Programs Not Loading On Start Up


45 replies to this topic

#1 Ai.

Posted 27 September 2006 - 09:54 PM

Basically, yesterday I tried downloading a small file using Firefox and it would not work, so I resorted to using Internet Explorer. Upon downloading the file using IE, a bunch of IE windows (or tabs, since I was using the IE Tab plugin for Firefox) opened up; I promptly closed them all. I suppose it was somewhere around this point that I got infected. There were no immediate symptoms, but later that night when I looked at my processes I saw a process that I was not familiar with ("ja.exe"), so I killed it. Nothing seemed to happen. The next day when I turned my computer on I noticed that none of the programs which I have designated to load on start-up actually loaded; the only programs that did load were Windows volume control, Windows Update, and something called hpc series 700 (for my printer). Apart from that, everything seems to work fine, except for the media keys on my keyboard and the back/forward Internet browsing buttons on my mouse. So I'm stumped; I've been malware-free for years now, and now I have no idea what to do, so I hope that someone can help.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:32:55 PM, on 9/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Proxomitron\Proxomitron.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TW_BrowserHook - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Taskbar Wallpaper.lnk = C:\DOCUME~1\x\Desktop\Taskbar.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.fanta.dk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D0541EC-6314-41EC-95A7-17F4D563D541}: NameServer = 64.59.144.16,64.59.144.17
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe

Ewido log:

+ Created at: 7:07:16 PM 9/27/2006

+ Scan result:

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Creative\SBLive\Program\AHQInit.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Logitech\iTouch\iTouch.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Microsoft Hardware\Mouse\point32.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Microsoft Works\WksSb.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Microsoft Works\wkfud.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Norton AntiVirus\navapw32.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\QuickTime\qttask.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP576\A0070497.EXE -> Heuristic.Win32.AVKiller : No action taken.
C:\WINDOWS\SYSTEM32\IME\TINTLGNT\tintsetp.exe.tmp -> Heuristic.Win32.AVKiller : No action taken.
C:\WINDOWS\SYSTEM32\NeroCheck.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\WINDOWS\Updreg.exe -> Heuristic.Win32.AVKiller : No action taken.
:mozilla.768:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.10:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.16:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.17:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.18:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\x\Cookies\x@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\x\Cookies\x@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\x\Cookies\x@microsoftwga.112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\x\Cookies\x@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\x\Cookies\x@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.112:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.57:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.58:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.723:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.801:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\x\Cookies\x@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.11:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Addcontrol : No action taken.
:mozilla.10:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Adocean : No action taken.
:mozilla.9:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Adocean : No action taken.
C:\Documents and Settings\x\Cookies\x@z1.adserver[1].txt -> TrackingCookie.Adserver : No action taken.
:mozilla.259:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\x\Local Settings\Temp\Cookies\x@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.797:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
:mozilla.260:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.261:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.262:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\x\Cookies\x@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\x\Cookies\x@centrport[1].txt -> TrackingCookie.Centrport : No action taken.
C:\Documents and Settings\x\Local Settings\Temp\Cookies\x@centrport[1].txt -> TrackingCookie.Centrport : No action taken.
:mozilla.25:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.38:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.39:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.6:C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\wm0fxqq8.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.7:C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\wm0fxqq8.slt\cookies.txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\x\Cookies\x@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\x\Local Settings\Temp\Cookies\x@com[2].txt -> TrackingCookie.Com : No action taken.
:mozilla.162:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.169:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.21:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.22:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.23:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.24:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.25:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.290:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.627:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.628:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.629:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.630:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.631:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.401:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.682:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.683:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\x\Cookies\x@komtrack[2].txt -> TrackingCookie.Komtrack : No action taken.
C:\Documents and Settings\x\Cookies\x@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\x\Local Settings\Temp\Cookies\x@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.221:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.222:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.223:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.888:C:\Documents and Settings\xz\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\x\Cookies\x@www7.paypopup[1].txt -> TrackingCookie.Paypopup : No action taken.
C:\Documents and Settings\x\Cookies\x@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.126:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\x\Cookies\x@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\x\Cookies\x@revenue[2].txt -> TrackingCookie.Revenue : No action taken.
:mozilla.52:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.53:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.54:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.55:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.56:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.134:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.135:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.136:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.137:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.34:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.35:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.36:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.37:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.38:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\x\Cookies\x@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\x\Cookies\x@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.100:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.101:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.85:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.86:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.87:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.88:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.89:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.90:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.91:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.92:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.93:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.94:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.95:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.96:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.97:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.98:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.99:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\x\Cookies\x@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.379:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.380:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.381:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\x\Cookies\x@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.729:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Targetnet : No action taken.
:mozilla.152:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.153:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.154:C:\Documents and Settings\x\Application Data\Phoenix\Profiles\default\457a8ete.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.24:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.27:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.28:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.31:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\x\Cookies\x@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.267:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Weborama : No action taken.
:mozilla.895:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.505:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\x\Cookies\x@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.738:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.739:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.740:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\x\Cookies\x@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP562\A0069204.exe -> Trojan.Regspy : No action taken.


::Report end

I have deleted all of the tracking cookies and quarantined the files infected with Heuristic.Win32.AVKiller (which coincidentally belong to the programs which are not loading on startup) and Trojan.Regspy. I am hesitant to delete these files, since I don't want the programs they are affiliated with to cease functioning, so I figured I'd come here and ask for some more experienced advice.

Thanks.
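The post above notices that the files Ewido flagged as Heuristic.Win32.AVKiller are the same programs that stopped loading at startup. The script below is an added example for this thread, not code from the post, from HijackThis or from Ewido: it parses the O4 autostart lines of a HijackThis log and the file lines of an Ewido report (both excerpts copied from the logs above), and reports which autostart executables were flagged and which detections point somewhere else (restore-point copies, a temp file, binaries that are not in the O4 list). A heuristic name by itself does not say whether these hits are infected files or false positives; the script only makes the overlap explicit. The regular expressions, the dictionary field names and the matching-by-file-name rule are this example's own assumptions.

```python
"""Cross-check HijackThis O4 autostart entries against an Ewido report.
Added example for this thread, not code from the post, HijackThis or Ewido.
The log excerpts are copied from above; regexes and field names are assumed."""
import re

# Excerpt of the O4 section of the HijackThis log posted above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Taskbar Wallpaper.lnk = C:\DOCUME~1\x\Desktop\Taskbar.exe
"""

# Excerpt of the Ewido report above; one cookie line kept to show it is skipped.
EWIDO_LOG = r"""
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Creative\SBLive\Program\AHQInit.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Logitech\iTouch\iTouch.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Microsoft Hardware\Mouse\point32.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Microsoft Works\WksSb.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Norton AntiVirus\navapw32.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE -> Heuristic.Win32.AVKiller : No action taken.
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -> Heuristic.Win32.AVKiller : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP576\A0070497.EXE -> Heuristic.Win32.AVKiller : No action taken.
C:\WINDOWS\SYSTEM32\IME\TINTLGNT\tintsetp.exe.tmp -> Heuristic.Win32.AVKiller : No action taken.
:mozilla.768:C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP562\A0069204.exe -> Trojan.Regspy : No action taken.
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<kind>Global Startup|Startup): (?P<name>.+?)(?: = (?P<cmd>.*))?$")
# Ewido file hits start with a drive letter; cookie hits start with ':mozilla.'
EWIDO_HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<det>\S+) : (?P<action>.+)$")


def executable_of(command: str) -> str:
    """Program part of a command line: cut at the first '.exe' because paths
    contain spaces; entries with no extension (dumprep, '?') keep their first token."""
    m = re.match(r"(?i)^(.*?\.exe)", command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def basename(path: str) -> str:
    """Case-folded file name, so 8.3 short paths still match long paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_autostarts(hjt_text: str) -> list:
    """One dict per O4 line: registry Run values and Startup-folder shortcuts."""
    entries = []
    for line in hjt_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            exe = executable_of(m.group("cmd"))
            entries.append({"source": m.group("hive") + " Run", "name": m.group("name"), "exe": exe, "base": basename(exe)})
            continue
        m = O4_LNK.match(line.strip())
        if m:  # a Startup entry with no '=' target is the file itself
            exe = executable_of(m.group("cmd") or m.group("name"))
            entries.append({"source": m.group("kind"), "name": m.group("name"), "exe": exe, "base": basename(exe)})
    return entries


def parse_detections(ewido_text: str) -> list:
    """One dict per file detection; cookie entries do not match and are skipped."""
    hits = []
    for line in ewido_text.splitlines():
        m = EWIDO_HIT.match(line.strip())
        if m:
            hits.append({"path": m.group("path"), "base": basename(m.group("path")), "detection": m.group("det"), "action": m.group("action")})
    return hits


def correlate(autostarts: list, detections: list):
    """Pair autostart entries with detections on the same file name."""
    by_base = {}
    for d in detections:
        by_base.setdefault(d["base"], []).append(d)
    flagged = {a["base"]: (a, by_base[a["base"]]) for a in autostarts if a["base"] in by_base}
    elsewhere = [d for d in detections if d["base"] not in flagged]
    return flagged, elsewhere


def summarize(hjt_text: str, ewido_text: str) -> dict:
    autostarts = parse_autostarts(hjt_text)
    detections = parse_detections(ewido_text)
    flagged, elsewhere = correlate(autostarts, detections)
    return {"autostart_entries": len(autostarts), "detections": len(detections),
            "autostarts_flagged": sorted(flagged), "flagged_elsewhere": sorted(d["base"] for d in elsewhere)}


if __name__ == "__main__":
    for key, value in summarize(HJT_LOG, EWIDO_LOG).items():
        print(f"{key}: {value}")
```

Matching on the case-folded file name rather than the full path is deliberate: HijackThis prints some entries as 8.3 short paths (C:\PROGRA~1\...) while the scanner prints long paths, and the O4 value for a Startup-folder shortcut often names the shortcut, not its target. Against the full logs on this page the same run would also list the detections that have no O4 counterpart at all (the scanner's own navapw32.exe, qttask.exe, NeroCheck.exe, Updreg.exe), which is the list a helper would want to look at separately from the startup-program question.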


#2 jamielaw

Posted 30 September 2006 - 06:22 PM

Welcome Ai.! :thumbsup:

I will be helping you under the guidance of one of our expert coaches.

Please give me a little time to get back to you with instructions.

Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#3 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 30 September 2006 - 06:50 PM

No problem; thank you for your reply.

Just to add a little more information, after I posted my initial log I ran Ewido again and it picked up three more files infected with w32.avkiller, which I have quarantined.

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP577\A0070583.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP577\A0070584.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP577\A0070585.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).

Since that time I have run Ewido once or twice a day and each time I scanned my system it came up clean. But I'm still not confident that the virus is gone, nor do I know what to do with the quarantined files.

Also on the 27th, I found two processes which I was not familiar with: IKernel.exe and knlwrap.exe. I tried to do a little research on them but I ended up with contradictory information; some websites told me that they were legitimate files related to Install Shield, and others told me that they were key/mouse loggers (knlwrap.exe specifically). I haven't seen them since I killed them in the processes tab that day. I also found the same type of contradictory information regarding a third process, devldr32.exe. It keeps appearing in my processes whenever I start a program. Trendmicro says that it's related to the deloader.a/b worms, but when I tried to manually remove the worms as per their instructions, I couldn't find any traces of them in the registry. Other websites say that it's related to Creative Lab's Sound Blaster Live! drivers (or something).

I also noted some abnormal behavior from Firefox and IE while browsing the Internet, after my system got infected. I can't seem to connect (I get a blank page) to any "secure" websites such as G-mail or my college's student login page. Also, the image which is supposed to appear with a three digit confirmation code which you must enter into a box in order to download stuff from Rapidshare, as a free user, also appears as a broken link, each time.

I hope this isn't information-overload. I'm just trying to be as thorough as I possibly can.

Once again, thanks for your help. :thumbsup:

#4 jamielaw
    Malware Ass-Kicker!
  • Members
  • 878 posts

Posted 01 October 2006 - 01:22 PM

Hey Ai.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME
  • Click HERE for the update.
  • Apply the update.
  • REBOOT YOUR SYSTEM
  • Post a fresh Hijack This log


#5 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 01 October 2006 - 03:45 PM

I get a "The file c:\windows\system32\drivers\atapi.sys is open or in use by another application." error during the inventory stage of the upgrade. It won't let me continue with the installation.

Edited by Ai., 01 October 2006 - 03:48 PM.


#6 jamielaw
    Malware Ass-Kicker!
  • Members
  • 878 posts

Posted 02 October 2006 - 12:35 PM

Hey Ai.

Restore Ewido Files:

Some of the files Ewido quarantined are in fact legitimate files - they are false positives by Ewido.

You need to update Ewido. If you are having problems then use the manual updates.

The files need restoring:

1. Click Start > All Programs and open Ewido up
2. Select the Infections tab.
3. Select these and restore them:

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\Program\AHQInit.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Microsoft Works\wkfud.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\IME\TINTLGNT\tintsetp.exe.tmp
C:\WINDOWS\SYSTEM32\NeroCheck.exe
C:\WINDOWS\Updreg.exe


Please can you then boot in Safe Mode by pressing the F8 key continually whilst your computer starts up. Then please run a full system scan and post the log back into this thread in your next reply.

Service Pack 1:

Please could you check if you have either of these two programs: Alcohol and Daemon Tools.

If you have either of these programs installed please could you uninstall them and then update to Service Pack 1. You can then re-install the programs once you have updated to Service Pack 1.

Let me know if this helps.

#7 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 03 October 2006 - 09:27 PM

Hi, sorry for the late reply.

I unquarantined the items you listed and ran Ewido in Safe Mode, like you told me to, and found some interesting results:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:19:14 PM 03/10/2006

+ Scan result:



HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch\Browser -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch\Faceplate -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch\History -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch\Resources -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch\Stations -> Adware.HiWire : No action taken.
HKU\S-1-5-21-2771580065-2752991226-3942243025-500\Software\Hiwire\MusicMatch\WebUpdate -> Adware.HiWire : No action taken.
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Creative\SBLive\Program\AHQInit.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Logitech\iTouch\iTouch.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Microsoft Hardware\Mouse\point32.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Microsoft Works\WksSb.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Microsoft Works\wkfud.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Norton AntiVirus\navapw32.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE -> Downloader.Agent.awf : No action taken.
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.awf : No action taken.
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070604.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070605.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070606.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070607.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070608.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070609.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070610.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070611.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070612.EXE -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070613.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070614.exe -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070615.EXE -> Downloader.Agent.awf : No action taken.
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP578\A0070616.exe -> Downloader.Agent.awf : No action taken.
C:\WINDOWS\SYSTEM32\IME\TINTLGNT\tintsetp.exe.tmp -> Downloader.Agent.awf : No action taken.
C:\WINDOWS\SYSTEM32\NeroCheck.exe -> Downloader.Agent.awf : No action taken.
C:\WINDOWS\Updreg.exe -> Downloader.Agent.awf : No action taken.


::Report end

I quarantined everything. Judging by the results, it can be assumed that (from my last post)

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP577\A0070583.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP577\A0070584.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP577\A0070585.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).

are also infected with Downloader.Agent.awf?

#8 jamielaw
    Malware Ass-Kicker!
  • Members
  • 878 posts

Posted 06 October 2006 - 01:03 PM

Did you try the Service Pack 1 instructions?

#9 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 07 October 2006 - 12:52 AM

Hi,

I haven't tried the Service Pack 1 instructions yet. I decided to defragment this drive before attempting to install the service pack, as I keep hearing horror stories about system instability and inevitable reformats after service pack installations. I'll be installing Service Pack 1 tomorrow (Saturday), since it's too late to do anything tonight.

#10 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 08 October 2006 - 05:33 PM

Okay, I removed Alcohol 120% and installed SP1. It installed successfully, but when it had me reboot my computer, it took a very long time (~10 minutes) for Windows to load fully. Is this normal for a first-time-after-install reboot? I'm not sure if this is a recurring thing; I haven't rebooted my computer a second time after the install yet...

Edit: Never mind; computer starts up at normal speed now.

And should I bother reinstalling Alcohol 120% now, or will you be having me upgrade to SP2 later? The SP2 install seems like it will also have problems with atapi.sys if I have Alcohol 120% or Daemon Tools installed.

Anyway, awaiting further cleaning instructions. :thumbsup:

Edited by Ai., 08 October 2006 - 11:25 PM.


#11 jamielaw
    Malware Ass-Kicker!
  • Members
  • 878 posts

Posted 09 October 2006 - 12:31 PM

Hey Ai.

And should I bother reinstalling Alcohol 120% now, or will you be having me upgrade to SP2 later? The SP2 install seems like it will also have problems with atapi.sys if I have Alcohol 120% or Daemon Tools installed.


That is correct. Once your computer is completely clean, and only then, I'll give you instructions for updating to SP2. If the program caused problems whilst installing SP1 it would be advisable not to reinstall it until we have cleaned your computer up and installed SP2.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log.


#12 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 10 October 2006 - 06:54 PM

Heya, here are the logs you asked for.

ATF: Cleaned options for "Main" and for "Firefox," although for Firefox I opted to manually delete the cookies, since I have auto-logins set up for various websites that I do not remember login information to, and am currently unable to retrieve due to this malware disabling me from viewing SSL-encrypted webpages.

Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 10, 2006 4:49:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/10/2006
Kaspersky Anti-Virus database records: 230497
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 164451
Number of viruses found: 2
Number of infected objects: 14 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:10:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cert8.db Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\history.dat Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\key3.db Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\parent.lock Object is locked skipped
C:\Documents and Settings\x\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\x\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Program Files\Norton Personal Firewall\nisum.dat Object is locked skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070974.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070975.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070976.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070977.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070978.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070979.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070980.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070981.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070982.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070983.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070984.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070985.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070986.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP617\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#13 Ai.
  • Topic Starter
  • Members
  • 27 posts

Posted 10 October 2006 - 06:56 PM

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:51:02 PM, on 10/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Proxomitron\Proxomitron.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TW_BrowserHook - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Taskbar Wallpaper.lnk = C:\DOCUME~1\x\Desktop\Taskbar.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.fanta.dk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D0541EC-6314-41EC-95A7-17F4D563D541}: NameServer = 64.59.144.16,64.59.144.17
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe

----

I also still have the objects quarantined from the time you told me to run Ewido under Safe Mode.

#14 jamielaw


    Malware Ass-Kicker!


  • Members
  • 878 posts

Posted 11 October 2006 - 11:04 AM

Wordwrap:

Please post a new HijackThis log and in Notepad be sure to click on Format and place a check mark beside "word wrap" so the log will be easier to read. Repeat this for the Kaspersky log too.

Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#15 Ai.

  • Topic Starter

  • Members
  • 27 posts

Posted 11 October 2006 - 07:48 PM

Er, sorry about that; I knew something didn't look right. Hope this is better.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 10, 2006 4:49:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/10/2006
Kaspersky Anti-Virus database records: 230497
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 164451
Number of viruses found: 2
Number of infected objects: 14 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:10:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\cert8.db Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\history.dat Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\key3.db Object is locked skipped
C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\parent.lock Object is locked skipped
C:\Documents and Settings\x\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Mozilla\Firefox\Profiles\atc0j6fu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\x\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\x\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Program Files\Norton Personal Firewall\nisum.dat Object is locked skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070974.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070975.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070976.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070977.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070978.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070979.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070980.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070981.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070982.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070983.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070984.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070985.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP580\A0070986.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP617\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



