Help My Browser Has Been Hijacked



#1 aussi02

aussi02


Posted 08 June 2006 - 06:42 AM

Hi,

Please, can anyone tell me what is causing this hijacking of my browser?
It seems like when I click on a result link after a search on Google, the click is forwarded to a different page.
I've run lots of different AntiVirus and SpyWare tools, but I cannot get rid of this one...

Any help is greatly appreciated!



Logfile of HijackThis v1.99.1
Scan saved at 13:26:13, on 08.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VWDExpress.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forskning.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {1B1F6B72-B294-59C0-8726-84E17F9B6A3B} - Bogobot.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [browsebar] backorif.exe
O4 - HKLM\..\Run: [atl_helper] ms-its.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0F7E6F-AC56-4233-8AE2-FC10D351B062}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{A22C0EA8-A1F6-4D3F-A8B6-1C0A44E186B3}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS2\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS3\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#2 Guest_Cretemonster_*

Guest_Cretemonster_*


Posted 08 June 2006 - 08:09 PM

Hi tempest and Welcome to the Bleeping Computer!


Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Please wait until Safe Mode to run Ewido!


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer. Reboot into SAFE MODE (Tap F8 when restarting)
    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads-> Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

    R3 - URLSearchHook: (no name) - {1B1F6B72-B294-59C0-8726-84E17F9B6A3B} - Bogobot.dll (file missing)

    O1 - Hosts: localhost 127.0.0.1

    O4 - HKLM\..\Run: [browsebar] backorif.exe

    O4 - HKLM\..\Run: [atl_helper] ms-its.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0F7E6F-AC56-4233-8AE2-FC10D351B062}: NameServer = 85.255.116.59,85.255.112.188

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A22C0EA8-A1F6-4D3F-A8B6-1C0A44E186B3}: NameServer = 85.255.116.59,85.255.112.188

    O17 - HKLM\System\CS2\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188

    O17 - HKLM\System\CS3\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Once in safe mode Open Ewido Security Suite and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.


Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type:

rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Click Find Now or Search Now.

If you find rasphone.pbk file, right-click the file, and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:

IpDnsAddress = 85.255.116.59
IpDns2Address = 85.255.112.188
IpNameAssign = 2



Now open the Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Restart Normal and Click Start--> Run--> Type in CMD and Click OK

At the DOS prompt screen, type in cd\ and hit Enter

Now type in ipconfig /flushdns and click enter

(Note the space between g and /)

Once it is done, close the command prompt


Have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido--> Panda and report.txt from Fix WareOut
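The infection this thread is cleaning pins the machine to the resolver pair 85.255.116.59 / 85.255.112.188 in two places: the per-interface NameServer values (the O17 lines, repeated in CCS, CS2 and CS3) and the rasphone.pbk dial-up phonebook. As an added example, not from the thread or from HijackThis, FixWareout or any other tool named here, the following Python script parses O17 lines and a rasphone.pbk fragment and reports every resolver outside an allowlist; the sample log lines, the phonebook entry name and the private-range allowlist are constructed assumptions.

```python
"""Flag statically assigned DNS resolvers in a HijackThis log and a rasphone.pbk phonebook."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: O17 lines taken from the thread's HijackThis log, plus one
# benign interface whose resolver is a router on a private network (assumed).
SAMPLE_HJT_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0F7E6F-AC56-4233-8AE2-FC10D351B062}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS2\Services\Tcpip\..\{4E8C5280-FE6F-496A-A70E-B1ABB09E46E6}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Constructed rasphone.pbk fragment carrying the three keys the thread tells the user to delete.
SAMPLE_RASPHONE = """
[My ISP]
Type=1
IpNameAssign=2
IpDnsAddress=85.255.116.59
IpDns2Address=85.255.112.188
"""

# Constructed allowlist: RFC 1918 space and loopback. A real deployment would add the
# ISP's own resolvers; anything outside these networks is reported.
TRUSTED_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<controlset>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return (control set, interface GUID, [resolvers]) for every O17 line in the log."""
    records = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = [s.strip() for s in match.group("servers").split(",") if s.strip()]
            records.append((match.group("controlset"), match.group("guid"), servers))
    return records


def rogue_resolvers(records, trusted=TRUSTED_NETWORKS):
    """Group untrusted resolvers by interface GUID, remembering which control sets carry them.

    Grouping across CCS/CS2/CS3 matters: the thread's log shows the same pair in every
    control set, so a cleanup that edits only CurrentControlSet leaves copies behind.
    """
    nets = [ip_network(n) for n in trusted]
    flagged = {}
    for control_set, guid, servers in records:
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                continue  # not an IP literal; leave it for manual review
            if any(addr in net for net in nets):
                continue
            entry = flagged.setdefault(guid, {"servers": set(), "control_sets": set()})
            entry["servers"].add(server)
            entry["control_sets"].add(control_set)
    return {
        guid: {"servers": sorted(e["servers"]), "control_sets": sorted(e["control_sets"])}
        for guid, e in flagged.items()
    }


def static_dns_entries(pbk_text):
    """Return, per phonebook entry, the keys that pin a RAS connection to fixed resolvers."""
    wanted = {"IpNameAssign", "IpDnsAddress", "IpDns2Address"}
    entries, current = {}, None
    for raw in pbk_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # INI-style section header names the connection
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in wanted:
            entries.setdefault(current, {})[key] = value
    return entries


if __name__ == "__main__":
    for guid, info in rogue_resolvers(parse_o17(SAMPLE_HJT_LOG)).items():
        print(f"{guid}: {', '.join(info['servers'])} in {', '.join(info['control_sets'])}")
    for name, keys in static_dns_entries(SAMPLE_RASPHONE).items():
        print(f"rasphone.pbk [{name}]: {keys}")
```

Run it against a saved HijackThis log and a copy of rasphone.pbk to confirm, after the fix, that no interface and no phonebook entry still names the rogue pair.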

#3 aussi02

aussi02

Posted 14 June 2006 - 03:38 AM

Hi and thanks for your help so far Cretemonster!

I've followed the steps you described in your post, and here are the result logs:

Panda Active scan:

Incident Status Location

Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Berit\Cookies\berit@spywarestormer[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Berit\Cookies\berit@xmts[1].txt


Fixwareout:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fmhmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmhmf.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...
One or more CON code pages invalid for given keyboard code
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSSMF.EXE

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSMF.EXE 51,288 2006-05-30
C:\WINDOWS\SYSTEM32\DMHMF.EXE 44,072 2004-08-04


Ewido Security Suite:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 23:34:10, 13.06.2006
+ Report-Checksum: 501A64D6

+ Scan result:

C:\Documents and Settings\Berit\Cookies\berit@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Berit\Cookies\berit@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Berit\Cookies\berit@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\073l5wba.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\Dc24.exe -> Trojan.Hoster : Cleaned with backup


::Report End


And finally,

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:28:20, on 14.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forskning.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...779/mcfscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe



There are the logs. I hope you will be able to guide me further if needed! Thanks for your help so far!

#4 Guest_Cretemonster_*

Guest_Cretemonster_*


Posted 14 June 2006 - 04:06 AM

Go to this Site

Have these 2 files scanned

C:\WINDOWS\SYSTEM32\CSSMF.EXE

C:\WINDOWS\SYSTEM32\DMHMF.EXE

Almost positive they will return infected.


Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62


Locate and delete if found to be infected

C:\WINDOWS\SYSTEM32\CSSMF.EXE<-- File

C:\WINDOWS\SYSTEM32\DMHMF.EXE<-- File


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#5 aussi02

aussi02

Posted 14 June 2006 - 04:31 PM

Hi again and thanks!!

There seems to be a problem with the F-Secure Online scanner, as it crashes every time I run the cleaning. But at least I can tell you that it discovered 4 tracking cookies, one of which was deleted the last time I ran the scan (before it crashed again for the fourth time).

Anyway, the two files you mentioned in your previous post were infected. These files have been removed as instructed.

Following you'll find the log from Winpfind:


Winpfind
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 06.04.2005 16:42:02 14469723 C:\WINDOWS\LPT$VPN.542
qoologic 06.04.2005 16:42:02 14469723 C:\WINDOWS\LPT$VPN.542
SAHAgent 06.04.2005 16:42:02 14469723 C:\WINDOWS\LPT$VPN.542
UPX! 06.04.2005 16:42:02 170053 C:\WINDOWS\tsc.exe
PECompact2 06.04.2005 16:42:02 14469723 C:\WINDOWS\VPTNFILE.542
qoologic 06.04.2005 16:42:02 14469723 C:\WINDOWS\VPTNFILE.542
SAHAgent 06.04.2005 16:42:02 14469723 C:\WINDOWS\VPTNFILE.542
UPX! 06.04.2005 16:42:02 1044560 C:\WINDOWS\vsapi32.dll
aspack 06.04.2005 16:42:02 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 19.03.2003 05:05:48 2052096 C:\WINDOWS\SYSTEM32\atl71.pdb
PEC2 04.08.2004 03:07:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 10.04.2006 13:00:34 555824 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PEC2 19.03.2003 07:20:00 10357760 C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2 19.03.2003 06:28:40 8252416 C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2 19.03.2003 07:12:12 10333184 C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2 19.03.2003 06:31:58 8293376 C:\WINDOWS\SYSTEM32\mfc71ud.pdb
PECompact2 04.05.2006 06:26:22 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.05.2006 06:26:22 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 03:07:00 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 03:07:00 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 04.08.2004 03:07:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 06.12.2005 11:37:26 1022432 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack 06.12.2005 11:37:26 1022432 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
14.06.2006 20:45:50 S 2048 C:\WINDOWS\bootstat.dat
18.04.2006 09:17:08 S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
14.06.2006 20:45:42 H 8192 C:\WINDOWS\system32\config\default.LOG
14.06.2006 20:46:10 H 1024 C:\WINDOWS\system32\config\SAM.LOG
14.06.2006 20:45:52 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
14.06.2006 20:46:30 H 69632 C:\WINDOWS\system32\config\software.LOG
14.06.2006 20:46:02 H 856064 C:\WINDOWS\system32\config\system.LOG
09.05.2006 21:14:26 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
30.05.2006 21:01:10 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\6156cbe0-04a8-46b4-bea3-57f7781db7eb
30.05.2006 21:01:10 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
14.06.2006 20:44:36 H 6 C:\WINDOWS\Tasks\SA.DAT
04.06.2006 19:53:16 HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
04.06.2006 19:53:16 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
04.06.2006 19:53:16 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\75ZWHB8Y\desktop.ini
04.06.2006 19:53:16 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KLE5UH01\desktop.ini
04.06.2006 19:53:16 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MHDFEB7A\desktop.ini
04.06.2006 19:53:16 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MMBPNAXP\desktop.ini

Checking for CPL files...
Microsoft Corporation 04.08.2004 03:07:00 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 03:07:00 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 03:07:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 03:07:00 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 03:07:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 03:07:00 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 29.07.2003 17:09:40 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 04.08.2004 03:07:00 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 03:07:00 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 03:07:00 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 03:07:00 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 04.08.2004 03:07:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 03:07:00 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04.08.2004 03:07:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 03:07:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 03:07:00 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 17.11.2003 10:33:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04.08.2004 03:07:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 03:07:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Trend Micro Inc. 27.10.2003 15:38:54 106496 C:\WINDOWS\SYSTEM32\PCCSet.cpl
Microsoft Corporation 04.08.2004 03:07:00 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23.09.2004 18:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04.08.2004 03:07:00 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04.08.2004 03:07:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 03:07:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 03:07:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 03:07:00 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04.08.2004 03:07:00 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04.08.2004 03:07:00 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04.08.2004 03:07:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04.08.2004 03:07:00 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04.08.2004 03:07:00 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04.08.2004 03:07:00 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04.08.2004 03:07:00 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04.08.2004 03:07:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04.08.2004 03:07:00 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04.08.2004 03:07:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04.08.2004 03:07:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04.08.2004 03:07:00 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04.08.2004 03:07:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 04.08.2004 03:07:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04.08.2004 03:07:00 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04.08.2004 03:07:00 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04.08.2004 03:07:00 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04.08.2004 03:07:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04.08.2004 03:07:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04.08.2004 03:07:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
28.03.2006 22:03:24 1918 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
27.02.2006 20:38:42 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
30.03.2005 20:21:18 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
01.04.2005 17:03:56 489 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus.lnk
17.07.2005 21:55:46 1648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
29.05.2006 20:11:24 794 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
30.03.2005 22:06:02 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
30.03.2005 20:21:18 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
30.03.2005 22:06:02 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
pccguide.exe "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCClient.exe "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
DataLayer C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

Nokia Tray Application C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
_AntiSpyware c:\progra~1\mcafee\MCAFEE~1\masalert.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 14.06.2006 20:56:24

#6 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 14 June 2006 - 06:30 PM

Alright, let's try another scanner.

Give this one a run and see how it does:
http://www.bitdefender.com/scan/licence.php

#7 aussi02

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE

Posted 15 June 2006 - 09:24 AM

Okay, here is the log from BitDefender:

BitDefender Online Scanner

Scan report generated at: Thu, Jun 15, 2006 - 12:31:09

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics
Time: 02:28:36
Files: 683407
Folders: 9739
Boot Sectors: 5
Archives: 8979
Packed Files: 81089

Results
Identified Viruses: 5
Infected Files: 59
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 60

Engines Info
Virus Definitions: 388139
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Kjetil\.housecall\Quarantine\arnds.dll.bac_a01712=>(Quarantine-4)
Detected with: Adware.Iectr.A

C:\Documents and Settings\Kjetil\.housecall\Quarantine\arnds.dll.bac_a01712=>(Quarantine-4)
Disinfection failed

C:\Documents and Settings\Kjetil\.housecall\Quarantine\arnds.dll.bac_a01712=>(Quarantine-4)
Deleted

C:\Documents and Settings\Kjetil\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv516.jar-6627f2a7-1ef38084.zip=>Matrix.class
Infected with: Java.Trojan.Downloader.OpenStream.C

C:\Documents and Settings\Kjetil\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv516.jar-6627f2a7-1ef38084.zip=>Matrix.class
Disinfection failed

C:\Documents and Settings\Kjetil\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv516.jar-6627f2a7-1ef38084.zip=>Matrix.class
Deleted

C:\Documents and Settings\Kjetil\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv516.jar-6627f2a7-1ef38084.zip
Updated

C:\Documents and Settings\Kjetil\Local Settings\Temporary Internet Files\Content.IE5\8ZXNE2JP\0177[1].jpg
Infected with: Trojan.Downloader.Small.AKZ

C:\Documents and Settings\Kjetil\Local Settings\Temporary Internet Files\Content.IE5\8ZXNE2JP\0177[1].jpg
Disinfection failed

C:\Documents and Settings\Kjetil\Local Settings\Temporary Internet Files\Content.IE5\8ZXNE2JP\0177[1].jpg
Deleted

C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\DC29.0XE
Infected with: Trojan.Downloader.FFZ

C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\DC29.0XE
Disinfection failed

C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\DC29.0XE
Deleted

C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\Dc30.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\Dc30.exe
Disinfection failed

C:\RECYCLER\S-1-5-21-583907252-1757981266-725345543-500\Dc30.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034442.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034442.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034442.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034447.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034447.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034447.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034468.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034468.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034468.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034474.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034474.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034474.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034479.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034479.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP273\A0034479.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035058.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035058.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035058.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035067.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035067.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035067.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035073.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035073.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035073.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035080.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035080.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035080.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035082.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035082.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035082.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035088.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035088.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035088.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035095.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035095.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035095.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035097.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035097.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035097.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035104.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035104.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035104.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035108.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035108.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035108.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035113.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035113.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035113.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035430.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035430.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035430.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035437.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035437.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP277\A0035437.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP278\A0035516.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP278\A0035516.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP278\A0035516.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP278\A0035523.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP278\A0035523.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP278\A0035523.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035757.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035757.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035757.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035764.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035764.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035764.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035783.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035783.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035783.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035789.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035789.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP279\A0035789.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035804.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035804.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035804.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035812.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035812.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035812.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035817.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035817.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP280\A0035817.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0035829.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0035829.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0035829.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0035843.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0035843.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0035843.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0036830.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0036830.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0036830.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0036839.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0036839.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP281\A0036839.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0036915.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0036915.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0036915.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0036920.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0036920.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0036920.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0037018.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0037018.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP282\A0037018.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037027.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037027.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037027.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037096.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037096.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037096.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037106.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037106.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP283\A0037106.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP284\A0037133.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP284\A0037133.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP284\A0037133.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP284\A0037143.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP284\A0037143.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP284\A0037143.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP287\A0037380.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP287\A0037380.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP287\A0037380.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP287\A0037390.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP287\A0037390.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP287\A0037390.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037404.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037404.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037404.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037416.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037416.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037416.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037426.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037426.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037426.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037462.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037462.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037462.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037472.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037472.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP288\A0037472.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037543.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037543.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037543.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037553.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037553.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037553.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037556.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037556.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037556.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037566.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037566.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037566.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037578.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037578.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP289\A0037578.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP290\A0037589.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP290\A0037589.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP290\A0037589.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP291\A0039697.exe
Infected with: Trojan.Downloader.FFZ

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP291\A0039697.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP291\A0039697.exe
Deleted

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP291\A0039730.exe
Infected with: MemScan:Trojan.Downloader.Small.AOH

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP291\A0039730.exe
Disinfection failed

C:\System Volume Information\_restore{61366CCD-1B12-4E12-84D8-9FA33D5D26BE}\RP291\A0039730.exe
Deleted

#8 Guest_Cretemonster_*


Posted 15 June 2006 - 03:32 PM

How's the PC acting today?

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.
Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?

#9 aussi02


Posted 25 June 2006 - 02:36 PM

Hi again,

Seems like things are working better now! Thanks for your help so far!

The Kaspersky On-line Scanner returned the message "No malware has been detected. The sections that have been scanned are CLEAN.", so no report was generated.

I'll install the two suggested security measures!

Underneath is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:23:39, on 25.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VWDExpress.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\microsoft.net\framework\v2.0.50727\aspnet_wp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Microsoft Shared\Help 8\dexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\AntivirusSpyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forskning.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...779/mcfscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
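
The log above is the kind of thing a helper reads by eye: orphaned "(file missing)" entries, unnamed BHOs, O16 ActiveX downloads and O20 Winlogon Notify hooks are the lines that get looked at first. The script below is an added example, not code from this thread, from BleepingComputer or from HijackThis; it parses HijackThis 1.99.1 log lines and applies a few triage rules. The sample lines are copied from the log in the post above, except two lines marked CONSTRUCTED (an O4 autostart in a temp directory and an O16 control from `cab.example.invalid`) added so the rules have something to fire on. The severity levels, the list of trusted ActiveX download hosts and the list of user-writable directories are my own assumptions, not HijackThis behaviour.

```python
"""Triage heuristics for HijackThis 1.99.1 log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above, plus two CONSTRUCTED
# lines (the [example] O4 entry and the example.invalid O16 entry).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://cab.example.invalid/ctl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"Run: \[[^\]]*\]\s*(?P<cmd>.*)$")
# First executable-looking token of a Run command (quoted or not).
EXE_RE = re.compile(r"(?i)(.*?\.(?:exe|scr|bat|cmd|pif))\b")

# ASSUMPTION: vendors whose online scanners the thread used; anything else
# pulling an ActiveX .cab is flagged for a look.
TRUSTED_DPF_HOSTS = ("kaspersky.com", "trendmicro-europe.com",
                     "pandasoftware.com", "f-secure.com", "mcafee.com")
# ASSUMPTION: autostart binaries living under these directories are unusual.
WRITABLE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass(frozen=True)
class Finding:
    kind: str       # HijackThis section, e.g. "O4"
    severity: str   # "info", "review" or "suspicious"
    reason: str
    line: str


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _trusted(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def _exe_path(cmd: str) -> str:
    """Return the program path from a Run value, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if "(file missing)" in body or "(no file)" in body:
        return Finding(kind, "info", "orphaned entry, target file is missing", line)
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return Finding(kind, "review", "BHO without a description; identify the DLL's vendor", line)
    if kind == "O4":
        cm = O4_RE.search(body)
        if cm:
            exe = _exe_path(cm.group("cmd"))
            if "\\" not in exe:
                return Finding(kind, "review", f"bare filename {exe!r} resolved via PATH", line)
            if any(d in exe.lower() for d in WRITABLE_DIRS):
                return Finding(kind, "suspicious", f"autostart from user-writable dir: {exe}", line)
    if kind == "O16":
        host = _host(body.rsplit(" - ", 1)[-1].strip())
        if _trusted(host):
            return Finding(kind, "info", f"ActiveX scanner control from {host}", line)
        return Finding(kind, "suspicious", f"ActiveX control from unrecognised host {host!r}", line)
    if kind == "O20":
        target = body.rsplit(" - ", 1)[-1].strip()
        if not target.lower().endswith(".dll"):
            return Finding(kind, "review", f"Winlogon Notify target {target!r} is not a DLL path", line)
    return None


def triage(log_text: str) -> list[Finding]:
    found = (triage_line(l) for l in log_text.splitlines())
    return [f for f in found if f is not None]


def summary(findings: list[Finding]) -> dict[str, int]:
    counts = {"info": 0, "review": 0, "suspicious": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:10}] {f.kind}: {f.reason}")
    print(summary(results))
```

On the sample, the two constructed lines are the only ones rated "suspicious"; the real log lines come out as "info" (the three "(file missing)" entries and the Kaspersky scanner control) or "review" (the unnamed Spybot BHO, `nwiz.exe` launched by bare name, and the WgaLogon notify entry whose target is a directory rather than a DLL). "Review" means a human looks up the vendor, not that the entry is malicious: all three of those are benign on this machine.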

#10 Guest_Cretemonster_*


Posted 26 June 2006 - 03:05 AM

Nice Job!! :thumbsup:


Go ahead and re-enable System Restore and restart the PC; this will clear out all the old, infected restore points and create a fresh clean one for you to fall back on should you ever need it.


Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Please remember to check your AntiVirus and any Spyware Apps for updates at least twice a week


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :flowers:

