Sysprotect Problem


  • This topic is locked
18 replies to this topic

#1 lockeed

lockeed

  • Members
  • 10 posts

Posted 15 June 2006 - 01:48 PM

SysProtect keeps downloading itself into my PC and Spybot and Ad-Aware do nothing. I really need some help with this. Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 1:27:36 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\tuanh\LOCALS~1\Temp\NI.USYP_0001_N76M1005\setup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tuanh\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {9ABCB0E8-4453-885E-514A-244ADB1F2DDF} - porka_.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3CFA620F-B761-56E4-8200-15550AD22B1D} - C:\WINDOWS\System32\orvzjvpb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [AppMasterCenter] corrida.exe
O4 - HKLM\..\Run: [_ctcp] BoundRec.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WindowsRegKey update2date] winupdate2date.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\tuanh\Application Data\rncr.exe
O4 - HKCU\..\Run: [Nwpqymk] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [stratas] ggfig.exe
O4 - HKCU\..\Run: [clamav] zantu.exe
O4 - HKCU\..\Run: [ftbar] new32.exe
O4 - HKCU\..\Run: [SysSupport] WTFCTF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA3652C6-8DBE-4BAB-A4EF-EE0ACBA0109D}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124
O20 - Winlogon Notify: ddccd - C:\WINDOWS\system32\ddccd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 15 June 2006 - 03:52 PM

Hello and welcome to BC. :thumbsup:

I am sorry to inform you that this is a heavily infected machine. :flowers: In addition to Vundo, Wareout and Purity Scan infections, you have a dangerous worm installed in there, i.e. Backdoor.Sdbot, aka W32/Opanki.worm, or Win32/RBot.159517!Worm. It connects to an Internet Relay Chat (IRC) server. This enables a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

This is a standard warning in such cases:

1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

and do whatever else seems appropriate.

If you are using this computer to do sensitive work (i.e., online banking, paying credit card bills), I recommend, in all honesty, that you save your datafiles and start afresh with a reformat. If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can definitely help you clean your computer to the best of my abilities.

Please let me know what you decide to do in your next post.

Here are some informative links to help you decide:

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community...tip/st1005.mspx

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

http://www.eweek.com/article2/0,1895,1945808,00.asp

#3 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts

Posted 15 June 2006 - 04:52 PM

Thank you. I don't think that my PC needs reformatting though. I used a credit card on here once around a month ago and I'm going to call the company. Other than that, I haven't done anything on here that could cause me harm. After I posted the HijackThis log here I searched around this site and downloaded Avast and did a scan. It got rid of a trojan. I think it may be the one you're talking about. I'm not sure. And is it important for me to disconnect my PC from my network? I can do it but I prefer not to.

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 15 June 2006 - 04:58 PM

In that case, we can start cleaning. Yes, it would be a good idea to keep it off the network until it's reasonably cleaned. Vundo, for one, is known to spread via network, and I don't know what your antivirus has cleaned at the moment. The cleaning process may take several posts. I'll have to work on it now and come back with the first set of instructions soon.

#5 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 15 June 2006 - 05:20 PM

Hi again, :thumbsup:


HijackThis needs to be running from a folder of its own to function properly. Please right click on an empty space on the desktop and go to New>Folder to create a new folder. Name it HijackThis. Drag and drop the HijackThis.exe into this folder.

==================================================

Please disable Windows Defender Real Time Protection as it may interfere with the fix.

To disable Windows Defender:
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Keep it disabled during the cleaning process. Once your log is clean you can re-enable Windows Defender Real Time Protection.

=======================================================

I searched around this site and downloaded avast and did a scan.


Does this mean that your McAfee is not working? Has it expired? If not, having two antivirus programs running at the same time is not a good practice. Please decide on one, and uninstall the other one via Add/Remove Programs in Control Panel.

=======================================================

Download and run the Purity Scan uninstaller.
This is the same Purity Scan stand-alone uninstall program mentioned by Symantec under removal instructions.
Alternate link for download
1. Save the Uninstaller to your desktop.
2. Double click on the OiUninstaller.exe icon on your desktop.
3. Click on "Run".
4. Enter the four digit code that is displayed and click on "Uninstall".
5. Click on "Ok" and reboot your computer.
6. Then delete this folder if found:
C:\Program Files\PurityScan\

Graphic instructions if needed.

==============================================

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, right click inside the listbox (white box) and click add more files
* Copy & paste the 2 entries below into the top 2 boxes
  • C:\WINDOWS\system32\ddccd.dll
  • C:\WINDOWS\system32\dccdd.*
* Click Add Files and Click Close Window
* Click Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

==============================================

Please download FixWareout by LonnyRJones from one of these sites and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Run Fixwareout.
  • Click Next,
  • then Install,
  • make sure Run fixit is checked
  • and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
When you run Fixwareout, simply follow the prompts; you will need to restart when prompted.

Once back in Windows, close all web browsers.
  • Go into Control Panel>Network Connections.
  • Right click on your connection
  • and click Properties.
  • On the Properties page, highlight Internet Protocol(TCP/IP)
  • Click Properties. This will bring up another page.
  • Select Obtain DNS Server Automatically.
  • Click the ok button. The page will close.
  • Press ok on the page in front of you.
  • Restart the computer.
  • Start the Internet and IE.
  • Open this file c:\fixwareout\report.txt and post the contents of it and a new HijackThis log please.
===============================================

Post back the vundofix.txt , fixwareout report.txt, and a fresh HijackThis log please.

#6 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts

Posted 15 June 2006 - 06:27 PM

I didn't uninstall McAfee but I disabled its virus scan so only Avast scans my PC.

Here is the VundoFix text:



VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.6

Java version is 1.5.0.2

Scan started at 5:38:43 PM 6/15/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\dccdd.tmp

C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.tmp
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.tmp
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
Attempting to delete C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\ddccd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\dccdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.tmp
C:\WINDOWS\system32\dccdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:23:21 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\tuanh\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {9ABCB0E8-4453-885E-514A-244ADB1F2DDF} - porka_.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [AppMasterCenter] corrida.exe
O4 - HKLM\..\Run: [_ctcp] BoundRec.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WindowsRegKey update2date] winupdate2date.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\tuanh\Application Data\rncr.exe
O4 - HKCU\..\Run: [Nwpqymk] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [stratas] ggfig.exe
O4 - HKCU\..\Run: [clamav] zantu.exe
O4 - HKCU\..\Run: [ftbar] new32.exe
O4 - HKCU\..\Run: [SysSupport] WTFCTF.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA3652C6-8DBE-4BAB-A4EF-EE0ACBA0109D}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

And here is the Fixwareout log.



Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tjnmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmnjt.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...
* csr.exe C:\WINDOWS\System32\CSEZR.EXE

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEZR.EXE 51,208 2006-04-26
C:\WINDOWS\SYSTEM32\DMNJT.EXE 44,105 2004-08-04

#7 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 15 June 2006 - 07:12 PM

Thanks for the logs. Please print these instructions so that you can have access to them while in Safe Mode later.

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

================================

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu


Check for updates but do not run it yet.

Note: If you have problems with the updater, you can manually update Ewido.
Download ewido-signatures-full-current.exe from here and save to your Desktop.
All you need to do then is to double-click it, click Install and then when it has finished, Close.

==================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

==================================
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\SYSTEM32\CSEZR.EXE
  • Click on the submit button
  • Please post the results in your next reply.
Repeat the same for this file:
  • C:\WINDOWS\SYSTEM32\DMNJT.EXE
==================================

I see you have Viewpoint installed, which is considered foistware. Please read this article.

I suggest you remove the program. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

1. Viewpoint
2. Viewpoint Manager
3. Viewpoint Media Player


===================================
  • Close all open Explorer windows and browsers/email, etc
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When completed, close the application.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [AppMasterCenter] corrida.exe
O4 - HKLM\..\Run: [_ctcp] BoundRec.exe
O4 - HKCU\..\Run: [WindowsRegKey update2date] winupdate2date.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\tuanh\Application Data\rncr.exe
O4 - HKCU\..\Run: [Nwpqymk] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [stratas] ggfig.exe
O4 - HKCU\..\Run: [clamav] zantu.exe
O4 - HKCU\..\Run: [ftbar] new32.exe
O4 - HKCU\..\Run: [SysSupport] WTFCTF.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA3652C6-8DBE-4BAB-A4EF-EE0ACBA0109D}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124


===================================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

===================================

In Safe Mode, using Windows Explorer (right click on Start, click on Explore), navigate to and delete the following files, if found:

C:\WINDOWS\SYSTEM32\CSEZR.EXE
C:\WINDOWS\SYSTEM32\DMNJT.EXE
C:\Documents and Settings\tuanh\Application Data\rncr.exe
C:\WINDOWS\system32\??rss.exe <==== The first two letters are probably from the Cyrillic alphabet and HJT cannot read them, thus ??.

For the following files, please use Windows Search function and delete them when/if found:

corrida.exe
BoundRec.exe
winupdate2date.exe
ggfig.exe
zantu.exe
new32.exe
WTFCTF.exe


Also using Windows Explorer, navigate to and delete the following folder if you've uninstalled Viewpoint.

C:\Program Files\Viewpoint\



=====================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user

=====================================

From Safe Mode run Ewido
  • Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
  • Under How to scan check all boxes
  • Under Unwanted Software check all boxes
  • Under What to scan select Scan every file
  • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Click Save Report button and save it to your desktop for easy access.

Now close Ewido-Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

===================================

Reboot in Normal Mode.

===================================

Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 7 .
You are running an old vulnerable version of Java.
  • Go to Start > Control Panel > Add/Remove Programs.
  • Search for all previously installed versions of Java (J2SE Runtime Environment...) and delete them.
  • It/they should have this icon next to it/them: [image]
  • Then download and install the newest version. 1.5.07 from here.

====================================

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
==================================

Scan with HijackThis again and post the fresh log along with the Jotti results, Ewido log and the Kaspersky results, please.

Edited by amateur, 15 June 2006 - 07:22 PM.
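HijackThis-log triage as an added example, not part of the thread and not HijackThis's own code: a small Python checker that flags the same entry patterns the helper fixed by hand above (empty start page, orphaned BHO/URLSearchHook entries, Run values that are a bare file name, a ?-garbled name or live under Temp, and O17 NameServer values outside an expected set). The sample lines are constructed from the logs in this thread, and the expected-DNS set is assumed from the O17 line of the post-cleanup log.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code
and not part of the thread). The sample log and the expected-DNS set below
are constructed from lines quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes as printed by HJT 1.99.1 in the thread, e.g.
# "O4 - HKLM\..\Run: [Name] command" and "... NameServer = a.b.c.d,e.f.g.h"
_LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
_RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
_NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")


@dataclass
class Finding:
    code: str    # HJT entry type, e.g. "O17"
    reason: str  # why the line was flagged
    line: str    # the original log line


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run value, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _has_path(exe: str) -> bool:
    """A drive letter, UNC prefix or %ENV% means the value can be located."""
    return re.match(r"^(?:[A-Za-z]:\\|\\\\|%\w+%)", exe) is not None


def triage(log_text: str, expected_dns: set[str]) -> list[Finding]:
    """Return one Finding per line that deserves a human look. Bare file
    names are flagged for review, not called malicious: a legitimate OEM
    entry (S3tray2.exe in the clean log) looks the same as corrida.exe."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and body.endswith("="):
            findings.append(Finding(code, "empty_value", line))
        elif code in ("R3", "O2", "O3") and body.endswith(("(no file)", "(file missing)")):
            findings.append(Finding(code, "orphaned_entry", line))
        elif code == "O4":
            rm = _RUN_RE.match(body)
            if not rm:
                continue  # "O4 - Startup:" lines have a different shape
            cmd = rm.group("cmd")
            if "?" in cmd:
                # HJT prints ? for characters it cannot render (the ??rss.exe case)
                findings.append(Finding(code, "unprintable_name", line))
            elif not _has_path(_first_token(cmd)):
                findings.append(Finding(code, "bare_executable", line))
            elif re.search(r"\\temp\\", cmd, re.IGNORECASE):
                findings.append(Finding(code, "runs_from_temp", line))
        elif code == "O17":
            nm = _NS_RE.search(body)
            if nm:
                servers = [s for s in re.split(r"[,\s]+", nm.group("servers")) if s]
                if any(s not in expected_dns for s in servers):
                    findings.append(Finding(code, "unexpected_dns", line))
    return findings


# Constructed sample: lines copied from both the infected and the post-cleanup
# log in this thread. The 68.94.x.x resolvers are the ones the clean log shows.
EXPECTED_DNS = {"68.94.156.1", "68.94.157.1"}
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {9ABCB0E8-4453-885E-514A-244ADB1F2DDF} - porka_.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [AppMasterCenter] corrida.exe
O4 - HKCU\..\Run: [Nwpqymk] C:\WINDOWS\system32\??rss.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCD871-ACB1-4CB9-9BC8-16CCEECBB2CD}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1225ACD-8B0A-4F47-8451-44072BE6DE14}: NameServer = 68.94.156.1 68.94.157.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_DNS):
        print(f"{f.code:4} {f.reason:17} {f.line}")
```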


#8 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts

Posted 15 June 2006 - 07:58 PM

I did everything up to the rebooting in Safe Mode. I rebooted and pressed F8 but there was only one option in the menu and that is to start in normal mode.

These are the scans from virusscan.jotti.org

File: CSEZR.EXE
Status:
INFECTED/MALWARE
MD5 a4111fec527458fd0a8e954626fe5731
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Agent-IU
AVG Antivirus
Found Downloader.Agent.13.AV
BitDefender
Found Trojan.Downloader.FFZ
ClamAV
Found Trojan.Downloader.Agent-262
Dr.Web
Found Trojan.DownLoader.9145
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.uj
NOD32
Found a variant of Win32/Small.FB
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan.DownLoader.4316

File: DMNJT.EXE
Status:
INFECTED/MALWARE
MD5 1feecb4e1722178cacbc4058021e1f25
Packers detected:
-
Scanner results
AntiVir
Found Trojan/Dldr.Small.csx
ArcaVir
Found Trojan.Downloader.Small.Csx
Avast
Found Win32:Small-EK
AVG Antivirus
Found Downloader.Generic.ZFM
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Trojan.Iespy
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Small.csx
NOD32
Found a variant of Win32/Small.FB
Norman Virus Control
Found W32/DLoader.XAM
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Small.csx

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 15 June 2006 - 08:08 PM

Carry on with the instructions in Normal Mode then and let's see what we get.

#10 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts

Posted 17 June 2006 - 04:38 AM

OK, so I did it. HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:03 AM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\tuanh\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {9ABCB0E8-4453-885E-514A-244ADB1F2DDF} - porka_.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1225ACD-8B0A-4F47-8451-44072BE6DE14}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:53:13 AM, 6/16/2006
+ Report-Checksum: C606D965

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EF130E77-0A34-4365-BFB7-218FD3DDCD5F} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@ehg-wizardsofthecoast.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@popunder.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\van\Cookies\van@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~137452.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~403801.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~575401.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~615134.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~679669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~739864.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~785844.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~839099.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~850895.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~896620.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~896742.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\van\Local Settings\Temp\~900315.tmp -> Adware.Wintol : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
C:\WINDOWS\dh1c7lr6.exe -> Adware.SAHAgent : Cleaned with backup
C:\WINDOWS\dhp2.dll -> Adware.DealHelper : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup
C:\WINDOWS\system32\awtqn.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvvt.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\bcbjv4dn.dll -> Adware.Sahat : Cleaned with backup
C:\WINDOWS\system32\jkhfg.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\uguzbdsj.exe -> Adware.PurityScan : Cleaned with backup


::Report End

kaspersky results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, June 17, 2006 4:29:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 17/06/2006
Kaspersky Anti-Virus database records: 201081
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 118634
Number of viruses found: 17
Number of infected objects: 98
Number of suspicious objects: 0
Duration of the scan process: 03:23:57

Infected Object Name / Virus Name / Last Action
C:\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\DivXPro511Adware.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator.THEFAMILY\Desktop\budlight\My Documents\budlight's stuff\programs\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Documents and Settings\Administrator.THEFAMILY\Desktop\budlight\My Documents\budlight's stuff\programs\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Documents and Settings\Administrator.THEFAMILY\Desktop\budlight\My Documents\budlight's stuff\programs\DivXPro511Adware.exe NSIS: infected - 2 skipped
C:\Program Files\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mirc616.exe mIRC: infected - 1 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069613.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069621.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069632.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069637.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP602\A0069811.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP602\A0070811.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP602\A0070815.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP615\A0071004.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP615\A0071007.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP616\A0071021.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP620\A0071092.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP622\A0071131.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP622\A0071135.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071149.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071153.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071163.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071167.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071178.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071182.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071301.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071307.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071313.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071319.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071328.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071334.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071340.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071346.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071352.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071358.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP625\A0072352.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP625\A0072358.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP626\A0073352.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP626\A0073356.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP628\A0073408.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP628\A0073414.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP634\A0073646.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP635\A0074408.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP635\A0074414.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP640\A0074454.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP640\A0074458.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074479.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074483.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074492.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074496.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074521.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074525.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074535.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074540.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074548.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074552.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP644\A0074566.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP644\A0074572.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP644\A0075566.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP645\A0076566.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP645\A0076570.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP649\A0076745.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP649\A0076756.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP652\A0076800.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP652\A0076810.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP655\A0076932.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP655\A0076939.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP657\A0076954.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP657\A0076958.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0077954.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0077958.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0078954.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0078958.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP672\A0079367.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP674\A0079377.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP675\A0079391.dll Infected: Trojan-Downloader.Win32.PurityScan.l skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0079417.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0079420.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0079424.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0080474.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0080475.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081153.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081153.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081155.exe Infected: Trojan-Clicker.Win32.Small.kg skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081157.exe Infected: Trojan.Win32.Small.hl skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081476.exe Infected: not-a-virus:AdWare.Win32.Sahat.bh skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081477.dll Infected: not-a-virus:AdWare.Win32.DealHelper.j skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081478.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081479.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bf skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081480.dll Infected: not-a-virus:AdWare.Win32.Sahat.ad skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bf skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081482.exe Infected: not-a-virus:AdWare.Win32.PurityScan.n skipped
C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe/data0007 Infected: Trojan.Win32.Zapchast.az skipped
C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.hy skipped
C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe NSIS: infected - 2 skipped
C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe UPX: infected - 2 skipped

Scan process completed.

#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:24 AM

Posted 17 June 2006 - 07:09 AM

Hi lockeed


Looks like the fixes worked. Ewido also did a good job. But we are not done yet. I see that you've installed Ewido Guard which will not be working once the trial period is over. That's why I asked you to uncheck Install background guard and Install scan via context menu so that they will not interfere with the fixes. Please disable Ewido Guard before proceeding.

From within Ewido -
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.

===========================

Let HijackThis fix these, following my earlier instructions. Make sure that Windows Defender is also disabled:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {9ABCB0E8-4453-885E-514A-244ADB1F2DDF} - porka_.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com


===========================

Delete the following files:

C:\DivXPro511Adware.exe
C:\Documents and Settings\Administrator.THEFAMILY\Desktop\budlight\My Documents\budlight's stuff\programs\DivXPro511Adware.exe
C:\Program Files\mirc616.exe


Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now navigate and delete:

C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe

Go to start > run and type regsvr32 occache.dll
Click OK

============================

Run Ccleaner

============================

Reboot and scan with Kaspersky again

============================

Post back a fresh HijackThis log and the Kaspersky results please.

Edited by amateur, 17 June 2006 - 12:22 PM.


#12 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:24 AM

Posted 17 June 2006 - 10:51 PM

deleted

Edited by lockeed, 18 June 2006 - 02:03 AM.


#13 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:24 AM

Posted 18 June 2006 - 07:53 AM

Here is the new HijackThis and the Kaspersky scan.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:52 AM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\tuanh\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1225ACD-8B0A-4F47-8451-44072BE6DE14}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 18, 2006 7:45:57 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 18/06/2006
Kaspersky Anti-Virus database records: 201181
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 101592
Number of viruses found: 15
Number of infected objects: 94
Number of suspicious objects: 0
Duration of the scan process: 02:50:49

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069613.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069621.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069632.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069637.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP602\A0069811.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP602\A0070811.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP602\A0070815.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP615\A0071004.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP615\A0071007.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP616\A0071021.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP620\A0071092.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP622\A0071131.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP622\A0071135.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071149.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071153.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071163.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071167.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071178.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071182.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071301.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071307.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071313.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP623\A0071319.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071328.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071334.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071340.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071346.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071352.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP624\A0071358.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP625\A0072352.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP625\A0072358.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP626\A0073352.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP626\A0073356.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP628\A0073408.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP628\A0073414.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP634\A0073646.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP635\A0074408.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP635\A0074414.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP640\A0074454.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP640\A0074458.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074479.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074483.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074492.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP641\A0074496.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074521.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074525.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074535.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074540.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074548.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP643\A0074552.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP644\A0074566.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP644\A0074572.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP644\A0075566.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP645\A0076566.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP645\A0076570.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP649\A0076745.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP649\A0076756.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP652\A0076800.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP652\A0076810.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP655\A0076932.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP655\A0076939.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP657\A0076954.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP657\A0076958.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0077954.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0077958.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0078954.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP663\A0078958.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP672\A0079367.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP674\A0079377.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP675\A0079391.dll Infected: Trojan-Downloader.Win32.PurityScan.l skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0079417.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0079420.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0079424.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0080474.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0080475.exe Infected: Trojan-Downloader.Win32.Small.csx skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081153.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081153.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081155.exe Infected: Trojan-Clicker.Win32.Small.kg skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081157.exe Infected: Trojan.Win32.Small.hl skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081476.exe Infected: not-a-virus:AdWare.Win32.Sahat.bh skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081477.dll Infected: not-a-virus:AdWare.Win32.DealHelper.j skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081478.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081479.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bf skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081480.dll Infected: not-a-virus:AdWare.Win32.Sahat.ad skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bf skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081482.exe Infected: not-a-virus:AdWare.Win32.PurityScan.n skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081970.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081970.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081970.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081971.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081971.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081971.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081972.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081972.exe mIRC: infected - 1 skipped

Scan process completed.
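A small parser for Kaspersky On-line Scanner report lines like the ones in the post above, added here as an editor's example and not code from the thread, BleepingComputer or Kaspersky. It separates detections that sit inside System Restore points (`C:\System Volume Information\_restore{...}\RPnnn\`, where Windows XP keeps copies of deleted files that are inert unless a restore is performed) from hits at live paths, and it skips the container summary lines (`NSIS: infected - 1`, `UPX: infected - 2`) so that an archive whose members were already listed is not counted twice. The two line shapes the regular expressions expect are an assumption taken from the reports in this thread; the sample report is a constructed excerpt, with restore-point lines copied from the report above and the `SVideoCodec4_01a.exe` lines taken from the earlier scan in this thread so that there is one live hit to find.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed line shapes, taken from the Kaspersky On-line Scanner 5.0.78.0 reports in this thread:
#   <path>[/<nested member>] Infected: <verdict> <last action>
#   <path> <packer or archive type>: infected - <count> <last action>
# The second shape summarises a container whose members were already listed,
# so it must not be counted as an additional detection.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>[^\s:]+): infected - (?P<count>\d+) (?P<action>\S+)$")
# Windows XP System Restore stores copies of deleted files under per-restore-point folders.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\"
)

# Constructed excerpt: restore-point lines copied from the report above, the
# SVideoCodec4_01a.exe lines from the earlier scan in this thread.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP593\A0069613.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081153.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP676\A0081153.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\A0081972.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.hy skipped
C:\WINDOWS\Downloaded Program Files\SVideoCodec4_01a.exe UPX: infected - 2 skipped

Scan process completed.
"""


@dataclass(frozen=True)
class Hit:
    path: str               # full object path, including any /nested member part
    verdict: str            # Kaspersky detection name
    action: str             # last action taken by the scanner, e.g. "skipped"
    in_restore_point: bool  # True when the object lives inside a System Restore point


def top_level_object(path: str) -> str:
    """Strip the nested-member suffix ("archive.exe/data0003" -> "archive.exe")."""
    return path.split("/", 1)[0]


def severity(verdict: str) -> str:
    """Kaspersky prefixes adware, riskware and bundled IRC clients with 'not-a-virus:'."""
    return "riskware" if verdict.startswith("not-a-virus:") else "malware"


def parse_report(lines) -> Tuple[List[Hit], List[Tuple[str, str, int]]]:
    """Return (detections, container summaries); header, blank and trailer lines are ignored."""
    hits: List[Hit] = []
    containers: List[Tuple[str, str, int]] = []
    for raw in lines:
        line = raw.rstrip()
        m = DETECTION_RE.match(line)
        if m:
            hits.append(Hit(m["path"], m["verdict"], m["action"], bool(RESTORE_RE.match(m["path"]))))
            continue
        c = CONTAINER_RE.match(line)
        if c:
            containers.append((c["path"], c["packer"], int(c["count"])))
    return hits, containers


def triage(hits: List[Hit]) -> Dict[str, object]:
    """Summarise what a responder needs: anything outside System Restore, and which verdicts appear."""
    live = [h for h in hits if not h.in_restore_point]
    return {
        "total": len(hits),
        "in_restore_points": len(hits) - len(live),
        "live_objects": sorted({top_level_object(h.path) for h in live}),
        "by_severity": dict(Counter(severity(h.verdict) for h in hits)),
        "verdicts": dict(Counter(h.verdict for h in hits)),
        "only_restore_points": not live,
    }


if __name__ == "__main__":
    found, skipped = parse_report(SAMPLE_REPORT.splitlines())
    summary = triage(found)
    print(f"{summary['total']} detections, {summary['in_restore_points']} inside System Restore; "
          f"{len(skipped)} container summaries not double-counted")
    for obj in summary["live_objects"]:
        print("live object still present:", obj)
```

Run against a full report, `only_restore_points` being `True` is exactly the situation amateur describes in the next post: every hit is a retained copy inside a restore point, which is why the remaining step is to clear those points rather than to remove files from the live system.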

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:24 AM

Posted 18 June 2006 - 08:37 AM

Hi lockeed,

Your log is clean and so is the Kaspersky report. It's reporting the items in the System Restore only. They cannot harm you from there, but we'll clean them as well so that they will not be reactivated if you ever have to use that function.

Disable and Enable System Restore
Please do this ONLY ONCE, not on a regular basis.

1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.
4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', and click 'OK'.

Reboot normally.

=============================================

Since we started off with an RBot worm, I would like to have a couple more scans to be on the safe side.

To use RootkitRevealer, please make sure you are logged in as an Administrator on the computer.
  • Please download and unzip RootkitRevealer to your desktop.
  • Please leave the defaults set as they are:
    • Hide NTFS Metadata Files: this option is on by default.
    • Scan Registry: this option is on by default.
  • Launch RootkitRevealer on the system and press the Scan button.
  • RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time, so please disconnect from the internet and leave the PC alone until the scan is finished.
  • The log can be very large. Please edit out the items in the following folders, if they are in the log, before posting it: C:\RECYCLER\NPROTECT and C:\System Volume Information.
  • Please post the balance of the log here in this thread using Add Reply (please double-check that it has all been posted, as it may be too long for one post).

=============================================

Then download and save F-Secure BlackLight to your desktop.
Double-click blbeta.exe, then accept the agreement.
Leave [X] Scan through Windows Explorer checked,
click Scan, then Next.
You'll see a list of all items found.
Don't choose to rename yet! I want to see the log first, because legit items can also be present there, like "wbemtest.exe".
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Copy and paste this log along with the RootkitRevealer log.

=============================================

Clean with CCleaner prior to running Sysclean.
  • Please create a folder on your desktop called Sysclean.
  • Go to http://www.trendmicro.com/download/dcs.asp and download the Sysclean package to the folder you made.
  • Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for Windows to your desktop.
  • This file will be called lptXXX.zip (XXX represents the version number).
  • Unzip lptXXX.zip and you'll get a file lpt$vpn.XXX.
  • Move lpt$vpn.XXX to the Sysclean folder you created on your desktop.
  • Temporarily turn off/disable the antivirus installed on your system, because it can interfere with the Sysclean scan. Make sure to turn it on again when finished.
  • Reboot in Safe Mode.
  • Open the Sysclean folder and double-click sysclean.com.
  • Check "Automatically clean or delete detected files."
  • Click "Scan".
  • When the scan is finished, select "View log".
  • Copy and paste this log in your next reply.

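The RootkitRevealer step in the reply above asks for the log with every entry under C:\RECYCLER\NPROTECT and C:\System Volume Information edited out before it is posted. The Python script below is an added example, not code from this thread or from Sysinternals, that does that trimming mechanically and tallies what remains by discrepancy type, so it is obvious at a glance whether anything is reported hidden outside those two folders. It assumes RootkitRevealer's tab-separated columns (path, timestamp, size, description) but matches on the timestamp so that it also accepts the space-collapsed form in which the poster's single result appears in the next reply. The sample rows are constructed for the example: the first is the registry entry the poster reports below; the others, including the driver name example.sys, are hypothetical.

```python
import re
from collections import Counter

# Folders the helper asked to be edited out before posting. Both routinely
# yield "Hidden from Windows API" entries with no rootkit involved, which is
# why they are noise for this purpose.
NOISE_PREFIXES = (r"C:\RECYCLER\NPROTECT", r"C:\System Volume Information")

# RootkitRevealer writes tab-separated columns: path, timestamp, size,
# description. Anchoring on the timestamp keeps the parser working when a
# forum post has collapsed the tabs to single spaces.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?\s+(?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>\S.*?)\s*$"
)

# Constructed sample. Row 1 is the entry the poster reports in this thread;
# the remaining rows, including the driver example.sys, are hypothetical.
SAMPLE_ROWS = [
    (r"HKLM\S-1-5-21-1619826409-1708463528-508669746-1006\RemoteAccess\InternetProfile",
     "5/28/2006 7:32 AM", "7 bytes", "Data mismatch between Windows API and raw hive data."),
    (r"C:\System Volume Information\_restore{5DAFEA27-47D0-437A-A710-F5EA02D45CE2}\RP681\change.log",
     "6/18/2006 1:16 PM", "0 bytes", "Hidden from Windows API."),
    (r"C:\RECYCLER\NPROTECT\00000001.bin",
     "6/18/2006 1:16 PM", "12.00 KB", "Hidden from Windows API."),
    (r"C:\WINDOWS\system32\drivers\example.sys",
     "6/18/2006 1:16 PM", "25.50 KB", "Hidden from Windows API."),
    (r"HKLM\SOFTWARE\Example\Hidden",
     "6/18/2006 1:16 PM", "0 bytes", "Key name contains embedded nulls (*)"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_entries(text):
    """One dict per recognised log entry; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_noise(path):
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in NOISE_PREFIXES)


def filter_entries(entries):
    return [e for e in entries if not is_noise(e["path"])]


def summarize(text):
    """Trim the noise folders and tally the remaining discrepancies. A file or
    driver still listed as hidden after trimming is what deserves a closer look;
    registry paths (HKLM\\..., HKCU\\...) are tallied but kept out of that list."""
    entries = parse_entries(text)
    kept = filter_entries(entries)
    return {
        "total": len(entries),
        "dropped_as_noise": len(entries) - len(kept),
        "kept": kept,
        "by_description": Counter(e["desc"] for e in kept),
        "hidden_files": [
            e["path"] for e in kept
            if e["desc"].startswith("Hidden from Windows API")
            and not e["path"].upper().startswith("HK")
        ],
    }


def render_for_posting(text):
    """The trimmed log in RootkitRevealer's own tab-separated layout."""
    rows = filter_entries(parse_entries(text))
    return "\n".join("\t".join((e["path"], e["when"], e["size"], e["desc"])) for e in rows)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} entries, {s['dropped_as_noise']} dropped as noise")
    for desc, n in s["by_description"].most_common():
        print(f"{n:3d}  {desc}")
    print("hidden files/drivers:", s["hidden_files"])
    print(render_for_posting(SAMPLE_LOG))
```

Point the script at a saved RootkitRevealer log instead of SAMPLE_LOG and the output of render_for_posting is what the helper asked to see. The trimming only removes the two folders named in the reply; it does not judge the entries that remain, and, as the BlackLight note above says, legitimate items can appear there too.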
#15 lockeed

lockeed
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:24 AM

Posted 19 June 2006 - 12:39 AM

RootkitRevealer says:
HKLM\S-1-5-21-1619826409-1708463528-508669746-1006\RemoteAccess\InternetProfile 5/28/2006 7:32 AM 7 bytes Data mismatch between Windows API and raw hive data.


blbeta says:
06/18/06 13:16:20 [Info]: BlackLight Engine 1.0.37 initialized
06/18/06 13:16:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/18/06 13:16:21 [Note]: 7019 4
06/18/06 13:16:21 [Note]: 7005 0
06/18/06 13:17:20 [Note]: 7006 0
06/18/06 13:17:21 [Note]: 7011 2516
06/18/06 13:17:21 [Note]: 7026 0
06/18/06 13:17:21 [Note]: 7026 0
06/18/06 13:17:49 [Note]: FSRAW library version 1.7.1015
06/18/06 17:54:55 [Note]: 7007 0


Sysclean couldn't have been copied for some reason, but it ended up saying:
total 0 virus found
maybe 0 virues found

It listed a lot of things that it says had errors, but I know for sure that many of them aren't viruses or anything.



