My Internet Doesn't Start At All


6 replies to this topic

#1 Whut

Posted 19 March 2006 - 07:54 AM

I can surf for about a minute after re-enabling my network connection. Can anyone tell me what's wrong?


Logfile of HijackThis v1.99.1
Scan saved at 22:19:02, on 18/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\desktop.exe
C:\WINDOWS\system32\msrr\msrr.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
G:\Downloaded Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\ifinger\plugins\IE.ifp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GMTcheck] C:\WINDOWS\system32\msrr\msrh.exe C:\WINDOWS\system32\msrr\msrr.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: iFinger 2.1.lnk = C:\Program Files\ifinger\iFinger.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\System32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142096126464
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142098007284
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E05D92D-92EC-4146-85EA-FDFCA8649803}: NameServer = 213.42.20.20,195.229.241.222
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Gates Hell (Gates) - Unknown owner - C:\WINDOWS\System32\BillG.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

#2 Whut

  • Topic Starter

Posted 19 March 2006 - 07:58 AM

I don't know if I'm allowed to do this here, but it's part of the problem. There are all these processes running when I checked in cmd.

Posted Image

#3 didom

Posted 20 March 2006 - 10:34 AM

I don't know if this file is still on your computer, but if it is I would like you to submit it:

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "put file path here"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\WINDOWS\System32\BillG.exe
  • Click Open.
  • Click Post.
Thank you!

--------------------------

1. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
2. Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

3. Start HijackThis and perform a new scan.

4. Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#4 Whut

  • Topic Starter

Posted 26 March 2006 - 02:38 PM

Thanks for replying. I wish I'd posted this sooner. I was away for a while, and meanwhile my dad uninstalled PC-cillin and installed Norton, and for whatever reason my net is working. So whether the culprit will show up this time, I don't know. But it's still slow.

err.. I couldn't find

C:\WINDOWS\System32\BillG.exe

so I didn't post that on the spy killer...

Here's the results.

Incident Status Location

Potentially unwanted tool:application/errorguard Not disinfected C:\PROGRAM FILES\ErrorGuard
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Horus\Cookies\horus@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Horus\Cookies\horus@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Horus\Cookies\horus@bluestreak[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Horus\Cookies\horus@c5.zedo[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Horus\Cookies\horus@ccbill[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Horus\Cookies\horus@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@fastclick[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Horus\Cookies\horus@fortunecity[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Horus\Cookies\horus@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Horus\Cookies\horus@hitbox[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Horus\Cookies\horus@maxserving[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Horus\Cookies\horus@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Horus\Cookies\horus@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Horus\Cookies\horus@questionmarket[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Horus\Cookies\horus@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Horus\Cookies\horus@tribalfusion[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@valueclick[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Horus\Cookies\horus@zedo[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Horus\Cookies\horus@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Horus\Cookies\horus@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Horus\Cookies\horus@bluestreak[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Horus\Cookies\horus@c5.zedo[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Horus\Cookies\horus@ccbill[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Horus\Cookies\horus@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@fastclick[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Horus\Cookies\horus@fortunecity[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Horus\Cookies\horus@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Horus\Cookies\horus@hitbox[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Horus\Cookies\horus@maxserving[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Horus\Cookies\horus@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Horus\Cookies\horus@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Horus\Cookies\horus@questionmarket[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Horus\Cookies\horus@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Horus\Cookies\horus@tribalfusion[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@valueclick[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Horus\Cookies\horus@zedo[1].txt
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Potentially unwanted tool:Application/PrcView.A Not disinfected C:\winnt\system32\Lavan\Libparse.exe
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\winnt\system32\Lavan\psexec.exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\winnt\system32\Lavan\RedBull.EXE
Potentially unwanted tool:Application/ToolWget Not disinfected C:\winnt\system32\Lavan\wget.exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\winnt\system32\Lavan\winIogon.exe
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\winnt\system32\Lavan\xsys.dll
Virus:W32/Dumaru.V.worm Disinfected C:\wmplayer.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, March 26, 2006 6:04:36 AM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/03/2006
Kaspersky Anti-Virus database records: 183976
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 60899
Number of viruses found: 20
Number of infected objects: 64
Number of suspicious objects: 0
Duration of the scan process: 03:22:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Horus\Local Settings\Temp\nsj3D.tmp/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsj3D.tmp/data0002/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsj3D.tmp/data0002 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsj3D.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nss46.tmp/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nss46.tmp/data0002/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nss46.tmp/data0002 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nss46.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsy132.tmp/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsy132.tmp/data0002/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsy132.tmp/data0002 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Documents and Settings\Horus\Local Settings\Temp\nsy132.tmp NSIS: infected - 3 skipped
C:\Program Files\ARPR\arpr.exe Infected: not-a-virus:PSWTool.Win32.OEPass.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\16DC56D1.exe Infected: Backdoor.Win32.Shodabot.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A2478BD Infected: Backdoor.IRC.Zapchast skipped
C:\Program Files\Norton AntiVirus\Quarantine\2AF577D8 Infected: not-a-virus:Monitor.Win32.SpyAgent.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D1434C3 Infected: Trojan.BAT.Zapchast skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D996E30 Infected: Trojan.BAT.Zapchast skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E1F279C/data.rar/Project1.exe Infected: Trojan-Downloader.Win32.VB.xt skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E1F279C/data.rar Infected: Trojan-Downloader.Win32.VB.xt skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E1F279C RarSFX: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E1F279C CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3EA2370C Infected: Trojan.BAT.Zapchast skipped
C:\Program Files\Norton AntiVirus\Quarantine\3FAE29E6 Infected: Trojan.BAT.Zapchast skipped
C:\Program Files\Norton AntiVirus\Quarantine\40346352 Infected: Trojan.BAT.Zapchast skipped
C:\Program Files\Norton AntiVirus\Quarantine\40B672C3 Infected: Trojan-Downloader.Win32.VB.xt skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002186.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002188.cfg Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/datasht.cfg Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/msrh.exe Infected: not-a-virus:RiskTool.Win32.HideRun skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/msrr.exe Infected: Backdoor.Win32.mIRC-based skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/nnick.mrc Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/win32.exe Infected: HackTool.Win32.XScan.23 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/workit.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe/xend.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002191.exe StubbieMan: infected - 7 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002192.exe Infected: not-a-virus:RiskTool.Win32.HideRun skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002193.exe Infected: HackTool.Win32.XScan.23 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002194.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP3\A0002195.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009365.BAT Infected: Trojan.BAT.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009366.bat Infected: Trojan.BAT.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009367.exe/data.rar/Project1.exe Infected: Trojan-Downloader.Win32.VB.xt skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009367.exe/data.rar Infected: Trojan-Downloader.Win32.VB.xt skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009367.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009368.bat Infected: Trojan.BAT.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009369.bat Infected: Trojan.BAT.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009370.bat Infected: Trojan.BAT.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009372.ini Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\_restore{C7F6F591-8557-4489-9AC7-95DBE1B7DB2C}\RP6\A0009373.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.g skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.ag skipped
C:\winnt\system32\Lavan\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\winnt\system32\Lavan\RedBull.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 skipped
C:\winnt\system32\Lavan\winIogon.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 skipped
E:\reuben\Iommi\John\Anton Maiden\CNET-audiogalaxy0605.exe/fsg-ag.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\reuben\Iommi\John\Anton Maiden\CNET-audiogalaxy0605.exe ViseMan: infected - 1 skipped
E:\reuben\Iommi\John\Anton Maiden\CNET-audiogalaxy0605.exe ViseMan: infected - 1 skipped
G:\MADMAX\INSTALLERS\Misc\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
G:\MADMAX\INSTALLERS\Misc\vnc-3.3.3r9_x86_win32.zip ZIP: infected - 1 skipped
G:\MADMAX\DOCS-dennis\ZoomTech\tools\tftpd32e\tftpd32.exe Infected: not-a-virus:Server-FTP.Win32.Tftpd.b skipped
G:\System Volume Information\_restore{74B09654-D077-476B-8623-FB0E45847A16}\RP14\A0001909.exe/fsg-ag.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
G:\System Volume Information\_restore{74B09654-D077-476B-8623-FB0E45847A16}\RP14\A0001909.exe ViseMan: infected - 1 skipped
G:\System Volume Information\_restore{74B09654-D077-476B-8623-FB0E45847A16}\RP14\A0001909.exe ViseMan: infected - 1 skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 16:30:09, on 26/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Downloaded Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GMTcheck] C:\WINDOWS\system32\msrr\msrh.exe C:\WINDOWS\system32\msrr\msrr.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142096126464
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142098007284
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E05D92D-92EC-4146-85EA-FDFCA8649803}: NameServer = 213.42.20.20,195.229.241.222
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Gates Hell (Gates) - Unknown owner - C:\WINDOWS\System32\BillG.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#5 didom

didom
  • Members
  • 1,389 posts
  • Gender:Male

Posted 26 March 2006 - 03:07 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please run Notepad and copy the following text into a new file:

sc stop Gates
sc stop "Microsoft NetWork FireWall Services"

sc delete Gates
sc delete "Microsoft NetWork FireWall Services"

Save the file as remove.bat and make sure the "Save as type" field says "All files".
This is how the batch must look afterwards: [screenshot not preserved]

Double-Click on the file remove.bat, a small DOS type window should open and close immediately.

Step #2

Download CCleaner and install it. (Please do not run the CCleaner utility yet.)

Step #3

Scan again with HijackThis and check the following items (if they are still there):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe

O23 - Service: Gates Hell (Gates) - Unknown owner - C:\WINDOWS\System32\BillG.exe (file missing)

O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #5

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #6

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\o <= this file
C:\WINDOWS\System32\BillG.exe <= this file

C:\Program Files\ARPR <= this folder
C:\winnt\system32\Lavan <= this folder
C:\PROGRAM FILES\ErrorGuard <= this folder

C:\Documents and Settings\Horus\Local Settings\Temp\nsj3D.tmp <= this file
C:\Documents and Settings\Horus\Local Settings\Temp\nss46.tmp <= this file
C:\Documents and Settings\Horus\Local Settings\Temp\nsy132.tmp <= this file

G:\MADMAX\INSTALLERS\Misc\vnc-3.3.3r9_x86_win32.zip <= this file
G:\MADMAX\DOCS-dennis\ZoomTech\tools\tftpd32e\tftpd32.exe <= this file
E:\reuben\Iommi\John\Anton Maiden\CNET-audiogalaxy0605.exe <= this file

Reboot your computer normally.

Step #7

While still in Safe Mode, start CCleaner. Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and then click Run Cleaner (bottom right).

Step #8

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
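As an added example (not code from this thread or from HijackThis), the Python below parses O23 lines in the layout shown in the logs above, flags the ones that trip a few defender heuristics (the heuristics are my assumptions, not rules HijackThis applies), and drafts the same sc stop / sc delete batch didom gave in Step #1. The sample lines are copied from the first log in this thread:

```python
import re
from dataclasses import dataclass, field

# Sample input: the O23 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = """\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\\WINDOWS\\System32\\CTSvcCDA.EXE
O23 - Service: Gates Hell (Gates) - Unknown owner - C:\\WINDOWS\\System32\\BillG.exe (file missing)
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
"""
# O23 layout in HijackThis 1.99: "O23 - Service: <display> (<key name>) - <company> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # "C:\..." style absolute path

@dataclass
class ServiceEntry:
    display: str
    short: str          # service key name, "" when HijackThis shows none
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)

    @property
    def sc_name(self) -> str:
        """Name sc.exe takes: the key name when known, else the display name, quoted if it has spaces."""
        name = self.short or self.display
        return f'"{name}"' if " " in name else name

def parse_o23(line: str):
    m = O23_RE.match(line.strip())
    if m is None:
        return None  # not an O23 entry
    return ServiceEntry(m["display"], m["short"] or "", m["owner"], m["path"], m["missing"] is not None)

def triage_o23(log_text: str) -> list:
    """Return entries that trip at least one heuristic (assumed here; not rules HijackThis applies)."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_o23(line)
        if e is None:
            continue
        if e.owner == "Unknown owner":
            e.reasons.append("HijackThis found no company name for the binary")
        if e.file_missing:
            e.reasons.append("service is still registered but its binary is gone")
        if not DRIVE_PATH_RE.match(e.path):
            e.reasons.append("binary path is not absolute, so it resolves via the search path")
        if "Microsoft" in e.display and "Microsoft" not in e.owner:
            e.reasons.append("display name claims Microsoft but the owner does not")
        if e.reasons:
            flagged.append(e)
    return flagged

def remediation_batch(entries: list) -> list:
    """Draft the stop-then-delete batch in the order the helper used in Step #1 above."""
    return [f"sc stop {e.sc_name}" for e in entries] + [f"sc delete {e.sc_name}" for e in entries]
```

Running triage_o23 over a full log and reviewing the reasons by hand is the point; the batch it drafts is only a starting draft for the entries you have already confirmed.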

#6 Okay

Okay
  • Members
  • 1 posts

Posted 20 April 2006 - 10:24 AM

I've had to re-register.

Incident Status Location

Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Horus\Cookies\horus@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Horus\Cookies\horus@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@doubleclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Horus\Cookies\horus@perf.overture[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Horus\Cookies\horus@servedby.advertising[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Horus\Cookies\horus@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Horus\Cookies\horus@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Horus\Cookies\horus@doubleclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Horus\Cookies\horus@perf.overture[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Horus\Cookies\horus@servedby.advertising[2].txt
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i

Logfile of HijackThis v1.99.1
Scan saved at 19:19:01, on 20/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
G:\Downloaded Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GMTcheck] C:\WINDOWS\system32\msrr\msrh.exe C:\WINDOWS\system32\msrr\msrr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142096126464
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142098007284
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

#7 didom

didom
  • Members
  • 1,389 posts
  • Gender:Male

Posted 20 April 2006 - 02:49 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check "Turn off System Restore".
    • Click Apply, and then click OK.
  • Reboot your computer.

  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check "Turn off System Restore".
    • Click Apply, and then click OK.
Step #2

Scan again with HijackThis and check the following items:
O4 - HKLM\..\Run: [GMTcheck] C:\WINDOWS\system32\msrr\msrh.exe C:\WINDOWS\system32\msrr\msrr.exe
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #4

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #5

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\msrr <= this folder

Step #6

While still in Safe Mode, start CCleaner. Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and then click Run Cleaner (bottom right).

Reboot your computer normally.

Step #7

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Start HijackThis and perform a new scan.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Edited by didom, 20 April 2006 - 02:49 PM.