Computer Infected.when Using Google Any Link I Cli


9 replies to this topic

#1 Andrew C


Posted 08 April 2006 - 05:55 AM

Hi folks. So the problem is as above. I have run all the things my PC will allow me to as per your "do this before posting" guide.

BUT: Ad-Aware scans for about 5 minutes then hangs forever (on file counter 79336, as it happens!)

Spybot runs and then pops up errors I haven't seen before saying "error during check. All in One telecom (19) access violation at address 005A4BA7 in module "spybot.exe" Read of address 00000004"

This repeats and the number (19) keeps going up 20, 21, 22, 23 etc.

Norton Antivirus 2005 fully updated has shut down and disappeared off my task bar?! It will not restart either.
I've run atfcleaner.exe

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:45, on 08/04/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\AndrewC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [exe.wlhmd] C:\WINDOWS\system32\dmhlw.exe
O4 - HKLM\..\Run: [exe.nhimd] C:\WINDOWS\system32\dmihn.exe
O4 - HKLM\..\Run: [exe.tebmd] C:\WINDOWS\system32\dmbet.exe
O4 - HKLM\..\Run: [exe.lqpmd] C:\WINDOWS\system32\dmpql.exe
O4 - HKLM\..\Run: [exe.djpmd] C:\WINDOWS\system32\dmpjd.exe
O4 - HKLM\..\Run: [exe.hgcmd] C:\WINDOWS\system32\dmcgh.exe
O4 - HKLM\..\Run: [exe.dilmd] C:\WINDOWS\system32\dmlid.exe
O4 - HKLM\..\Run: [exe.ptqmd] C:\WINDOWS\system32\dmqtp.exe
O4 - HKLM\..\Run: [exe.maqmd] C:\WINDOWS\system32\dmqam.exe
O4 - HKLM\..\Run: [exe.gkhmd] C:\WINDOWS\system32\dmhkg.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A54CE80-6BE6-47EA-93B4-94C92EC177F0}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe







/////////////////////////////////////////////////////////////////////////////////////////////////////////////

I thought the list starting with

C:\WINDOWS\system32\dmhlw.exe

looks a bit suspect, but none of those files are in the directory that HijackThis says?!!

PLEASE HELP HERE FOLKS!!

THANKS
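As an added example (not from this thread, and not code from HijackThis or any other tool mentioned here), a small Python triage script for the two things a defender would flag in the log above: every adapter's O17 NameServer pointing at the same two non-ISP addresses, and the O4 Run entries whose value names are their target file names written backwards. The trusted-resolver set is a constructed placeholder, and the embedded log excerpt is constructed from lines in the post.

```python
"""Triage two indicators from the HijackThis log format posted in this
thread (added example; not the forum's or any tool's own code):

* O17 lines whose NameServer values are not resolvers you trust. Every
  adapter in the log above points at 85.255.116.171 / 85.255.112.228,
  i.e. DNS was redirected rather than set by the ISP or router.
* O4 Run entries whose value name is the target file name spelled
  backwards ("[exe.wlhmd] ... dmhlw.exe"), the naming quirk visible in
  the first log; a pattern you can match without knowing the random
  file names in advance.
"""
import re
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Constructed excerpt of the first log in this thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [exe.wlhmd] C:\WINDOWS\system32\dmhlw.exe
O4 - HKLM\..\Run: [exe.nhimd] C:\WINDOWS\system32\dmihn.exe
O4 - HKLM\..\Run: [exe.tebmd] C:\WINDOWS\system32\dmbet.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Assumption: the resolvers this LAN is expected to use. Fill in the
# router or ISP addresses; anything else in an O17 line is reported.
TRUSTED_DNS = frozenset({"192.168.0.1"})  # constructed placeholder


def target_basename(cmd: str) -> str:
    """Lower-cased file name of the program an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):               # quoted path, e.g. "C:\Program Files\...\ccApp.exe"
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:                                  # unquoted: first whitespace-separated token
        parts = cmd.split()
        exe = parts[0] if parts else ""
    return PureWindowsPath(exe).name.lower()


def run_name_is_reversed_target(name: str, cmd: str) -> bool:
    """True when the Run value name is the launched file name reversed."""
    base = target_basename(cmd)
    return bool(base) and name.lower() == base[::-1]


def rogue_nameservers(servers: str, trusted=TRUSTED_DNS) -> list:
    """IPs from a NameServer value that are neither private nor trusted."""
    out = []
    for item in servers.split(","):
        try:
            ip = ip_address(item.strip())
        except ValueError:                 # malformed entry: not an address at all
            continue
        if ip.is_private or str(ip) in trusted:
            continue
        out.append(str(ip))
    return out


def triage(log_text: str, trusted=TRUSTED_DNS) -> dict:
    """Walk a HijackThis log and collect both indicators, de-duplicated."""
    findings = {"reversed_run_entries": [], "rogue_nameservers": []}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            if run_name_is_reversed_target(m["name"], m["cmd"]):
                findings["reversed_run_entries"].append(target_basename(m["cmd"]))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in rogue_nameservers(m["servers"], trusted):
                if ip not in findings["rogue_nameservers"]:
                    findings["rogue_nameservers"].append(ip)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```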

#2 Andrew C


Posted 08 April 2006 - 12:28 PM

Anyone?? PLEASE HELP!!!!

#3 illukka

Posted 08 April 2006 - 04:28 PM

hi

you possibly have a new infection
Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

also post a new HijackThis log
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#4 Andrew C


Posted 08 April 2006 - 07:02 PM

> hi
>
> you possibly have a new infection
> Download and Save Blacklight to your desktop:
>
> Double-click blbeta.exe then accept the agreement, click > scan then > next
>
> You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
>
> Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
>
> also post a new HijackThis log



WOW. Thanks for that!!
What a great tool blbeta is!
Here's the log (and trojans :thumbsup:)

04/09/06 00:27:03 [Info]: BlackLight Engine 1.0.35 initialized
04/09/06 00:27:03 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/09/06 00:27:03 [Note]: 7019 4
04/09/06 00:27:03 [Note]: 7005 0
04/09/06 00:27:05 [Note]: 7006 0
04/09/06 00:27:05 [Note]: 7011 2588
04/09/06 00:27:05 [Note]: 7026 0
04/09/06 00:27:06 [Note]: 7026 0
04/09/06 00:27:06 [Note]: FSRAW library version 1.7.1015
04/09/06 00:28:12 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
04/09/06 00:28:12 [Note]: 10002 1
04/09/06 00:28:15 [Info]: Hidden file: C:\WINDOWS\system32\cslog.exe
04/09/06 00:28:15 [Note]: 7002 32
04/09/06 00:28:15 [Note]: 7003 1
04/09/06 00:28:15 [Note]: 10002 1
04/09/06 00:28:16 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
04/09/06 00:28:24 [Note]: 7002 2
04/09/06 00:28:24 [Note]: 7003 1
04/09/06 00:28:24 [Note]: 10002 1
04/09/06 00:28:25 [Info]: Hidden file: C:\WINDOWS\system32\filesafer23.exe
04/09/06 00:28:25 [Note]: 10002 1
04/09/06 00:28:26 [Info]: Hidden file: C:\WINDOWS\system32\pppcgm.exe
04/09/06 00:28:26 [Note]: 10002 1
04/09/06 00:28:27 [Info]: Hidden file: C:\WINDOWS\system32\howiper.exe
04/09/06 00:28:33 [Note]: 7002 2
04/09/06 00:28:33 [Note]: 7003 1
04/09/06 00:28:33 [Note]: 10002 1
04/09/06 00:28:34 [Info]: Hidden file: C:\WINDOWS\system32\sphlp32.exe
04/09/06 00:28:39 [Note]: 7002 2
04/09/06 00:28:39 [Note]: 7003 1
04/09/06 00:28:39 [Note]: 10002 1
04/09/06 00:29:51 [Note]: 7007 0


And, as requested, here is a new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 00:59:48, on 09/04/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\AndrewC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A54CE80-6BE6-47EA-93B4-94C92EC177F0}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Thanks for the assistance!

I really appreciate all the help I can get with this, as I make my living from computers and this one (my main workstation) will be a complete pain to rebuild to current specs!!
(I DO have backups tho!)


CHEERS

#5 illukka


Posted 09 April 2006 - 05:45 AM

hi

good work man
:thumbsup:

let's use blacklight to rename the files. a great spyware expert LonnyRJones is developing a removal tool to kill this trojan and he would like samples of the files

so open blacklight, click scan. once it's finished it will show a list of items that are hidden. select an item, and choose rename
allow blacklight to rename everything else but C:\WINDOWS\system32\wbem\wbemtest.exe

then click next and allow blacklight to reboot the computer

once the machine is back up, click start > search > type in *.ren
move the files that are found to a new folder on your desktop, then zip that folder

next go to http://www.thespykiller.co.uk/forum/index.php?board=1.0
press new topic

include a link to here in your message, make the thread's title "wareout files for Lonny"
attach the folder you just zipped to your message and hit post

see this too: Instructions for uploading files

once you've done that, post a new hijackthis log here


edit: da**ed typos

Edited by illukka, 09 April 2006 - 06:46 AM.


#6 Andrew C


Posted 09 April 2006 - 09:58 AM

Hi illukka

THANKS for that :thumbsup:

I uploaded the files as you said for Lonny to take a look at, and my workstation definitely seems to be behaving a heck of a lot better now that filth is off my machine :flowers: (tho I'm not sure she is 100% yet?)

I have posted the latest HJT log below.



Logfile of HijackThis v1.99.1
Scan saved at 15:51:26, on 09/04/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\AndrewC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [exe.mwimd] C:\WINDOWS\system32\dmiwm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A54CE80-6BE6-47EA-93B4-94C92EC177F0}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


THANKS

:huh:

#7 illukka


Posted 09 April 2006 - 10:08 AM

hi

ok thanks for the files, it's much appreciated :thumbsup: :flowers:


let's fix the rest of it then, shall we ;)

first you can delete that folder you uploaded now
then:

Download fixwareout to your desktop,
http://downloads.subratam.org/Fixwareout.exe
Or from:
http://swandog46.geekstogo.com/Fixwareout.exe
run fixwareout and simply follow the prompts, you will need to reboot when prompted
Open your root folder (usually C:), then c:\fixwareout\report.txt, and
post it here

this will take out the nasty services and registry keys


next:


Please download ewido anti malware it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
then launch ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti malware.

reboot back to normal mode, then post the ewido report and a log from a fresh HJT scan


it's been a pleasure to do "business" with you :huh:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#8 Andrew C

Andrew C
  • Topic Starter


Posted 09 April 2006 - 02:19 PM

Phew :thumbsup:

That is a serious list of instructions there!!
Thanks again for taking your time out to help me with this one.

MUCH APPRECIATED :flowers:

ok. So I did as you wisely said.

Here is the fixwareout log////////////////////////////////////////////////////


Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mwimd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


/////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ewido report

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 19:12:44, 09/04/06
+ Report-Checksum: 8E48EE85

+ Scan result:

C:\Documents and Settings\andrew.ACER\Cookies\andrew@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.11:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\firefox cooki backup.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\firefox cooki backup.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.6:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.7:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.8:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.9:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.10:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.11:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.25:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup
:mozilla.38:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.44:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.45:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.46:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.47:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.48:C:\Documents and Settings\AndrewC\Application Data\Mozilla\Firefox\Profiles\3ebfs2js.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\AndrewC\Desktop\PHP Scripts 2006\DarcHP.rar/Darc Hackpack\AutoPlay\Docs\Hotmail Account Freezer.exe -> Not-A-Virus.HackTool.Win32.Homac : Error during cleaning
C:\Documents and Settings\AndrewC\Desktop\PHP Scripts 2006\DarcHP.rar/Darc Hackpack\AutoPlay\Docs\netpass.exe -> Not-A-Virus.PSWTool.Win32.NetPass.b : Error during cleaning
C:\Documents and Settings\AndrewC\Desktop\PHP Scripts 2006\DarcHP.rar/Darc Hackpack\AutoPlay\Docs\RockXP3.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Error during cleaning
C:\Documents and Settings\AndrewC\Desktop\PHP Scripts 2006\DarcHP.rar/Darc Hackpack\AutoPlay\Docs\RockXP3.exe/keyms.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Error during cleaning
C:\Documents and Settings\AndrewC\Desktop\PHP Scripts 2006\DarcHP.rar/Darc Hackpack\AutoPlay\Docs\RockXP3.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Error during cleaning
C:\Documents and Settings\AndrewC\Desktop\PHP Scripts 2006\DarcHP.rar/Darc Hackpack\AutoPlay\Docs\SQL Inject.exe -> Not-A-Virus.HackTool.Win32.SQLInject.a : Error during cleaning
C:\Documents and Settings\AndrewC\My Documents\BHP Motorsport\OBD1 and 2 Gold Tuning Tools\More Mileage\tacho-decoder2004.exe -> Logger.ProAgent.20 : Cleaned with backup
C:\Documents and Settings\AndrewC\My Documents\Miscellaneous\ren trojans.zip/ren/csysv.exe.ren -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\AndrewC\My Documents\Remap Software Collection\Ecu Pick of the Bunch\Shareaza Diagnostics Software_Dec\Chiptuning Shareaza\Chiptuning_BMW_ALL.rar/Tools\ct25\CTuning.exe -> Trojan.LdPinch.rt : Error during cleaning
C:\Documents and Settings\AndrewC\My Documents\Software\ghostmail51.zip/GM51.exe -> Not-A-Virus.EmailFlooder.Win32.GhostMail.51 : Error during cleaning
C:\Documents and Settings\AndrewC\My Documents\Software\Software 2006\Nov 2005 Software\FKSoft IPB register bot.exe -> Not-A-Virus.HackTool.Win32.VB.br : Cleaned with backup
C:\Documents and Settings\AndrewC\My Documents\Software\Software 2006\Nov 2005 Software\FKSoft php reg flooder.exe -> Not-A-Virus.HackTool.Win32.VB.bs : Cleaned with backup
C:\Documents and Settings\AndrewC\My Documents\Software\Steganos Internet Anon Pro 7.1.5\SteganosIA.Pro.Patch.rar/Steganos-patch.exe -> Trojan.Agent.jh : Cleaned with backup
C:\Documents and Settings\laura\Cookies\laura@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\laura\Cookies\laura@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\laura\Cookies\laura@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.8:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.9:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.10:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.11:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.12:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.13:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.14:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.19:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.20:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.49:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.57:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.58:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.59:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.63:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.64:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.65:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.68:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Xxxcounter : Cleaned with backup
:mozilla.69:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Xxxcounter : Cleaned with backup
:mozilla.75:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.99:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.164:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.165:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.166:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.167:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.168:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.169:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.170:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.171:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.172:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.201:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.207:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.209:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.210:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.211:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.212:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.242:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.279:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.280:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.285:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.286:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.287:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.288:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.294:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.295:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.296:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.299:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.300:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.304:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.306:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.307:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.310:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.312:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.313:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.314:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.315:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.317:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.318:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.319:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.320:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.321:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.322:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.323:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.324:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.325:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.327:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.329:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.330:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.331:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.332:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.333:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.335:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.336:E:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\rm3ocq6t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
E:\Documents and Settings\Andrew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-234377ea-1d1cdd12.zip/Gagaga.class -> Dropper.Beyond.g : Cleaned with backup
E:\Documents and Settings\Andrew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-234377ea-1d1cdd12.zip/Vbagx.class -> Not-A-Virus.Exploit.Java.Bytverify : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/o4tmg7n.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/qiI7xcY.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/PhFytG7.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/g4Yv4k1.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/ojLHR26.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/jQ3M43O.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/FdNxEF5.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/gD13184.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\KWP2000.rar/x724LQK.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/n7B3Sb6.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/WVyJ78C.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/uIyo38v.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/uBvHbjx.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/f5opRs7.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/vdO1tpl.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/d3kR2dg.exe -> Worm.Drefir.a : Cleaned with backup
E:\Documents and Settings\Andrew\Desktop\Chiptuning Files_more\files kwp2000\Smart\ORIG SMART 55CV 0261205005_1037 35 1857.rar/t142Y5R.exe -> Worm.Drefir.a : Cleaned with backup


::Report End

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

And the latest Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 19:37:54, on 09/04/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Documents and Settings\AndrewC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [exe.mwimd] C:\WINDOWS\system32\dmiwm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A54CE80-6BE6-47EA-93B4-94C92EC177F0}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

//////////////////////////////////////////////////////////////////////////////////////////////////////////


The machine seems to be infinitely better than it was thanks to your advice.

Also/// I knew about a few of those worms in chiptuning archives but just never ever ran the files :/

I also ran a scan with Ewido on only C:/Windows and it came up with nothing.

My E drive is a USB2 plugin backup / storage drive nowadays..

One thing. Will these trojans have compromised my passwords and so on??
I know IE is rather unsafe which is why I use Firefox a lot but IE still has a lot of important passwords gone through it....

Can the trojan have compromised these?
Even though I have an expensive hardware firewall and current AV?

Do I need to change them all like ebay, bank and so on???

Also, when I try and clear IE's password cache by Control Panel > Internet Options > Content > AutoComplete >> Clear Forms and Passwords

It just hangs and Rundll crashes and I end up having to end the process! Is this related, do you think, to the spyware problem?

MANY THANKS

THANKS

#9 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:05:33 AM

Posted 09 April 2006 - 02:58 PM

accidental double post

Edited by illukka, 09 April 2006 - 03:06 PM.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#10 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:05:33 AM

Posted 09 April 2006 - 03:03 PM

hi


good work


Download System Security Suite here: System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.


Run HijackThis!, press Do A system Scan Only, and put a check mark next to all these:
O4 - HKLM\..\Run: [exe.mwimd] C:\WINDOWS\system32\dmiwm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A54CE80-6BE6-47EA-93B4-94C92EC177F0}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228

Close all other windows and browsers, and press the Fix Checked button.



Reboot into Safe Mode by tapping the F8 key repeatedly at bootup: Starting your computer in Safe mode

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab mark for cleaning:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.


reboot

see this topic for info on how to update your java:
http://forums.spybot.info/showthread.php?t=2559

uninstall the previous version of it before installing the newest

post a fresh hijackthis log when done


I think the crashes / slowness / etc. are due to you having two different antiviruses installed.
they don't like each other.. I suggest uninstalling, or at least completely disabling, the other.. either NAV or AntiVir, whichever you choose

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
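The fix list above is built from three kinds of HijackThis entries: O17 NameServer overrides pointing at resolvers the owner never set up, an O4 Run value whose name is the executable's filename written backwards ("exe.mwimd" for dmiwm.exe), and O23 services the tool marks "(file missing)". The following triage script is an added example, not code from this thread or from the HijackThis project, that applies those three checks to log lines so a helper can spot the same patterns in a fresh log. The allowlist of expected resolvers (192.168.1.x) and the two benign sample lines (ExampleTray and the all-zero GUID entry) are constructed for the example; the remaining sample lines are copied from the log posted above. An unexpected resolver is reported for review, not treated as proof of infection on its own.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread. It flags three patterns that appear
in the log and fix list above, from a defender's point of view:

  * O17 NameServer entries listing resolvers the owner never configured.
    A DNS override redirects every lookup the machine makes, which fits the
    "any link I click" symptom, so unexpected resolvers deserve review.
  * O4 Run entries whose value name is the executable's filename reversed
    (the log's "[exe.mwimd] ... dmiwm.exe"), a cheap disguise for an autorun.
  * O23 service entries HijackThis marks "(file missing)": stale or broken
    service registrations worth checking before trusting the machine.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed allowlist for this example: the resolvers this machine is
# supposed to use. In practice take them from the router, ISP or corporate DNS.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "192.168.1.254"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'\s*"?(?P<path>[^"]+?\.exe)(?:"|\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # which rule fired
    detail: str  # the offending value
    line: str    # the original log line


def exe_basename(cmd: str) -> str:
    """Lowercase filename of the program a Run command line launches.

    Handles quoted and unquoted paths containing spaces by stopping at the
    first ".exe"; falls back to the first whitespace token otherwise.
    """
    m = EXE_RE.match(cmd)
    path = m["path"] if m else (cmd.split()[0] if cmd.split() else "")
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines: Iterable[str], expected: Set[str] = EXPECTED_RESOLVERS) -> List[Finding]:
    """Run the three rules over log lines and return every hit."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := O17_RE.match(line):
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            unexpected = [s for s in servers if s not in expected]
            if unexpected:
                findings.append(Finding("unexpected-nameserver", ",".join(unexpected), line))
        elif m := O4_RE.match(line):
            name = m["name"].strip().lower()
            exe = exe_basename(m["cmd"])
            if name and name == exe[::-1]:
                findings.append(Finding("reversed-run-name", f"{m['name']} <-> {exe}", line))
        elif m := O23_RE.match(line):
            if m["path"].rstrip().endswith("(file missing)"):
                findings.append(Finding("service-file-missing", m["display"], line))
    return findings


# Sample input: four lines copied from the log in this thread plus two
# constructed benign lines (ExampleTray and the all-zero GUID resolver entry)
# so the rules have something to pass as well as something to flag.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [exe.mwimd] C:\WINDOWS\system32\dmiwm.exe",
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /quiet',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1771697F-76A9-43AF-B2A1-403C39C3B25A}: NameServer = 85.255.116.171,85.255.112.228",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    r"O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

Run against the sample it reports one unexpected resolver pair, one reversed Run name and one missing service file, and stays quiet on the two constructed benign lines. The reversed-name rule is deliberately narrow (exact reversal of the filename) so it does not fire on ordinary vendor Run entries; the resolver rule is only as good as the allowlist, so fill that in from the actual network configuration before trusting its silence.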



