
Hjt Log - Analyze


This topic is locked
15 replies to this topic

#1 Erica6924

  • Members
  • 10 posts
  • Location: Fort Wayne, In

Posted 11 January 2006 - 12:35 AM

My computer and Internet have been running really slow. I went to HouseCall, scanned my computer and it found a worm and some other spyware. Honestly I don't remember the name of the worm. I clicked on "delete/clean" blah blah but it crashed my computer. I ran it a second time and IE (it wouldn't work for some reason with my Firefox) errored on me and said something about having an error with the system memory. I tried a 3rd time, got it to go through and deleted/fixed any problems HouseCall found.
I scanned with Ad-Aware/Spybot/Stinger and AVG and it all came up clean. I also deleted all the cookies and temp internet files. Here's the log file from HJT. Could you please check and see if everything seems okay? Even after cleaning up the computer a bit, it still seems to be having the same problem and running slow... really slow.

Logfile of HijackThis v1.99.1
Scan saved at 12:25:42 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105476429203
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 17 January 2006 - 05:31 AM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Something that requires your immediate intervention. I notice that you have more than one anti-virus program on your machine (McAfee & Symantec). That's not a good idea!!

This messes up the machine pretty badly. Like firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall ALL, leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.

Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On\Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options. You can enable these after resolving your problem.
  • Unless they are turned off they could interfere with the fix by HijackThis.
* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Viewpoint
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Viewpoint
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
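Helpers match a fix list like the one above against the log by eye. As an added example, not code from the thread, from HijackThis or from its author, the Python below parses the HijackThis log format (the `Running processes:` block and the `Rn`/`On` entries with their CLSIDs and file paths) into records and applies the reply's decisions as rules: CLSIDs on the fix list, files under the folder the reply deletes, and the host the R1 search-bar entries point at. It also reports entries whose target HijackThis marks as `(file missing)`, an orphan worth noting even though the reply does not fix it. `SAMPLE_LOG` is a constructed excerpt of the log posted above, and the `FIX_*` tables are this example's encoding of the five entries in the reply.

```python
"""Parse a HijackThis 1.99.1 log and flag entries against a helper's fix list.

Added example: not code from the thread, from HijackThis or from its author.
SAMPLE_LOG is a constructed excerpt of the log posted in this thread; the
FIX_* tables are this example's encoding of the reply's five fix entries.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:25:42 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
"""

# Entry lines look like "O2 - BHO: ..."; R/F/N/O are the HijackThis section families.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path in the entry, ending at the first executable/DLL/HTML extension,
# so "res://C:\...\ViewBar.dll/CXTSEARCH.HTML" yields the DLL, not the resource.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|htm|html|lnk|bat)', re.IGNORECASE)

# Constructed from the reply's fix list: the two Viewpoint CLSIDs, the folder the
# reply deletes, and the host the R1 search-bar entries point at.
FIX_CLSIDS = {"{A7327C09-B521-4EDB-8509-7D2660C9EC98}", "{F8AD5AA5-D966-4667-9DAF-2561D68B2012}"}
FIX_PATH_PREFIXES = (r"C:\Program Files\Viewpoint",)
FIX_SEARCH_HOSTS = ("red.clientapps.yahoo.com",)


@dataclass
class HjtEntry:
    section: str            # "R1", "O2", "O23", ...
    body: str               # text after "O2 - "
    clsid: Optional[str]    # normalised to upper case when present
    path: Optional[str]     # first on-disk path found in the entry
    file_missing: bool      # HijackThis appended "(file missing)"


def parse_hjt_log(text):
    """Return (entries, running_processes) from a HijackThis log."""
    entries, processes, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                  # header lines: Logfile, Scan saved, Platform, MSIE
        section, body = m.groups()
        clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
        entries.append(HjtEntry(section, body,
                                clsid.group(0).upper() if clsid else None,
                                path.group(0) if path else None,
                                "(file missing)" in body))
    return entries, processes


def flag_reasons(entry):
    """Apply the reply's decisions as rules; an empty list means 'leave it'."""
    reasons = []
    if entry.clsid in FIX_CLSIDS:
        reasons.append("CLSID on fix list")
    if entry.path and entry.path.lower().startswith(tuple(p.lower() for p in FIX_PATH_PREFIXES)):
        reasons.append("file under a folder slated for deletion")
    if entry.section.startswith("R") and any(h in entry.body for h in FIX_SEARCH_HOSTS):
        reasons.append("search bar redirected to fix-list host")
    if entry.file_missing:
        reasons.append("orphaned entry (target file missing)")
    return reasons


def flagged(text):
    """[(section, identifier, reasons)] for every entry that trips at least one rule."""
    hits = []
    for e in parse_hjt_log(text)[0]:
        reasons = flag_reasons(e)
        if reasons:
            hits.append((e.section, e.clsid or e.path or e.body, reasons))
    return hits


if __name__ == "__main__":
    for section, ident, reasons in flagged(SAMPLE_LOG):
        print(f"{section:<4} {ident}\n     -> {', '.join(reasons)}")
```

Run against the excerpt, the rules reproduce the reply's five fix entries (the R1 search bar, the Viewpoint BHO, toolbar and context-menu item) and additionally surface the `O18` msnim handler whose DLL is missing; the Spybot BHO and the Symantec service are correctly left alone. Keying on CLSIDs rather than on the display name matters because the name in an `O2`/`O3` line is whatever the component registered for itself.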

#3 Erica6924

  • Topic Starter
  • Members
  • 10 posts
  • Location: Fort Wayne, In

Posted 17 January 2006 - 04:59 PM

Hello sUBs! Thanks for your time and help. I did everything you said. I looked for McAfee and couldn't find it?? There was nothing in the add/remove programs, and there also weren't any program folders anywhere on the computer. And I couldn't even find the actual install file? But besides that I did everything you said.

When I went into add/remove programs and tried to delete all the Viewpoint things it came up with an error saying: "Uninstaller error. Error occurred while trying to remove Viewpoint. This may have already been uninstalled." So, I'm assuming I already deleted it somehow. I did remove it from the add/remove programs list though.

When I searched for the following files/folders:
C:\Program Files\Viewpoint - No files were found

I ran CleanUp and it freed up 741MB (lots of junk on my computer).

Everything seems to be running OK so far. My ping on Ventrilo is back to normal for the most part. It's still a little high at times but not like it was. Occasionally it jumps sky high and everything on my computer just goes to crap for a few, but not like it was, and the internet and my computer seem to be less laggy.
Ewido did find quite a few things wrong though.
Here is the HJT log, Ewido, and the online scan.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:52 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105476429203
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 16:46:07
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 171615
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 92835
Number of viruses found: 9
Number of infected objects: 40
Number of suspicious objects: 0
Duration of the scan process: 4899 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-174a0145.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-174a0145.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5de14766.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5de14766.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\My Documents\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Administrator\My Documents\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Administrator\My Documents\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Administrator\My Documents\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Administrator\My Documents\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Administrator\My Documents\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Documents and Settings\Administrator\My Documents\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08240000.VBN Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0001.VBN Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0002.VBN Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\083C0003.VBN Infected: Exploit.Java.ByteVerify
C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\BearShare\Installer\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D440E0E-51DE-49AA-940F-5D7A60\76FD0687-ECB0-4FB3-AECB-84DEC5/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D440E0E-51DE-49AA-940F-5D7A60\76FD0687-ECB0-4FB3-AECB-84DEC5/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D440E0E-51DE-49AA-940F-5D7A60\76FD0687-ECB0-4FB3-AECB-84DEC5/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D440E0E-51DE-49AA-940F-5D7A60\76FD0687-ECB0-4FB3-AECB-84DEC5/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D440E0E-51DE-49AA-940F-5D7A60\76FD0687-ECB0-4FB3-AECB-84DEC5 Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020892.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020892.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020892.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020892.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020892.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020996.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020996.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP102\A0020996.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP85\A0017299.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bi
C:\System Volume Information\_restore{111F39AB-71E5-4124-BC47-7458CF2EEC17}\RP99\A0019750.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bi

Scan process completed.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:11:23 PM, 1/17/2006
+ Report-Checksum: E0AB8C8E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-73586283-1364589140-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-73586283-1364589140-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AA06644-BC46-4220-A460-47A6EB47C96D} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-73586283-1364589140-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-73586283-1364589140-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-73586283-1364589140-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D80C4E21-C346-4E21-8E64-20746AA20AEB} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-73586283-1364589140-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9D440E0E-51DE-49AA-940F-5D7A60\7069B955-B251-4093-96C5-516968 -> Adware.SaveNow : Cleaned with backup


::Report End

-Erica

#4 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 17 January 2006 - 05:19 PM

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

Right click on this & select 'Save As' - DNSManual.bat
Doubleclick on DNSManual.bat & allow it to run.

SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders (let me know if you fail to find/delete any):
  • C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-174a0145.zip
  • C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5de14766.zip
  • C:\Documents and Settings\Administrator\My Documents\BSINSTALL.exe
  • C:\Program Files\BearShare\Installer\BSINSTALL.exe
Delete the contents of these folders, leaving them empty:
  • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\
  • C:\Program Files\Microsoft AntiSpyware\Quarantine\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Reboot/logoff if prompted.


Post a new log & let me know if you still have other issues.

#5 Erica6924

  • Topic Starter

Posted 17 January 2006 - 05:51 PM

Hey sUBs,
Everything seems to be working a lot better now. Still have a bit of lagginess, but that might just be because there are 6 computers hooked up to this network :thumbsup:
Here's a copy of the new HJT logfile

Logfile of HijackThis v1.99.1
Scan saved at 5:46:35 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105476429203
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
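As an added illustration (not code from this thread, from BleepingComputer or from HijackThis itself), the following Python script parses HijackThis v1.99 log lines like the ones posted above into records and applies the kind of review heuristics a log helper applies by eye: entries tagged (file missing), Run entries that name a bare file instead of a full path, O16 ActiveX controls fetched from the web, O20 Winlogon Notify DLLs, and anything that executes from outside Program Files or WINDOWS. The sample lines are copied from the log above; the final Run entry under a Temp folder is constructed to exercise the last rule. The heuristics are general rules of thumb for deciding what to look up, not verdicts on this particular log.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

FILE_MISSING = "(file missing)"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path (ending at a quote, a "(file missing)" tag or end of line) or a URL.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?|(?:https?|ftp)://\S+)\s*(?:"|\(file missing\)|$)')
O4_NAME_RE = re.compile(r"\]\s*(.*)$")          # O4 body: HKLM\..\Run: [Name] target
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)
TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(?:Program Files|PROGRA~1|WINDOWS)\\", re.I)

# Lines copied from the posted log; the last one is constructed to trigger the Temp-folder rule.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
"""


@dataclass
class Entry:
    section: str   # "O2", "O4", ...
    body: str      # everything after the section tag
    target: str    # file or URL the entry points at ("" if none recognised)
    missing: bool  # HijackThis tagged the target "(file missing)"


def extract_target(body):
    """Pick the file/URL an entry refers to; paths may themselves contain ' - '."""
    missing = FILE_MISSING in body
    m = PATH_RE.search(body)
    if m:
        return m.group(1), missing
    m = O4_NAME_RE.search(body)   # bare name in a Run key, e.g. "[SoundMan] SOUNDMAN.EXE"
    if m:
        return m.group(1).strip(), missing
    return "", missing


def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, body = m.groups()
            target, missing = extract_target(body)
            entries.append(Entry(section, body, target, missing))
    return entries


def review(entries):
    """Return (entry, reason) pairs worth a second look. Rules of thumb, not verdicts."""
    findings = []
    for e in entries:
        if e.missing:
            findings.append((e, "points at a file that no longer exists (orphaned entry)"))
        if e.section == "O4" and e.target and not ABS_PATH_RE.match(e.target):
            findings.append((e, "Run entry names a bare file; the loader resolves it via the search path, so confirm which file actually runs"))
        if e.section == "O16" and URL_RE.match(e.target):
            findings.append((e, "ActiveX control fetched from the web; confirm the host is a site you chose to use"))
        if e.section == "O20":
            findings.append((e, "DLL loaded by winlogon at logon; verify its publisher and path"))
        if ABS_PATH_RE.match(e.target) and not TRUSTED_DIR_RE.match(e.target):
            findings.append((e, "runs from outside Program Files / WINDOWS (user profile, Temp, ...)"))
    return findings


def report(text):
    return "\n".join(f"{e.section}: {e.target or e.body} -> {reason}"
                     for e, reason in review(parse_hjt(text)))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Entries that trip no rule (the Spybot BHO, Ad-Watch, the Symantec service) are simply not listed; the point of the script is to shrink a 60-line log to the handful of lines that need a lookup, not to declare anything malicious.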

#6 sUBs

  • Malware Response Team

Posted 17 January 2006 - 05:55 PM

Our work is done. Your system is clean.

Have you patched yourself against the WMF exploit yet? If not, please refer to my sig. Kindly follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
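The "Securing Internet Explorer" steps above change six Internet-zone actions. Each one is stored as a DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, so the result can be checked afterwards without clicking through the dialog again. The following Python script is an added example (not from this thread or from Microsoft): it reads a `reg export` of that key and reports every action whose value differs from the one the post recommends. The action IDs are the ones Microsoft documents for IE security zones (KB182569); the export text below is constructed for a zone that was only partly hardened.

```python
"""Audit IE Internet-zone settings against the values recommended above
(added example, not from the thread)."""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3          # the three values IE stores for a zone action
VALUE_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Action IDs: Microsoft's documented IE zone registry entries (KB182569).
# Recommended values: what the post above asks the user to set.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')

# Constructed export of a zone that has only partly been hardened (1607 never set).
# Real exports are UTF-16 with a BOM; decode the file before passing the text in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000001
"1201"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000001
"""


def parse_zone_export(text):
    """Return {value name: int} for every DWORD value in the export."""
    values = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(values):
    """List (id, label, current, recommended) for every action that deviates.

    An absent value is reported as 'not set': IE then applies the zone's
    built-in default, which the export does not show, so treat it as unverified."""
    deviations = []
    for action, (label, wanted) in RECOMMENDED.items():
        current = values.get(action)
        if current != wanted:
            shown = "not set" if current is None else VALUE_NAMES.get(current, str(current))
            deviations.append((action, label, shown, VALUE_NAMES[wanted]))
    return deviations


if __name__ == "__main__":
    for action, label, current, wanted in audit_zone(parse_zone_export(SAMPLE_EXPORT)):
        print(f"{action} {label}: {current} (recommended {wanted})")
```

Run it against `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` taken after the change; an empty report means every listed action matches. Because the export only contains values that have been explicitly written, "not set" is the honest answer for an action still at its default rather than a pass.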

#7 Erica6924

Erica6924
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Fort Wayne, In
  • Local time:06:02 PM

Posted 17 January 2006 - 06:14 PM

Hey sUBs,
Thanks for everything! I downloaded a few of the suggested items so hopefully everything goes well for a while now!

Thanks again,
Erica

#8 Erica6924

  • Topic Starter

Posted 22 January 2006 - 06:11 PM

Round 2. I just deleted a worm and some malware that XoftSpy found. Ran HijackThis. Could you see if it looks ok?
It said Vendor - Mirar, but that's really all the info it gave besides the fact that it's located in software\microsoft\windows\currentversion\internet settings

Anyway, it said it deleted it; just wanting to make sure everything checks out ok. Here's a copy of the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 6:03:31 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105476429203
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#9 sUBs

  • Malware Response Team

Posted 22 January 2006 - 10:17 PM

May I have the log from your online scan? The log is appearing clean.

#10 Erica6924

  • Topic Starter

Posted 22 January 2006 - 11:14 PM

This was the log from XoftSpy.
It seems that the problem has cleared up, so I guess I'm okay?

<?xml version = "1.0"?>
<Session START = "22 Jan 06 15:54:26" END = "22 Jan 06 18:02:05">
<Information Version = "4.21" DatabaseVersion = "142" DataBaseDate = "10 JAN 2006"/>
<Information OS = "Win XP"/>
<Information ServicePack = "Service Pack 2"/>
<Information WorkingDirectory = "C:\Program Files\XoftSpy\"/>
<Information Option = "AdvSpyware Scan" State = "ON"/>
<Information Option = "Scan IE Favorites" State = "ON"/>
<Information Option = "Scan Host Files" State = "ON"/>
<Information Option = "Scan Drives" State = "ON"/>
<Information Option = "Do Not Scan Executables" State = "OFF"/>
<Information Option = "Scan Registry" State = "ON"/>
<Information Option = "Scan Active Processes" State = "ON"/>
<Information Option = "Automatic Database Update" State = "ON"/>
<Information Option = "Automatic Program Update" State = "ON"/>
<Information Option = "Automatic Removal" State = "OFF"/>
<Information Option = "Exit When Finished" State = "OFF"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "SoundMan" Data = "SOUNDMAN.EXE" MD5 = "0303683d59216a82b316ce64c837d2d9" Path = "C:\WINDOWS\SOUNDMAN.EXE"/>
<Information Value = "AWMON" Data = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" MD5 = "ed7f4140bc9f05781355c2a36d0ad37c" Path = ""/>
<Information Value = "IgfxTray" Data = "C:\WINDOWS\system32\igfxtray.exe" MD5 = "17e216c3b7f4ad39826c219d597bbf03" Path = ""/>
<Information Value = "HotKeysCmds" Data = "C:\WINDOWS\system32\hkcmd.exe" MD5 = "d7acbc053673f37505b6e2b3c4444f74" Path = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/>
<Information Value = "Userinit" Data = "C:\WINDOWS\system32\userinit.exe,"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/>
<Information Value = "Shell" Data = "Explorer.exe"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "load" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "AppInit_DLLs" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"/>
<Information Value = "PostBootReminder" Data = "{7849596a-48ea-486e-8937-a2a3009f31a9}"/>
<Information Value = "CDBurn" Data = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"/>
<Information Value = "WebCheck" Data = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"/>
<Information Value = "SysTray" Data = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"/>
<Information Value = "{438755C2-A8BA-11D1-B96B-00A0C90312E1}" Data = "Browseui preloader"/>
<Information Value = "{8C7461EF-2B13-11d2-BE35-3078302C2030}" Data = "Component Categories cache daemon"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\OLE"/>
<Information Value = "DefaultLaunchPermission" Data = ""/>
<Information Value = "MachineLaunchRestriction" Data = ""/>
<Information Value = "MachineAccessRestriction" Data = ""/>
<Information Value = "EnableDCOM" Data = "Y"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "NoUpdateCheck" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "NoJITSetup" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "Cache_Update_Frequency" Data = "Once_Per_Session"/>
<Information Value = "Do404Search" Data = ""/>
<Information Value = "Local Page" Data = "C:\WINDOWS\system32\blank.htm"/>
<Information Value = "Start Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"/>
<Information Value = "Search Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "HistoryViewType" Data = ""/>
<Information Value = "AutoSearch" Data = "(DWORD) 0x4 0 0 0"/>
<Information Value = "Window_Placement" Data = ""/>
<Information Value = "Use Custom Search URL" Data = "(DWORD) 0x1 0 0 0"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "Default_Page_URL" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"/>
<Information Value = "Default_Search_URL" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "Search Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "Cache_Percent_of_Disk" Data = ""/>
<Information Value = "Local Page" Data = ""/>
<Information Value = "Anchor_Visitation_Horizon" Data = ""/>
<Information Value = "Placeholder_Width" Data = ""/>
<Information Value = "Placeholder_Height" Data = ""/>
<Information Value = "Start Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"/>
<Information Value = "CompanyName" Data = "Microsoft Corporation"/>
<Information Value = "Custom_Key" Data = "MICROSO"/>
<Information Value = "Wizard_Version" Data = "6.0.2600.0000"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Search"/>
<Information Value = "SearchAssistant" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"/>
<Information Value = "CustomizeSearch" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"/>
<Information Value = "CustomSearch" Data = "http://red.clientapps.yahoo.com/customize/ie/defaults/cs/ymsgr6/*http://www.yahoo.com/ext/search/search.html"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\SearchURL"/>
<Information Value = "provider" Data = ""/>
<Information Value = "" Data = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\URLSearchHooks"/>
<Information Value = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Toolbar"/>
<Information Value = "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" Data = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Toolbar"/>
<Information Value = "LinksFolderName" Data = "Links"/>
<Information Value = "Locked" Data = "(DWORD) 0 0 0 0"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\exefile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\comfile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\batfile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\piffile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\scrfile\shell\open\command"/>
<Information Value = "" Data = "%1 /S"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\htafile\shell\open\command"/>
<Information Value = "" Data = "C:\WINDOWS\system32\mshta.exe %1 %*" MD5 = "c4445bd306656ade30900e6197fabed1" Path = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
<Information Value = "ProxyEnable" Data = "(DWORD) 0 0 0 0"/>
<Information Directory = "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\*" Program = "desktop.ini" MD5 = "d6a6856702e3f0953e7246a9b4a9fe35" />
<Information Directory = "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\*" Program = "ERUNT AutoBackup.lnk" LinkFile = "C:\Program Files\ERUNT\AUTOBACK.EXE" MD5 = "e00de20f0f6bed5cd2160247ddc9443b"/>
<Information Directory = "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\*" Program = "Microsoft Office OneNote 2003 Quick Launch.lnk" LinkFile = "C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE" MD5 = "028d53c3fede8771d9ccb56287965984"/>
<Information Directory = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" Program = "Adobe Gamma Loader.lnk" LinkFile = "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" MD5 = "c2ff17734176cd15221c10044ef0ba1a"/>
<Information Directory = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" Program = "desktop.ini" MD5 = "d6a6856702e3f0953e7246a9b4a9fe35" />
<Scanning TIME = "22 Jan 06 15:54:26">
<PROCESS NAME = "C:\WINDOWS\system32\services.exe" MD5 = "c6ce6eec82f187615d1002bb3bb50ed4"/>
<PROCESS NAME = "C:\WINDOWS\system32\lsass.exe" MD5 = "84885f9b82f4d55c6146ebf6065d75d2"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" MD5 = "bd565b4456dbce6e02182f35586fd5bf"/>
<PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" MD5 = "08d26906c74805bee8deca4c7be8c7f5"/>
<PROCESS NAME = "C:\WINDOWS\system32\spoolsv.exe" MD5 = "da81ec57acd4cdc3d4c51cf3d409af9f"/>
<PROCESS NAME = "C:\Program Files\Symantec AntiVirus\DefWatch.exe" MD5 = "a3985a8ded49f67e3e25d2d2921b4dac"/>
<PROCESS NAME = "C:\Program Files\ewido anti-malware\ewidoctrl.exe" MD5 = "26830b750372ab1bf29c95deebeb802f"/>
<PROCESS NAME = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" MD5 = "11f714f85530a2bd134074dc30e99fca"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" MD5 = "91c4579e77abdfac02c16e0d0736123e"/>
<PROCESS NAME = "C:\WINDOWS\system32\wdfmgr.exe" MD5 = "c81b8635dee0d3ef5f64b3dd643023a5"/>
<PROCESS NAME = "C:\WINDOWS\System32\alg.exe" MD5 = "f1958fbf86d5c004cf19a5951a9514b7"/>
<PROCESS NAME = "C:\WINDOWS\Explorer.EXE" MD5 = "a0732187050030ae399b241436565e64"/>
<PROCESS NAME = "C:\WINDOWS\SOUNDMAN.EXE" MD5 = "0303683d59216a82b316ce64c837d2d9"/>
<PROCESS NAME = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" MD5 = "ed7f4140bc9f05781355c2a36d0ad37c"/>
<PROCESS NAME = "C:\WINDOWS\system32\igfxtray.exe" MD5 = "17e216c3b7f4ad39826c219d597bbf03"/>
<PROCESS NAME = "C:\WINDOWS\system32\hkcmd.exe" MD5 = "d7acbc053673f37505b6e2b3c4444f74"/>
<PROCESS NAME = "C:\Program Files\Ventrilo\Ventrilo.exe" MD5 = "93217887413bd3371c76b53b06e5317e"/>
<PROCESS NAME = "C:\Program Files\MSN Messenger\msnmsgr.exe" MD5 = "59e6b431faf166923c93f32d1fb9aaa4"/>
<PROCESS NAME = "C:\WINDOWS\system32\ctfmon.exe" MD5 = "24232996a38c0b0cf151c2140ae29fc8"/>
<PROCESS NAME = "C:\Program Files\AIM\aim.exe" MD5 = "7ead56abf649aa78cc4036548c3f1e18"/>
<PROCESS NAME = "C:\Program Files\XoftSpy\XoftSpy.exe" MD5 = "14a25102642960b794b4cf5981b2c341"/>
<ScanningRegKeys>
</SW>
<SW NAME = "ISTBar">
<REGKEYFOUND NAME = "software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net"/>
<REGKEY NAME = "ISTBar software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net"/>
</SW>
<SW NAME = "Mirar">
<REGKEYFOUND NAME = "software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com"/>
<REGKEY NAME = "Mirar software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com"/>
</ScanningRegKeys>
<ScanningRegValues>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
</Scanning>

<Information Message = "Starting to Quarantine 2 Items"/>
<Quarantines>
<QTFILE PATH = "C:\Program Files\XoftSpy\Quarantine\Quarantine22-01-2006-18-01-48.xpy" />
<INFO ACTION = "Added"/>
<INFO TIME = "22-01-2006-18-01-48"/>
<REGKEY RES = "Exporting - software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net"/>
<REGKEY RES = "Exporting - software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com"/>
</Quarantines>
<QInformation Message = "Quarantining File REG BACKUP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\regbackup.reg"/>
<Removal>
<SW NAME = "ISTBar">
<REGKEY NAME = "software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net"/>
<REGKEY RES = "Successfully ReMoved"/>
</SW>
<SW NAME = "Mirar">
<REGKEY NAME = "software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com"/>
<REGKEY RES = "Successfully ReMoved"/>
</SW>
</Removal>
</Session>

#11 sUBs (Malware Response Team)

Posted 22 January 2006 - 11:30 PM

Lol... do you have anything that's easier to read? Those 2 reg entries appear to be false positives. You're still clean... machine-wise :thumbsup:

Edited by sUBs, 22 January 2006 - 11:31 PM.
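The two entries called out above live under Internet Explorer's ZoneMap\Domains key, which maps a host name to a URL security zone (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites). A practitioner would check which zone a flagged domain is assigned to before deleting it: immunization tools write advertising and spyware domains into zone 4 to block them, which is benign, whereas an unexpected zone 2 entry grants trust and deserves a look. The following parser for the kind of .reg backup the log says it exported is an added example, not code from this thread, from XoftSpy or from HijackThis; the .reg text, the `example.test` host and the verdict wording are constructed assumptions.

```python
"""Classify Internet Explorer ZoneMap\\Domains entries from a .reg export.

Added example: a hypothetical parser, not code from the thread or from
XoftSpy/HijackThis. The .reg text below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# IE URL security zone IDs (documented Windows values).
ZONES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what an "Exporting - ...zonemap\domains\..." backup
# contains. Immunization tools write "*"=dword:00000004 (Restricted Sites)
# for each domain they block; the third key is an assumed trusted-zone grant.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\contentmatch.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\net-nucleus.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\example.test\\www]
"http"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
DOMAINS_MARKER = "\\internet settings\\zonemap\\domains\\"


@dataclass
class ZoneEntry:
    domain: str      # full host name, e.g. www.example.test
    scheme: str      # "*" = any scheme, or "http"/"https"/...
    zone: int
    zone_name: str
    verdict: str


def _verdict(zone: int) -> str:
    if zone == 4:
        return "benign: domain is blocked (Restricted Sites), typical of immunization tools"
    if zone in (1, 2):
        return "suspicious: domain granted elevated trust, review before keeping"
    return "informational"


def parse_zonemap(reg_text: str) -> list[ZoneEntry]:
    """Walk a .reg export and return every ZoneMap domain/scheme assignment."""
    entries: list[ZoneEntry] = []
    current_domain = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            idx = key.lower().find(DOMAINS_MARKER)
            if idx == -1:
                current_domain = None      # some other key, ignore its values
                continue
            # ZoneMap stores www.example.test as Domains\example.test\www,
            # so the subkeys are the host labels in reverse order.
            labels = key[idx + len(DOMAINS_MARKER):].split("\\")
            current_domain = ".".join(reversed(labels))
            continue
        if current_domain is None:
            continue
        val = DWORD_RE.match(line)
        if val:
            zone = int(val.group("hex"), 16)
            entries.append(ZoneEntry(
                domain=current_domain,
                scheme=val.group("name"),
                zone=zone,
                zone_name=ZONES.get(zone, f"unknown ({zone})"),
                verdict=_verdict(zone),
            ))
    return entries


if __name__ == "__main__":
    for e in parse_zonemap(SAMPLE_REG):
        print(f"{e.domain:20} {e.scheme:5} zone {e.zone} ({e.zone_name}): {e.verdict}")
```

Run against a real export (File > Export in regedit on the ZoneMap\Domains key), the same walk tells you whether a scanner's "spyware domain in the registry" hit is a block list entry or a trust grant; only the latter changes what IE will do with content from that host.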


#12 Erica6924 (Topic Starter, Fort Wayne, In)

Posted 22 January 2006 - 11:49 PM

lol, well, if you say it looks OK then I'm not gonna bother posting anything else :thumbsup:
It seems to be doing fine after I clicked "delete", lol.
Just making sure HJT didn't show anything else that it might have missed.
Thanks for your time... again.

I could always scan with Ewido or something, but if you think it's fine, then I won't bother.

#13 sUBs (Malware Response Team)

Posted 22 January 2006 - 11:53 PM

Feel free to use Ewido. It's wise to use it periodically to ensure that your machine is clean... just like soap.

#14 Erica6924 (Topic Starter, Fort Wayne, In)

Posted 23 January 2006 - 01:45 AM

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:42:40 AM, 1/23/2006
+ Report-Checksum: 5B08CE33

+ Scan result:

:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ofy2lh5r.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup


::Report End

#15 sUBs (Malware Response Team)

Posted 23 January 2006 - 01:47 AM

Nothing but cookies. You have nothing to worry about. :thumbsup:
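Every line in the Ewido report above points into one text file, the Firefox profile's cookies.txt, and each "Spyware.Cookie.X" name is a domain match on a record in that file: no executable, no registry persistence, just a third-party advertising cookie. The script below, an added example rather than code from the thread or from Ewido, parses the Netscape cookies.txt format and applies that kind of domain list. The tracker domains, their labels, the cookie records and the 1-based record numbering are constructed assumptions; in particular it is an assumption that the numbering mirrors the report's ":mozilla.N:" tags.

```python
"""Triage a Mozilla cookies.txt: flag records whose domain belongs to a known
advertising/tracking network, the way a cookie scanner does.

Added example, not code from the thread or from ewido. The tracker list and
the cookies.txt content are constructed for illustration.
"""

# Constructed mapping from tracker domain to a scanner-style label. The
# domains are assumptions standing in for the report's detection names.
TRACKER_DOMAINS = {
    "casalemedia.com": "Spyware.Cookie.Casalemedia",
    "liveperson.net": "Spyware.Cookie.Liveperson",
    "falkag.net": "Spyware.Cookie.Falkag",
    "yieldmanager.com": "Spyware.Cookie.Yieldmanager",
}

# Constructed Netscape/Mozilla cookies.txt: 7 TAB-separated fields per record
# (domain, include_subdomains, path, secure, expires, name, value).
SAMPLE_COOKIES_TXT = "\n".join([
    "# HTTP Cookie File",
    "# http://www.netscape.com/newsref/std/cookie_spec.html",
    ".casalemedia.com\tTRUE\t/\tFALSE\t2000000000\tCMID\tabc123",
    "www.example.org\tFALSE\t/\tFALSE\t2000000000\tsession\tdeadbeef",
    ".ad.yieldmanager.com\tTRUE\t/\tFALSE\t2000000000\tuid\t42",
    "ad.yieldmanager.com\tFALSE\t/\tFALSE\t2000000000\tpv1\t7",
    ".liveperson.net\tTRUE\t/\tFALSE\t2000000000\tLivePersonID\tLP-1",
    "",
])


def tracker_label(domain: str):
    """Return the tracker label for a cookie domain, or None if it is not listed.

    A leading dot means the cookie applies to subdomains too, so it is stripped
    before matching; subdomains of a listed tracker (ad.yieldmanager.com) match.
    """
    host = domain.lstrip(".").lower()
    for tracker, label in TRACKER_DOMAINS.items():
        if host == tracker or host.endswith("." + tracker):
            return label
    return None


def scan_cookies(text: str) -> list[dict]:
    """Parse cookies.txt and attach a tracker label (or None) to each record.

    The index is 1-based over cookie records only, comments excluded (assumed
    to resemble the report's ':mozilla.N:' numbering).
    """
    results = []
    index = 0
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue                      # malformed record: skip rather than guess
        index += 1
        domain, _subdomains, _path, _secure, _expires, name, _value = fields
        results.append({
            "index": index,
            "domain": domain,
            "name": name,
            "label": tracker_label(domain),
        })
    return results


def flagged(text: str) -> list[dict]:
    """Only the records a cookie scanner would report."""
    return [r for r in scan_cookies(text) if r["label"] is not None]


if __name__ == "__main__":
    for r in flagged(SAMPLE_COOKIES_TXT):
        print(f":mozilla.{r['index']}: {r['domain']} ({r['name']}) -> {r['label']}")
```

Deleting a flagged record (or the whole file) is all "Cleaned with backup" amounts to; the first-party `www.example.org` session cookie passes untouched because it matches nothing in the list, which is also why such detections never indicate code execution on the machine.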
