
Windows Security Center Popup


9 replies to this topic

#1 w1978

w1978

  • Members
  • 8 posts

Posted 19 August 2006 - 09:57 PM

Looks like I got infected with a virus or adware. I've run Ad-Aware, Panda scan, HouseCall, Stinger and Spybot. Once I reopen Internet Explorer though, I get the popups again. Here's the HijackThis log below. Can anyone help? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:49 PM, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\FREECELL.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155790152562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F277AF68-EF79-4E2A-B6FF-D0395C1749A6}: NameServer = 192.168.2.1,63.240.76.198
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts

Posted 20 August 2006 - 01:17 AM

Hi,

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll (file missing)
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll (file missing)


Close ALL browsers and open windows/programs except Hijackthis and click 'Fix Checked'.

Please perform this online scan: Kaspersky Online Scanner
1. Read the Requirements and Privacy statement, then select Accept
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select Install to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click Allow
5. When the download is complete it will say ready, click Next
6. Click Scan Settings and check the option to use the EXTENDED DATABASE, then click OK
7. Select a target to scan: Click on My Computer
8. When the scan is complete choose to save the results as Save as Text

Post back with the results of the Kaspersky scan and a new HijackThis log. Also, it looks like you previously had Comcast as your Internet Service Provider ("ISP"), and now your ISP is CERFnet. Please let me know if this is correct.
Take only memories, leave nothing but footprints.

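Added example (not part of the thread, and not HijackThis or BleepingComputer code): a Python script that applies the three checks behind the fix list above to lines copied from the log in post #1: blanked R0/R1 browser settings, O2 BHOs whose DLL is "(file missing)", and O17 NameServer entries outside the local network, which is the point the helper raised about the ISP. The line formats it parses are assumptions read off that log, not the HijackThis specification.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread, plus the
# clean AcroIEHelper BHO line for contrast. Constructed sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll (file missing)
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F277AF68-EF79-4E2A-B6FF-D0395C1749A6}: NameServer = 192.168.2.1,63.240.76.198
"""

# Shape of a HijackThis 1.99.1 line: "<section code> - <body>". The three
# body formats below are assumptions read off the log above, not a spec.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
SETTING_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<value>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)$")


def is_local_resolver(addr: str) -> bool:
    """True for RFC 1918, loopback or link-local addresses (a home router, typically)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed value: treat as not local so it gets flagged
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage_line(line: str):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        # A blanked Start Page / LinksFolderName value is a leftover of a hijack.
        s = SETTING_RE.match(body)
        if s and s.group("value") == "":
            return {"code": code, "reason": "empty browser setting", "detail": s.group("key")}
    elif code == "O2":
        # A BHO registered for a DLL that no longer exists is an orphaned hook.
        b = BHO_RE.match(body)
        if b and b.group("path").endswith("(file missing)"):
            return {"code": code, "reason": "BHO with missing DLL", "detail": b.group("clsid")}
    elif code == "O17":
        # DNS servers outside the local network deserve a second look; the
        # helper asked exactly this question about 63.240.76.198 in the thread.
        n = NS_RE.search(body)
        if n:
            external = [s for s in n.group("servers").split(",") if not is_local_resolver(s)]
            if external:
                return {"code": code, "reason": "non-local DNS server", "detail": ",".join(external)}
    return None


def triage_log(text: str):
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['code']}: {f['reason']} ({f['detail']})")
```

The script only flags candidates for a human to review; a non-local resolver can simply be the ISP's DNS, as turned out to be the question in this thread.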

#3 w1978

w1978
  • Topic Starter

  • Members
  • 8 posts

Posted 20 August 2006 - 11:57 AM

Thanks for helping out. Here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 20, 2006 9:46:53 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/08/2006
Kaspersky Anti-Virus database records: 216598
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79473
Number of viruses found: 41
Number of infected objects: 119 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:00:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0026850.exe.bac_a02432 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0026851.exe.bac_a02432 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027091.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.dbx skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027092.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.dbx skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027093.exe.bac_a04060 Infected: Trojan-Downloader.Win32.VB.afr skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027094.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.cjk skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027095.exe.bac_a04060 Infected: Trojan-Downloader.Win32.VB.ajp skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027096.dll.bac_a04060 Infected: not-virus:Hoax.Win32.Renos.dm skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027098.exe.bac_a04060 Infected: not-virus:Hoax.Win32.Renos.eh skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027099.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027102.exe.bac_a04060 Infected: Trojan-Downloader.Win32.VB.aeq skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027103.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.djm skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027104.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\W\.housecall\Quarantine\A0027105.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\W\.housecall\Quarantine\abzispme.exe.bac_a04060 Infected: Trojan-Downloader.Win32.VB.aeq skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208/Counter.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208/Beyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208/web.exe/WISE0006.BIN Infected: Trojan.Win32.Revop.e skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208/web.exe Infected: Trojan.Win32.Revop.e skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208 ZIP: infected - 6 skipped
C:\Documents and Settings\W\.housecall\Quarantine\arc.zip-53b42299-62134cd8.zip.bac_a03208 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\W\.housecall\Quarantine\arr3.jar-44f46a26-7efbf630.zip.bac_a02612/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\W\.housecall\Quarantine\arr3.jar-44f46a26-7efbf630.zip.bac_a02612/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\W\.housecall\Quarantine\arr3.jar-44f46a26-7efbf630.zip.bac_a02612/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\W\.housecall\Quarantine\arr3.jar-44f46a26-7efbf630.zip.bac_a02612 ZIP: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\arr3.jar-44f46a26-7efbf630.zip.bac_a02612 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\avalcbli.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-663d17d7-4620bf44.zip.bac_a03208/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-663d17d7-4620bf44.zip.bac_a03208/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-663d17d7-4620bf44.zip.bac_a03208/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-663d17d7-4620bf44.zip.bac_a03208/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-663d17d7-4620bf44.zip.bac_a03208 ZIP: infected - 4 skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-663d17d7-4620bf44.zip.bac_a03208 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-d4c1d6-3bb8ed3b.zip.bac_a03208/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-d4c1d6-3bb8ed3b.zip.bac_a03208/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-d4c1d6-3bb8ed3b.zip.bac_a03208/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-d4c1d6-3bb8ed3b.zip.bac_a03208/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-d4c1d6-3bb8ed3b.zip.bac_a03208 ZIP: infected - 4 skipped
C:\Documents and Settings\W\.housecall\Quarantine\classload.jar-d4c1d6-3bb8ed3b.zip.bac_a03208 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\W\.housecall\Quarantine\count.jar-10317d84-51d54071.zip.bac_a03208/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\count.jar-10317d84-51d54071.zip.bac_a03208/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\count.jar-10317d84-51d54071.zip.bac_a03208/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\W\.housecall\Quarantine\count.jar-10317d84-51d54071.zip.bac_a03208 ZIP: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\count.jar-10317d84-51d54071.zip.bac_a03208 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\dnyyzic.tmp.bac_a03208 Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\W\.housecall\Quarantine\e6f1873b.dll.bac_a03208 Infected: Trojan-Downloader.Win32.Braidupdate.d skipped
C:\Documents and Settings\W\.housecall\Quarantine\fbaxuafc.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.dbx skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208/web.exe Infected: Trojan.Win32.LowZones.cp skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208 ZIP: infected - 5 skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-16e6c0b4-33c1bac0.zip.bac_a03208 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208/web.exe Infected: Trojan.Win32.Small.ev skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208 ZIP: infected - 5 skipped
C:\Documents and Settings\W\.housecall\Quarantine\jar.jar-664f9470-555ac055.zip.bac_a03208 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-10f4384f-7c4bb2a2.zip.bac_a02612/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-10f4384f-7c4bb2a2.zip.bac_a02612/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-10f4384f-7c4bb2a2.zip.bac_a02612 ZIP: infected - 2 skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-10f4384f-7c4bb2a2.zip.bac_a02612 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-debb6b6-6c0ebd82.zip.bac_a02612/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-debb6b6-6c0ebd82.zip.bac_a02612/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-debb6b6-6c0ebd82.zip.bac_a02612 ZIP: infected - 2 skipped
C:\Documents and Settings\W\.housecall\Quarantine\java.jar-debb6b6-6c0ebd82.zip.bac_a02612 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\W\.housecall\Quarantine\javainstaller.jar-31f00108-4440486b.zip.bac_a03208/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\W\.housecall\Quarantine\javainstaller.jar-31f00108-4440486b.zip.bac_a03208 ZIP: infected - 1 skipped
C:\Documents and Settings\W\.housecall\Quarantine\javainstaller.jar-31f00108-4440486b.zip.bac_a03208 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\W\.housecall\Quarantine\kktonckn.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.djm skipped
C:\Documents and Settings\W\.housecall\Quarantine\kvkrkumx.exe.bac_a02612 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Documents and Settings\W\.housecall\Quarantine\lich.exe.bac_a03208 Infected: Trojan.Win32.LowZones.dm skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv557.jar-57975d84-2a8d6bd4.zip.bac_a02612/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv557.jar-57975d84-2a8d6bd4.zip.bac_a02612/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv557.jar-57975d84-2a8d6bd4.zip.bac_a02612/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv557.jar-57975d84-2a8d6bd4.zip.bac_a02612 ZIP: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv557.jar-57975d84-2a8d6bd4.zip.bac_a02612 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv659.jar-991462e-526d6f39.zip.bac_a02612/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv659.jar-991462e-526d6f39.zip.bac_a02612/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv659.jar-991462e-526d6f39.zip.bac_a02612/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv659.jar-991462e-526d6f39.zip.bac_a02612 ZIP: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\loaderadv659.jar-991462e-526d6f39.zip.bac_a02612 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\W\.housecall\Quarantine\MediaTicketsInstaller.ocx.bac_a03208 Infected: not-a-virus:AdWare.Win32.MediaTickets.b skipped
C:\Documents and Settings\W\.housecall\Quarantine\msirrcdp.exe.bac_a04060 Infected: Trojan-Downloader.Win32.VB.ajp skipped
C:\Documents and Settings\W\.housecall\Quarantine\mt-uninstaller.exe.bac_a03208/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
C:\Documents and Settings\W\.housecall\Quarantine\mt-uninstaller.exe.bac_a03208 NSIS: infected - 1 skipped
C:\Documents and Settings\W\.housecall\Quarantine\mt-uninstaller.exe.bac_a03208 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\W\.housecall\Quarantine\naaounqq.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\Documents and Settings\W\.housecall\Quarantine\nbb2.jar-3ba8fb30-6ec08dda.zip.bac_a03208/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.l skipped
C:\Documents and Settings\W\.housecall\Quarantine\nbb2.jar-3ba8fb30-6ec08dda.zip.bac_a03208/counter.class Infected: Trojan.Java.ClassLoader.b skipped
C:\Documents and Settings\W\.housecall\Quarantine\nbb2.jar-3ba8fb30-6ec08dda.zip.bac_a03208/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\W\.housecall\Quarantine\nbb2.jar-3ba8fb30-6ec08dda.zip.bac_a03208/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\W\.housecall\Quarantine\nbb2.jar-3ba8fb30-6ec08dda.zip.bac_a03208 ZIP: infected - 4 skipped
C:\Documents and Settings\W\.housecall\Quarantine\nbb2.jar-3ba8fb30-6ec08dda.zip.bac_a03208 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\W\.housecall\Quarantine\ncj.exe.bac_a03208 Infected: not-virus:Hoax.Win32.Renos.bb skipped
C:\Documents and Settings\W\.housecall\Quarantine\office_pnl.dll.bac_a04060 Infected: not-virus:Hoax.Win32.Renos.dm skipped
C:\Documents and Settings\W\.housecall\Quarantine\ps_install-mt.exe.bac_a03208 Infected: Trojan.Win32.Scapur.a skipped
C:\Documents and Settings\W\.housecall\Quarantine\qovrkfkq.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\W\.housecall\Quarantine\smartdrv.exe.bac_a04060 Infected: not-virus:Hoax.Win32.Renos.eh skipped
C:\Documents and Settings\W\.housecall\Quarantine\stcujajc.exe.bac_a02612 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Documents and Settings\W\.housecall\Quarantine\stlb2.dll.bac_a03208 Infected: Trojan-Downloader.Win32.Braidupdate.d skipped
C:\Documents and Settings\W\.housecall\Quarantine\TBuninst.exe.bac_a03208 Infected: not-a-virus:AdWare.Win32.WebSearch.i skipped
C:\Documents and Settings\W\.housecall\Quarantine\tlalwchg.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.cjk skipped
C:\Documents and Settings\W\.housecall\Quarantine\ttuh.exe.bac_a03208 Infected: not-a-virus:AdWare.Win32.PurityScan.w skipped
C:\Documents and Settings\W\.housecall\Quarantine\winstall.exe.bac_a03208 Infected: not-virus:Hoax.Win32.Renos.bb skipped
C:\Documents and Settings\W\.housecall\Quarantine\xtfvhwrq.exe.bac_a04060 Infected: Trojan-Downloader.Win32.VB.afr skipped
C:\Documents and Settings\W\.housecall\Quarantine\zdj.exe.bac_a03208 Infected: Trojan.Win32.LowZones.dm skipped
C:\Documents and Settings\W\.housecall\Quarantine\zzwusqel.exe.bac_a04060 Infected: Trojan-Downloader.Win32.Small.dbx skipped
C:\Documents and Settings\W\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\cert8.db Object is locked skipped
C:\Documents and Settings\W\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\history.dat Object is locked skipped
C:\Documents and Settings\W\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\key3.db Object is locked skipped
C:\Documents and Settings\W\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\parent.lock Object is locked skipped
C:\Documents and Settings\W\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2389f797-4f672072.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\W\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-275eaf6f-14de0b33.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\W\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-52d8b673-616d8018.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\W\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\W\Local Settings\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\W\Local Settings\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\W\Local Settings\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\W\Local Settings\Application Data\Mozilla\Firefox\Profiles\h3fpb9t1.Default User\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\W\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\W\Local Settings\Temp\~DF46B9.tmp Object is locked skipped
C:\Documents and Settings\W\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\W\My Documents\Virus Scanners\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\W\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\W\ntuser.dat.LOG Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CAF2AEF5-557B-4E45-8EFB-8B500EBB7E33}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\bribsifh.exe Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\my_update.exe Infected: Trojan-Downloader.Win32.VB.aeq skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#4 w1978


Posted 20 August 2006 - 11:59 AM

And here's the new Hijackthis log.

Also, to answer your question, I still have Comcast as my ISP. I've never heard of CERFnet.

Logfile of HijackThis v1.99.1
Scan saved at 9:50:01 AM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155790152562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F277AF68-EF79-4E2A-B6FF-D0395C1749A6}: NameServer = 192.168.2.1,63.240.76.198
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#5 waterfalls


Posted 20 August 2006 - 02:36 PM

Hi,

Please do the following in the order given. You will have to print or copy these instructions as you will be working in Safe Mode without an Internet connection.

Clean out the Trend Micro Housecall quarantine folder by deleting everything inside that folder.

Download and install Ewido Anti-Spyware v4.0
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\ewido anti-spyware 4.0, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on ewido in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended" tab and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here. Exit Ewido when done.
Do NOT perform a scan yet.

Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Start HijackThis, click System Scan Only and place a checkmark next to the following item:
O17 - HKLM\System\CCS\Services\Tcpip\..\{F277AF68-EF79-4E2A-B6FF-D0395C1749A6}: NameServer = 192.168.2.1,63.240.76.198

Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'. Then exit the program.

Clean out your Temporary Internet files. Proceed like this:
  • Close ALL browsers and open windows / programs.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Scan with Ewido as follows:
1. Launch Ewido, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\ewido anti-spyware 4.0\Reports\
6. Exit Ewido when done and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

Reboot into Normal Mode.

Post back with the results of the Ewido log and a new HijackThis log.
Take only memories, leave nothing but footprints.


#6 w1978


Posted 20 August 2006 - 05:27 PM

OK, here's the result of the Ewido scan.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:19:40 PM 8/20/2006

+ Scan result:



C:\Documents and Settings\W\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-275eaf6f-14de0b33.class -> Downloader.OpenStream.y : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\my_update.exe -> Downloader.VB.aeq : Cleaned with backup (quarantined).
C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\9NFTNLVO\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).


::Report end

#7 waterfalls


Posted 21 August 2006 - 01:43 AM

Hi,

You forgot to add a new HijackThis log. Also, how is your computer running now?
Take only memories, leave nothing but footprints.


#8 w1978


Posted 21 August 2006 - 08:18 AM

I did forget. Here's a log from this morning. My computer seems to be running great. I haven't had any popups or slowdowns recently. Thanks a lot.

Logfile of HijackThis v1.99.1
Scan saved at 6:14:17 AM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155790152562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#9 waterfalls


Posted 21 August 2006 - 09:33 AM

Hi,

You're quite welcome! Your log looks clean now.

If you have not done so, please empty your Recycle Bin.

Create a new Restore Point:
- Go to Start -> All Programs -> Accessories -> System Tools -> System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

Delete the old Restore Points:
- Go to Start -> All Programs -> Accessories -> System Tools -> Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster. SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

Download ATF Cleaner by Atribune and save to your desktop.
This program is for XP and Windows 2000 only.
This is a good program for periodically cleaning your system. Instructions are here.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. Use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

Let your anti-spyware scanner(s) scan frequently and don't forget to update before scanning.

Make sure that your virus-scanner, the one that is already installed on your system, is always up to date!

Make sure your Windows has the latest updates by going here.

More information on how to prevent malware can be found at So how did I get infected in the first place? by Tony Klein.

Happy surfing again!
Take only memories, leave nothing but footprints.
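An added example, not part of the thread and not a HijackThis feature: a Python script that mechanises the two checks the helper made in this thread, the O17 NameServer review behind the fix in post #5 and the before/after comparison behind the "looks clean" verdict above. The log excerpts embedded below are cut down from the logs in posts #4 and #8; the `trusted` allow-list is an assumption standing in for resolvers the reader has confirmed belong to their ISP.

```python
import ipaddress
import re

# Excerpts of the HijackThis logs posted in this thread: post #4 (before the O17
# fix) and post #8 (after). Only a handful of entries are reproduced.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{F277AF68-EF79-4E2A-B6FF-D0395C1749A6}: NameServer = 192.168.2.1,63.240.76.198
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Numbered entries look like "O17 - <body>"; the header and the process list do not.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# O17 body: ...Tcpip\..\{<adapter GUID>}: NameServer = ip[,ip...]
O17_RE = re.compile(r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>[\d.,]+)")


def parse_entries(log):
    """Return {code: [body, ...]} for the numbered HijackThis entries only."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group("code"), []).append(m.group("body"))
    return entries


def nameservers(log):
    """[(adapter_guid, [ip, ...])] taken from the O17 entries."""
    out = []
    for body in parse_entries(log).get("O17", []):
        m = O17_RE.search(body)
        if m:
            out.append((m.group("guid"), m.group("servers").split(",")))
    return out


def foreign_nameservers(log, trusted=()):
    """O17 resolver addresses that are neither RFC 1918/loopback (the home router)
    nor on the caller's allow-list of known ISP resolvers (assumed input).
    Anything returned is a candidate for a whois lookup, not yet a verdict."""
    trusted = {ipaddress.ip_address(t) for t in trusted}
    flagged = []
    for guid, ips in nameservers(log):
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not (addr.is_private or addr.is_loopback) and addr not in trusted:
                flagged.append((guid, ip))
    return flagged


def diff_logs(before, after):
    """(removed, added) entry lines between two logs: the comparison a helper
    makes before calling a follow-up log clean."""
    b = {f"{c} - {x}" for c, xs in parse_entries(before).items() for x in xs}
    a = {f"{c} - {x}" for c, xs in parse_entries(after).items() for x in xs}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for guid, ip in foreign_nameservers(LOG_BEFORE):
        print(f"check resolver {ip} on adapter {{{guid}}}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

A public address in an O17 entry is not by itself proof of a hijack: on a DHCP-assigned adapter the ISP's own resolvers show up the same way, which is why the helper first asked whether the second address belonged to the user's ISP (post #4's reply) before having it fixed. The diff is the cheaper half of the verdict: here it should show exactly one removed line (the O17 entry) and one added line (the ewido guard service the user installed on instruction).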


#10 waterfalls


Posted 06 September 2006 - 10:58 AM

Since this issue appears resolved ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a new topic.
Take only memories, leave nothing but footprints.




