
(0xc0000022) Error With Hjtlog Dasnootz


4 replies to this topic

#1 dasnootz, posted 17 January 2006 - 11:50 AM

I started my computer this morning to find that SpySheriff had installed itself. I used my AVG antivirus software and SpyBot S&D to get rid of it, but now when I start Windows up I get:

Explorer:
The application failed to initialize properly (0XC0000022).

Now I can only start in Safe Mode.

Here is my HJT log... can anyone help me make sense of this?

Logfile of HijackThis v1.99.1
Scan saved at 11:43:22 AM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nnymls.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.rentmanager.com/demo/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A07EC7E-FF1B-49B4-A97C-CE4193CBC919}: NameServer = 24.92.226.11,24.92.226.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A07EC7E-FF1B-49B4-A97C-CE4193CBC919}: NameServer = 24.92.226.11,24.92.226.12
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Edited by dasnootz, 17 January 2006 - 11:51 AM.
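
A small parser for logs in this format, as an added example that is not part of the original thread and not code from HijackThis: it splits a HijackThis 1.99 log into header, running processes and R/F/O entries, then pulls out the items a helper reads first (an image listed twice under running processes, O4 autostarts that match a watchlist, every O16 ActiveX download, the O17 NameServer pair). The embedded sample is an abridged copy of the log above; the watchlist of rogue-antispyware names is a constructed assumption built only from names that appear in this thread (SpySheriff, WinHound, SpyAxe, SpywareStrike).

```python
"""Triage helper for HijackThis v1.99 logs.

Added example, not code from the thread or from HijackThis itself.  SAMPLE_LOG
is an abridged copy of the first log posted above; WATCHLIST is a constructed
assumption made of rogue-antispyware names that appear in this thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:43:22 AM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nnymls.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.rentmanager.com/demo/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A07EC7E-FF1B-49B4-A97C-CE4193CBC919}: NameServer = 24.92.226.11,24.92.226.12
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Constructed watchlist: rogue "antispyware" families named in this thread.
WATCHLIST = ("SpySheriff", "WinHound", "SpyAxe", "SpywareStrike")

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")  # "O4 - ..."
O4_RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<key>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def parse_hjt(text):
    """Split a log into its header lines, running processes and R/F/O entries."""
    header, processes, entries = [], [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            mode = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            mode = "entries"
            entries.append((m.group(1), m.group(2)))
        elif mode == "processes":
            processes.append(line)
        elif mode == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def autostart_command(rest):
    """Return the command behind an O4 line (Run key or Startup-folder shortcut)."""
    m = O4_RUN_RE.match(rest) or O4_STARTUP_RE.match(rest)
    return m.group("cmd") if m else rest


def review(parsed, watchlist=WATCHLIST):
    """Return (kind, detail) findings in the order a helper would ask about them."""
    findings = []
    # An image listed twice under "Running processes" (here Explorer.EXE) is
    # worth a question, since one of the two may not be the real shell.
    counts = Counter(p.lower() for p in parsed["processes"])
    for proc in sorted(p for p, n in counts.items() if n > 1):
        findings.append(("duplicate-process", proc))
    for section, rest in parsed["entries"]:
        if section == "O4" and any(w.lower() in rest.lower() for w in watchlist):
            findings.append(("watchlist-autostart", autostart_command(rest)))
        elif section == "O16":
            # Every ActiveX download gets listed so its URL can be vetted.
            findings.append(("activex-download", rest.rsplit(" - ", 1)[-1]))
        elif section == "O17":
            m = O17_RE.search(rest)
            if m:
                # Not a verdict: compare these against the ISP's resolvers.
                findings.append(("nameserver", m.group("servers")))
    return findings


if __name__ == "__main__":
    for kind, detail in review(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:22} {detail}")
```

Every finding is a question rather than a verdict: the O17 NameServer pair has to be compared with the ISP's resolvers, the O16 download with the site it was fetched from, and a doubled Explorer.EXE with what was actually running. On this log the one hit that is clearly bad is the WinHound Run entry, which the smitRem log later in the thread confirms and removes.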



 


#2 dasnootz (Topic Starter), posted 19 January 2006 - 08:08 AM

Bump.

Anyone?.... Please.

#3 Daisuke (Cleaner on Duty), posted 21 January 2006 - 08:22 AM

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#4 dasnootz (Topic Starter), posted 23 January 2006 - 10:37 AM

Thank you so much for the help. I've run everything as described, and here are the appropriate log files.

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 10:31:48 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nnymls.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.rentmanager.com/demo/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A07EC7E-FF1B-49B4-A97C-CE4193CBC919}: NameServer = 24.92.226.11,24.92.226.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A07EC7E-FF1B-49B4-A97C-CE4193CBC919}: NameServer = 24.92.226.11,24.92.226.12
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
---------------------------------------------------------------------------------------------------------------------




ACTIVE SCAN:

Incident Status Location

Virus:Trj/ClassLoader.U Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-2541a034-345c9f12.zip[BlackBox.class]
Virus:Trj/ClassLoader.V Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-2541a034-345c9f12.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-2541a034-345c9f12.zip[Dummy.class]
Virus:Trj/Downloader.HAS Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-2541a034-345c9f12.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c168a63-7815b582.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c168a63-7815b582.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c168a63-7815b582.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c168a63-7815b582.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-34c8c170.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-34c8c170.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-34c8c170.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-290ed5ef-34c8c170.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv545.jar-40249780-164b188d.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv545.jar-40249780-164b188d.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv545.jar-40249780-164b188d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv545.jar-40249780-164b188d.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-6ca749fa.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-6ca749fa.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-6ca749fa.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-6ca749fa.zip[Installer.class]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adultfriendfinder[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ccbill[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@kinghost[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@webpower[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@yadro[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\smitRem\Process.exe
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\information.zip[information.doc .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\IMPORTANT NOTIFICATION\information.zip[information.txt .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Security measures\instructions.zip[instructions.txt .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS\information.zip[information.doc .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED\email-info.zip[email-info.txt .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Your Email Account is Suspended For Security Reasons\document.zip[document.doc .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Account Alert\email-info.zip[email-info.doc .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*DETECTED* Online User Violation\account-details.zip[account-details.doc .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\account-details.zip[account-details.doc .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Account Alert\email-info.zip[email-info.doc .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*DETECTED* Online User Violation\instructions.zip[instructions.htm .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\htf.zip[htf.htm .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Email Account Suspension\document.zip[document.htm .pif]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\nqrjdbjj\email-doc.zip[email-doc.htm .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\jhnu.zip[jhnu.htm .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Account Alert\info-text.zip[info-text.htm .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\info-text.zip[info-text.txt .pif]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Account Alert\information.zip[information.doc .pif]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED\information.zip[information.htm .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*DETECTED* Online User Violation\email-info.zip[email-info.txt .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*WARNING* Your Email Account Will Be Closed\email-info.zip[email-info.txt .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Account Alert\information.zip[information.txt .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\*DETECTED* ONLINE USER VIOLATION\email-info.zip[email-info.htm .scr]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Your Email Account is Suspended For Security Reasons\fjti.zip[fjti.doc .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\information.zip[information.txt .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\IMPORTANT NOTIFICATION\email-info.zip[email-info.txt .exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1147306578-658980445-1909168228-500\Dc1.exe[Process.exe]
---------------------------------------------------------------------------------------------------------------------


EWIDO REPORT:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:54:01 AM, 1/23/2006
+ Report-Checksum: 870364B2

+ Scan result:

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-24839d8c.class -> Downloader.OpenStream.y : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@clickthrough.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.dex.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@thunderbolt.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP425\A0078245.exe -> Trojan.LowZones.df : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP425\A0078246.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP425\A0078247.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP425\A0078248.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP425\A0078249.exe -> Trojan.LowZones.df : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP425\A0078253.dll -> Trojan.Small.ev : Cleaned with backup


::Report End

---------------------------------------------------------------------------------------------------------------------


SMITFILES.TXT

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 01/23/2006
The current time is: 9:17:33.34

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!



WinHound.com key was successfully removed! :thumbsup:

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Winhound


~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1592 'explorer.exe'
Killing PID 1592 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :flowers: Starting replacement procedure.


~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINNT\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ C:\WINNT\$hf_mig$\KB890923\SP2QFE Present! ~~~~


~~~~ Checking KB890923\SP2QFE\wininet.dll for infection ~~~~


~~~~ KB890923\SP2QFE Clean! ~~~~

~~~ Replaced wininet.dll from KB890923\SP2QFE ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINNT\system32\wininet.dll for infection ~~~~


~~~~ C:\WINNT\system32\wininet.dll Clean! :huh: ~~~~
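
The Panda ActiveScan report above, as an added example that is not part of the original thread and not Panda's code: a parser for its `Category:Detection Status Location` lines that separates what was disinfected from what still needs action, groups the Java cache hits per jar, and flags mail attachments whose real extension hides behind a decoy one, the `information.doc .scr` pattern the Mytob attachments on this page use. The sample is a constructed excerpt copied from the report; the list of executable extensions is an assumption for the example, and the check is general enough to also catch plain double extensions such as `invoice.doc.exe`, which this page does not show.

```python
"""Triage helper for Panda ActiveScan reports.

Added example, not code from the thread or from Panda.  SAMPLE_REPORT is a
constructed excerpt copied from the report posted above; EXEC_EXT is an
assumption for the example.
"""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c168a63-7815b582.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c168a63-7815b582.zip[VerifierBug.class]
Virus:Trj/Downloader.HAS Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-2541a034-345c9f12.zip[Beyond.class]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ask[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\smitRem\Process.exe
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Account Alert\email-info.zip[email-info.doc .exe]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Email Account Suspension\document.zip[document.htm .pif]
Virus:W32/Mytob.DW.worm Disinfected Personal Folders\Inbox\Important Notification\information.zip[information.doc .scr]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1147306578-658980445-1909168228-500\Dc1.exe[Process.exe]
"""

# One incident per line: "<category>:<detection> <status> <location>".
INCIDENT_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+) "
    r"(?P<status>Disinfected|Not disinfected) (?P<location>.+)$"
)
# "<container>[<member>]" names a file inside an archive, an attachment
# inside a mailbox .zip, or a deleted file inside a recycler record.
LOCATION_RE = re.compile(r"^(?P<container>.*?)(?:\[(?P<member>[^\]]*)\])?$")
# Assumed set of extensions Windows runs when the file is double-clicked.
EXEC_EXT = ("exe", "scr", "pif", "com", "bat", "cmd")
# A decoy extension, optional padding, then the real one: "information.doc .scr".
DISGUISED_RE = re.compile(r"\.\w+\s*\.(%s)$" % "|".join(EXEC_EXT), re.IGNORECASE)
JAVA_CACHE = "\\Sun\\Java\\Deployment\\cache\\"


def parse_report(text):
    """Return one dict per incident line; the header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if not m:
            continue
        loc = LOCATION_RE.match(m.group("location"))
        incidents.append({
            "category": m.group("category"),
            "name": m.group("name"),
            "status": m.group("status"),
            "container": loc.group("container"),
            "member": loc.group("member"),
        })
    return incidents


def is_disguised_executable(filename):
    """True for "report.doc .scr" style names and for plain "report.doc.exe"."""
    return bool(DISGUISED_RE.search(filename))


def summarize(incidents):
    """Split the report into what is done, what is pending and what to ask about."""
    by_status = Counter(i["status"] for i in incidents)
    pending = [i["container"] for i in incidents if i["status"] != "Disinfected"]
    disguised = [i["member"] for i in incidents
                 if i["member"] and is_disguised_executable(i["member"])]
    # Group Java cache hits by jar: several classes in one jar are one download.
    java_cache = defaultdict(set)
    for i in incidents:
        if JAVA_CACHE in i["container"]:
            java_cache[i["container"].rsplit("\\", 1)[-1]].add(i["name"])
    return {"by_status": by_status, "pending": pending,
            "disguised": disguised, "java_cache": dict(java_cache)}


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(dict(s["by_status"]))
    print("still to act on:", *s["pending"], sep="\n  ")
    print("disguised attachments:", *s["disguised"], sep="\n  ")
    for jar, names in s["java_cache"].items():
        print(f"{jar}: {', '.join(sorted(names))}")
```

Of the three `Not disinfected` items, the two copies of Process.exe are the command-line process killer that smitRem carries (its banner is printed in smitfiles.txt above), so the one under the smitRem folder is expected; the copy left in C:\RECYCLER is the one worth removing, and the grouped Java cache hits show that a handful of detections came from only a few cached jars.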

#5 Daisuke (Cleaner on Duty), posted 23 January 2006 - 04:03 PM

Click Here to download Killbox by Option^Explicit.
Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
c:\recycler

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

Please run the Panda online scan again and post the log.

Run HijackThis! again and post a new log please.


You had many infected emails. Is your antivirus set to scan incoming emails ?

Also you should keep Sun Java always up-to-date.
Install the latest version: http://www.java.com/en/download/manual.jsp

Edited by Daisuke, 23 January 2006 - 04:03 PM.
