - HKLM\..\Run: [apixn32.exe] C:\WINDOWS\system32\apixn32.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)



* * * * * *

Delete the contents of this folder, leaving it empty:

C:\Program Files\Norton AntiVirus\Quarantine\



Please reboot your computer before posting a new HJT log. Let me know if you still have other issues.


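The items the helper picked out above follow three shapes: a BHO whose DLL is already gone, a Run value that launches from a Temp folder, and a bare executable dropped straight into C:\WINDOWS or system32 with its own filename as the Run value name. The following is an added example for this thread, not code from HijackThis or from any poster, that applies those rules to O2/O4 lines and names the registry location each item is registered in. SAMPLE_LOG is a subset of lines copied from the first log; the rules and the registry targets are the author's reading of what was flagged and where those items live (an assumption about HijackThis 1.99 behaviour, not stated in the thread). Items the helper flagged on reputation rather than shape (the Spyware Cleaner Run value, the orphaned WeatherBug button) still need an analyst and are not modelled.

```python
"""Triage HijackThis 1.99 O2/O4 lines with shape-based rules.

Added example for this thread, not code from HijackThis or any poster.
SAMPLE_LOG is a subset of lines copied from the first log above. The three
rules and the registry targets are the author's reading of what the helper
flagged and where those items are registered (assumption, not from the thread).
"""
import ntpath
import re
from dataclasses import dataclass

# Line shapes emitted by HijackThis 1.99.1: O2 = Browser Helper Object, O4 = Run value.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# Executable part of a Run command: a quoted path, or text up to the first
# .exe/.com/.scr/.pif/.bat that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|scr|pif|bat))(?=\s|$)', re.IGNORECASE)
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS(\\SYSTEM32)?$", re.IGNORECASE)

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


@dataclass
class Finding:
    line: str
    ident: str    # CLSID for an O2 item, Run value name for an O4 item
    reason: str
    target: str   # registry location the item is registered in


def command_path(cmd: str) -> str:
    """Return the executable path of a Run command without its arguments."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("q") or m.group("u")
    return cmd.strip().split(" ", 1)[0]


def triage_line(line: str):
    """Apply the rules to one log line; return a Finding or None."""
    m = O2_RE.match(line)
    if m:
        if not m.group("missing"):
            return None
        # DLL already deleted by a scanner but the CLSID is still registered;
        # the loaders in this log re-create such BHOs on the next boot.
        return Finding(line, m.group("clsid"), "BHO registered but its DLL is missing",
                       BHO_KEY + "\\" + m.group("clsid"))
    m = O4_RE.match(line)
    if not m:
        return None
    value = m.group("value")
    path = command_path(m.group("cmd"))
    target = f"{m.group('hive')}\\{RUN_KEY}\\{value}"
    if "\\TEMP\\" in path.upper():
        return Finding(line, value, "Run value launches a file from a Temp directory", target)
    if WINDIR_RE.match(ntpath.dirname(path)) and value.lower() == ntpath.basename(path).lower():
        # A bare file in %windir% or system32 whose Run value name is just its
        # filename: the shape of every CWS loader in the log and of none of
        # the vendor entries (those live under Program Files).
        return Finding(line, value, "bare executable in %windir%/system32 named after itself", target)
    return None


def triage(lines):
    return [f for f in (triage_line(ln) for ln in lines) if f]


# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {11C69DE3-708A-E113-91B6-1794F43DD7B7} - C:\WINDOWS\system32\ipkc.dll (file missing)
O2 - BHO: Class - {D1CD1D3E-77D8-5E66-C7CC-DEDD603B06F6} - C:\WINDOWS\system32\crmx.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [crdk.exe] C:\WINDOWS\crdk.exe
O4 - HKLM\..\Run: [263.tmp] C:\DOCUME~1\JENNYL~1\LOCALS~1\Temp\263.tmp.exe
O4 - HKLM\..\Run: [apixn32.exe] C:\WINDOWS\system32\apixn32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ident}: {f.reason}\n    -> {f.target}")
```

The "named after itself" rule deliberately requires both conditions: PRONoMgr.exe also uses its filename as the value name but lives under Program Files, so it is left alone, while Ati2mdxx.exe has no directory at all and a descriptive value name. Whatever this flags, the file on disk still has to be removed separately; fixing the Run value or the BHO key only stops it from being loaded.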
#6 Wildebeast
  • Topic Starter
  • Members
  • 13 posts

Posted 03 January 2006 - 07:36 PM

I disabled TeaTimer and ran another HijackThis fix. The computer seems to be running fine, although when I rebooted I did see a bubble pop up from the task bar saying something like "warning norton antivirus is disabled you may have a virus" or something along those lines, but it disappeared. Other than this, everything seems to be running fine. Below is the latest HijackThis log. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 7:27:06 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://itdev.gmu.edu/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 04 January 2006 - 02:53 AM

I did see a bubble pop up from the task bar saying something like "warning norton antivirus is disabled you may have a virus" or something along those lines, but it disappeared


Let's test if Norton Antivirus is really disabled. Please go to this webpage

http://www.eicar.org/anti_virus_test_file.htm

Locate & download eicar.com. If Norton is active, it should detect the file.

Let me know how that went.

Edited by sUBs, 04 January 2006 - 02:53 AM.
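The EICAR file is the standard way to confirm that on-access scanning is really running: it is a harmless 68-byte text string that every scanner is expected to recognise, and also a valid DOS .COM program that only prints its own name, so there is nothing to gain by executing it. The script below is an added example, not code from this thread or from EICAR; it assembles the test string, checks it against the SHA-256 EICAR publishes, writes it to a temporary directory and reports whether something intercepted or removed it. The file name, the settle time and the interpretation of a blocked write as "protection active" are assumptions.

```python
"""On-access antivirus check with the EICAR test file (added example, not from the thread)."""
import hashlib
import os
import tempfile
import time

# The 68-byte EICAR string, kept in two halves so that this script file itself
# is not recognised as the test string when saved to disk.
_EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
# SHA-256 of the bare 68-byte string, as published by EICAR.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Assemble the test string at run time."""
    return "".join(_EICAR_PARTS).encode("ascii")


def is_eicar(data: bytes) -> bool:
    """True only for the exact published string (no trailing whitespace variants)."""
    return hashlib.sha256(data).hexdigest() == EICAR_SHA256


def on_access_scanner_active(directory: str = None, settle_seconds: float = 3.0) -> bool:
    """Drop the test file and report whether real-time protection reacted.

    Returns True if the write was blocked, the file vanished, or its content was
    altered within settle_seconds; False if the untouched file is still there.
    Assumption: the file name and the settle time are arbitrary choices.
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_test.com")
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
    except PermissionError:
        # Some scanners block the write itself; that counts as active protection.
        return True
    time.sleep(settle_seconds)
    try:
        with open(path, "rb") as fh:
            untouched = is_eicar(fh.read())
    except (FileNotFoundError, PermissionError):
        return True  # quarantined or locked by the scanner
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    return not untouched


if __name__ == "__main__":
    print("real-time protection active:", on_access_scanner_active())
```

A detection at download time, as Wildebeast saw, answers the same question for the browser path; the local write above exercises the file-system hook instead, which is the one that matters when malware is dropped by something other than the browser.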


#8 Wildebeast
  • Topic Starter
  • Members
  • 13 posts

Posted 04 January 2006 - 06:50 PM

I downloaded it and Norton detected it. Silly question, but when it asks me to run it should I do so?

#9 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 05 January 2006 - 02:27 AM

I downloaded it and Norton detected it. Silly question, but when it asks me to run it should I do so?

Sorry... but I don't quite understand your last comment.

Run what?

#10 Wildebeast
  • Topic Starter
  • Members
  • 13 posts

Posted 05 January 2006 - 09:10 PM

I'm sorry, I meant that when I clicked to download eicar.com I got a message saying that Norton was detecting it. Is this was what we were trying to determine, whether Norton would detect it? The next window popped up asking if I wanted to run the file or save the file. At this point I clicked cancel. Should I have actually tried to run eicar?

#11 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 06 January 2006 - 01:10 AM

Eicar is merely a test file for antivirus programs. There's no need to run it. It's okay as long as Norton detects it.

Please post a fresh HJT log so that I may verify that you're still clean.

Edited by sUBs, 06 January 2006 - 01:10 AM.


#12 Wildebeast
  • Topic Starter
  • Members
  • 13 posts

Posted 07 January 2006 - 12:24 PM

I ran another HijackThis. How does it look?

Logfile of HijackThis v1.99.1
Scan saved at 12:19:12 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://itdev.gmu.edu/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#13 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 07 January 2006 - 01:38 PM

Your system is clean. Have you patched yourself against the WMF exploit yet? If not, please refer to my sig. Kindly follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  • SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
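The six Internet-zone settings in the "Securing Internet Explorer" step above are stored as numbered DWORD values under the zone 3 key in the registry (value names as documented in Microsoft KB 182569, actions 0 = Enable, 1 = Prompt, 3 = Disable), so they can be applied and audited without clicking through the dialog. The script below is an added example, not code from this thread or from Microsoft: it renders the recommended settings as a .reg file and compares a `reg export` of the zone against them. The sample export is constructed to show a loosened zone and is not data from Wildebeast's machine.

```python
"""Internet zone hardening from the post above, as registry values (added example, not from the thread)."""
import re

ZONE_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
ENABLE, PROMPT, DISABLE = 0, 1, 3  # IE security-zone action values

# Setting name -> (registry value name, recommended action). Value names per Microsoft KB 182569.
RECOMMENDED = {
    'Download signed ActiveX controls': ('1001', PROMPT),
    'Download unsigned ActiveX controls': ('1004', DISABLE),
    'Initialize and script ActiveX controls not marked as safe': ('1201', DISABLE),
    'Installation of desktop items': ('1800', PROMPT),
    'Launching programs and files in an IFRAME': ('1804', PROMPT),
    'Navigate sub-frames across different domains': ('1607', PROMPT),
}
NAME_BY_ID = {vid: name for name, (vid, _) in RECOMMENDED.items()}
ACTION_NAME = {ENABLE: 'Enable', PROMPT: 'Prompt', DISABLE: 'Disable'}


def render_reg_file() -> str:
    """Produce a .reg file (regedit v5 format) that applies RECOMMENDED to the Internet zone."""
    lines = ['Windows Registry Editor Version 5.00', '', f'[{ZONE_KEY}]']
    for vid, action in sorted(RECOMMENDED.values()):
        lines.append(f'"{vid}"=dword:{action:08x}')
    return '\r\n'.join(lines) + '\r\n'


KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
DWORD_RE = re.compile(r'^"(?P<vid>\d{4})"=dword:(?P<val>[0-9a-fA-F]{8})$')


def audit(reg_export: str) -> list:
    """Compare a `reg export` of the Internet zone with RECOMMENDED.

    Returns (value id, setting name, current action, recommended action) for every
    deviation, in file order. Values outside the six tracked ones are ignored.
    """
    deviations = []
    in_zone = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            in_zone = km.group('key').lower().endswith(r'\zones\3')
            continue
        dm = DWORD_RE.match(line) if in_zone else None
        if not dm or dm.group('vid') not in NAME_BY_ID:
            continue
        vid = dm.group('vid')
        current = int(dm.group('val'), 16)
        wanted = RECOMMENDED[NAME_BY_ID[vid]][1]
        if current != wanted:
            deviations.append((vid, NAME_BY_ID[vid], ACTION_NAME.get(current, str(current)), ACTION_NAME[wanted]))
    return deviations


# Constructed sample export of a loosened zone (not real data from the thread).
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"1A00"=dword:00020000
"""

if __name__ == '__main__':
    for vid, name, current, wanted in audit(SAMPLE_EXPORT):
        print(f'{vid} {name}: is {current}, should be {wanted}')
    print(render_reg_file())
```

The HKCU copy of the zone key is the one the dialog edits for the logged-on user; if the Security_HKLM_only policy is set, the same value names under HKLM apply instead, so audit that copy on a policy-managed machine.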

#14 Wildebeast
  • Topic Starter
  • Members
  • 13 posts

Posted 08 January 2006 - 08:31 PM

Thank you very much for all of your help! :thumbsup:



