
Clicking Link In Google List Goes To Incorrect Site.


This topic is locked
14 replies to this topic

#1 Mottto


Posted 26 October 2006 - 11:53 PM

Hi,
I'd appreciate some help with this problem.

As you can see it's a fairly old machine which has been stable and trouble-free for years. I run AVG, AdAware, and Spybot weekly, usually with nothing more sinister than cookies appearing in the results. The only odd result I can recall was W32.Small.ddx in the most recent scans ( found by Spybot, I think ).

The current problem started a couple of days back when I was surprised to be taken to a different site when I clicked on a link in a list of results from a Google search ( as it happened, looking for reasons the computer was running slower than usual ).

Thanks for any ideas to resolve this,

John Williams.


Logfile of HijackThis v1.99.1
Scan saved at 2:22:37 pm, on 27/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bom.gov.au/products/IDN65092/IDN65092.94774.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Country Energy's CEinternet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxycc.turboweb.net.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: OzEmail - {EF1A71C0-2BE1-11D3-98C3-9E5B1FB41612} - http://www.ozemail.com.au/ (file missing) (HKCU)
O9 - Extra button: ANZWERS - {EF1A71C1-2BE1-11D3-98C3-9E5B1FB41612} - http://www.anzwers.com.au/ (file missing) (HKCU)
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npzzatif.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=http://www.ceinternet.com.au
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32.cab
O16 - DPF: {C97AF44D-92C4-11D3-A53B-005004678019} (McAfee Clinic Cleaner Control Class) - http://download.mcafee.com/molbin/Clinic/c...ore/clnctrl.cab
O16 - DPF: {41453CC4-288E-11D3-A53B-005004678019} (McAfee AppClean Appclean Class) - http://download.mcafee.com/molbin/Clinic/c...an/appclean.cab
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {06D5218D-079C-11D3-B2D1-00A0C98684AC} (McAfee Hardware Finder Control) - http://download.mcafee.com/molbin/clinic/hwf/mghwinfo.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/v...an/mgavinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {D30CAFF0-087B-11D3-82D8-006094695CEC} (McAfee PC Clinic FaManager Class) - http://download.mcafee.com/molbin/Clinic/F...eck/mgfactl.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {6BF52A52-394A-11D3-B153-00C04F79FAA6} (Windows Media Player) - http://activex.microsoft.com/activex/contr...en/nsmp2inf.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/OilChange/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignalevents.webex.com/client/v_my...bex/ieatgpc.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
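The HijackThis log above is a line-oriented format: each entry starts with a section code (R0, R1, O2, O4, O9, O16, ...), and the body carries a registry location, a CLSID, a command line or a download URL depending on the section. The following is an added example, not code from the thread or from the HijackThis authors, of a small parser plus a first-pass review that pulls out the items a helper normally looks at first: the proxy setting under Internet Settings (to confirm with the ISP rather than assume it is hostile), every autostart entry with the executable it launches, autostart entries that name a bare file rather than a full path (these resolve through the search path, so the reviewer has to locate the file by hand), and entries HijackThis itself marks "(file missing)". The sample lines are a subset copied from the log above; the function names and the review rules are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the HijackThis lines from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bom.gov.au/products/IDN65092/IDN65092.94774.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxycc.turboweb.net.au:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: OzEmail - {EF1A71C0-2BE1-11D3-98C3-9E5B1FB41612} - http://www.ozemail.com.au/ (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# "R0 - ..." / "O4 - ..." : section code, separator, body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# A COM class id in registry form: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: HKLM\..\Run: [value name] command line
AUTOSTART_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None


def parse_hjt(text: str) -> List[Entry]:
    """Turn the log text into Entry records; non-entry lines (header, process list) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body, clsid.group(0) if clsid else None))
    return entries


def first_token(cmd: str) -> str:
    """The executable part of an autostart command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review(entries: List[Entry]) -> Dict[str, list]:
    """First-pass review: proxy settings, autostarts, bare-filename autostarts, missing files."""
    report: Dict[str, list] = {"proxy": [], "autostart": [], "unqualified_autostart": [], "file_missing": []}
    for e in entries:
        if e.section == "R1" and ",ProxyServer =" in e.body:
            # Value after the first "=": the proxy string to confirm with the user's ISP.
            report["proxy"].append(e.body.split("=", 1)[1].strip())
        elif e.section == "O4":
            m = AUTOSTART_RE.match(e.body)
            if not m:
                continue
            exe = first_token(m.group("cmd"))
            report["autostart"].append((m.group("hive"), m.group("key"), m.group("name"), exe))
            if "\\" not in exe:
                # No directory given: the file is found via the search path, so locate it by hand.
                report["unqualified_autostart"].append(m.group("name"))
        if "(file missing)" in e.body:
            report["file_missing"].append(e.body)
    return report


if __name__ == "__main__":
    result = review(parse_hjt(SAMPLE_LOG))
    for key, items in result.items():
        print(key)
        for item in items:
            print("   ", item)
```

The review only surfaces items; it deliberately does not label anything malicious, because a proxy entry or a bare `SysTray.Exe` is as likely to be the ISP's configuration or a stock Windows 98 component as anything else, and the reviewer still has to check each file.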



#2 SifuMike

malware expert

Posted 31 October 2006 - 11:41 PM

Hello John,

You are using an ancient version: Internet Explorer v5.51 SP2 (5.51.4807.2300)
and are wide open to every malware on the Internet.

You need to upgrade to at least Internet Explorer v6.00 SP1 as soon as possible.
With this upgrade you get reinfected in a very short time.


Go here and run the online scan, allow it to delete whatever is found:

Panda ActiveScan

Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan
    (Note: It may take a couple of minutes, so be patient)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Note anything that can't be fixed.

Please post the contents of the Panda scan.

*********************

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the log.

Edited by SifuMike, 31 October 2006 - 11:59 PM.


#3 Mottto


Posted 01 November 2006 - 03:41 AM

Hi SifuMike,
Here is the Panda Activescan report.

John.

#4 Mottto


Posted 01 November 2006 - 03:44 AM

Oops, try again.



Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\22f10fxk.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\22f10fxk.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\22f10fxk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\22f10fxk.default\cookies.txt[.tribalfusion.com/]
Adware:adware/fastvideoplayer Not disinfected C:\WINDOWS\INF\fastvideoplayer.inf
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\TEMP\NoadwareBkupTemp\peter@ad.yieldmanager[2].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\TEMP\NoadwareBkupTemp\peter@c.enhance[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\TEMP\NoadwareBkupTemp\peter@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\peter@image.checkmystats.com[2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\peter@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Cookies\peter@tucows[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\peter@cgi-bin[3].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Cookies\peter@overture[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\WINDOWS\Cookies\peter@drivecleaner[1].txt
Spyware:Cookie/WUpd Not disinfected C:\WINDOWS\Cookies\peter@revenue[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\WINDOWS\Cookies\peter@www.drivecleaner[1].txt
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\peter@2o7[2].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Cookies\peter@perf.overture[1].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Cookies\peter@c.enhance[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\peter@searchportal.information[1].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Cookies\peter@c.enhance[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Cookies\peter@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\peter@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\Cookies\peter@fastclick[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\WINDOWS\Cookies\peter@statse.webtrendslive[2].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Cookies\peter@overture[3].txt
Spyware:Cookie/Clickbank Not disinfected C:\WINDOWS\Cookies\peter@clickbank[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Cookies\peter@serving-sys[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Cookies\peter@bs.serving-sys[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\WINDOWS\Cookies\peter@counter.hitslink[1].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Cookies\peter@tucows[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Cookies\peter@toplist[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\peter@atdmt[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@linkexchange[1].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@tucows(2).txt
Spyware:Cookie/Freestats Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@freestats[1].txt
Spyware:Cookie/Preferences Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@preferences.txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@go(1).txt
Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@linkexchange[2].txt
Spyware:Cookie/Preferences Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@preferences[2].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@tucows[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@ccbill[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@linkexchange[3].txt
Spyware:Cookie/Preferences Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@preferences[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC23-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC23-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC24-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC24-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC25-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC25-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC27-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC27-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Advertising Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC28-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC28-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/2o7 Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC29-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC29-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC2A-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC2A-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC2B-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC2B-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC2C-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC2C-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC2D-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC2D-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Weborama Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC2E-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC2E-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC2F-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC2F-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC31-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC31-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Yadro Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC32-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC32-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Atwola Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC33-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC33-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC34-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC34-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Belnk Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC35-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC35-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/Belnk Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC36-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC36-1E8E-11DB-98C7-0040F4CEF65B}.txt]
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC37-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC37-1E8E-11DB-98C7-0040F4CEF65B}.txt]
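Each line of the Panda ActiveScan report above has the shape `Category:Name Status Location`, and two details make it slightly awkward to parse: the status is more than one word ("Not disinfected") and a detection name can itself contain a space ("Cookie/Atlas DMT"), so a naive split on whitespace goes wrong. The following is an added example, not code from the thread or from Panda, of a parser that anchors on the status column, then sorts the findings the way a helper reads such a report: how many are tracking cookies, where each item lives (a browser cookie store, a cleanup tool's backup copy, or a real file), and which non-cookie items deserve follow-up. The sample lines are copied from the report above; the status values other than "Not disinfected" and the store classification rules are this example's own assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: a handful of lines copied from the Panda ActiveScan report posted above.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\22f10fxk.default\cookies.txt[.atwola.com/]
Adware:adware/fastvideoplayer Not disinfected C:\WINDOWS\INF\fastvideoplayer.inf
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\TEMP\NoadwareBkupTemp\peter@ad.yieldmanager[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\peter@doubleclick[1].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Profiles\Peter\Cookies\john@tucows(2).txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\peter@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{CE26CC0C-1E8E-11DB-98C7-0040F4CEF65B}\{CE26CC27-1E8E-11DB-98C7-0040F4CEF65B}.txt[{CE26CC27-1E8E-11DB-98C7-0040F4CEF65B}.txt]
"""

# The name is matched non-greedily and the status column is anchored on a fixed set of
# values, which is what lets a name with a space ("Cookie/Atlas DMT") parse correctly.
# "Not disinfected" is the only status on the page; "Disinfected" and "Deleted" are assumed.
LINE_RE = re.compile(
    r"^(?P<category>\w+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected|Deleted) (?P<location>.+)$"
)


class Incident(NamedTuple):
    category: str
    name: str
    status: str
    location: str


def parse_report(text: str) -> List[Incident]:
    """Parse the report body; the 'Incident Status Location' header and blank lines are skipped."""
    incidents = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            incidents.append(Incident(**m.groupdict()))
    return incidents


def is_cookie(inc: Incident) -> bool:
    return inc.name.lower().startswith("cookie/")


def store_kind(location: str) -> str:
    """Where the item lives (assumed classification rules, based on the paths in the report)."""
    loc = location.lower()
    if "cookies.txt[" in loc or "\\cookies\\" in loc:
        return "browser cookie store"       # Firefox cookies.txt or the IE Cookies folder
    if "\\undo\\" in loc or "bkuptemp" in loc:
        return "cleanup-tool backup copy"   # System Mechanic undo / NoAdware backup folders
    return "other file"


def triage(text: str) -> Dict[str, object]:
    """Summarise a report: how much is cookies, where items live, what needs a closer look."""
    incidents = parse_report(text)
    return {
        "total": len(incidents),
        "cookies": sum(1 for i in incidents if is_cookie(i)),
        "by_store": Counter(store_kind(i.location) for i in incidents),
        "follow_up": [(i.name, i.location) for i in incidents if not is_cookie(i)],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['cookies']} of {summary['total']} findings are tracking cookies")
    for kind, n in summary["by_store"].items():
        print(f"  {n:3d}  {kind}")
    for name, location in summary["follow_up"]:
        print("follow up:", name, "->", location)
```

On the full report this is the reading SifuMike gives in the next reply: almost everything is cookies, many of them copies sitting in a cleanup tool's undo folder rather than in a live browser profile, and the one entry that is an actual file on disk is the item worth looking at.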

#5 SifuMike

malware expert

Posted 01 November 2006 - 02:26 PM

hello Mottto,

Panda scan just found mainly cookies.

Be sure to run the BitDefender Online scan and post the log. It may find more malware. :thumbsup:

#6 Mottto


Posted 01 November 2006 - 06:16 PM

Hi SifuMike,
Here is the BitDefender Online Scan report. It took nine hours plus to run, probably because I hadn't fully disabled the antivirus application.

One other thing I should mention is that after my initial post I looked through the various threads in the HijackThis section and decided that I might have a "Wareout" problem, so I ran Fixwareout. I also attach its output file.

John.

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B56FEC4F0400-7C89-AD11-D8CC-0E33C93C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\duumd


Random Runs removed from HKLM
"csuzq.exe"=-
"dmuud.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be legitimate FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM\CSUZQ.EXE 51,803 2006-10-15
C:\WINDOWS\SYSTEM\DMUUD.EXE 61,022 1999-04-23

****************************************************


BitDefender Online Scanner

Scan report generated at: Thu, Nov 02, 2006 - 05:03:37

Scan path: A:\;C:\;D:\;Z:\;

Statistics
Time: 09:11:46
Files: 637352
Folders: 2830
Boot Sectors: 2
Archives: 93003
Packed Files: 76012

Results
Identified Viruses: 9
Infected Files: 15
Suspect Files: 0
Warnings: 0
Disinfected: 1
Deleted Files: 14

Engines Info
Virus Definitions: 479709
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>pension.exe
Infected with: Joke.Stupid.A

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>pension.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>pension.exe
Deleted

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip
Updated

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>XmasBonus.exe
Infected with: Trojan.Bonusjok.EXE

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>XmasBonus.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>XmasBonus.exe
Deleted

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip
Updated

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx=>(message 1330)
Updated

C:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx
Update failed

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>pension.exe
Infected with: Joke.Stupid.A

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>pension.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>pension.exe
Deleted

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip
Updated

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>XmasBonus.exe
Infected with: Trojan.Bonusjok.EXE

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>XmasBonus.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip=>XmasBonus.exe
Deleted

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)=>Xmas.zip
Updated

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)=>[Subject: [TradersGroup] Re: Andrews Regression ][Date: Thu, 17 Dec 1998 19:24:44 -0800]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx=>(message 7963)
Updated

C:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx
Update failed

C:\Program Files\Outlook Express\williaj\Inbox.dbx=>(message 1850)=>[Subject: [DGL] Quick DGL calculator][Date: Tue, 13 Sep 2005 22:23:49 EDT]=>(MIME part)=>QuickDGL.zip=>QuickDGL.exe
Infected with: Trojan.Muldrop.1923.H

C:\Program Files\Outlook Express\williaj\Inbox.dbx=>(message 1850)=>[Subject: [DGL] Quick DGL calculator][Date: Tue, 13 Sep 2005 22:23:49 EDT]=>(MIME part)=>QuickDGL.zip=>QuickDGL.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Inbox.dbx=>(message 1850)=>[Subject: [DGL] Quick DGL calculator][Date: Tue, 13 Sep 2005 22:23:49 EDT]=>(MIME part)=>QuickDGL.zip=>QuickDGL.exe
Deleted

C:\Program Files\Outlook Express\williaj\Inbox.dbx=>(message 1850)=>[Subject: [DGL] Quick DGL calculator][Date: Tue, 13 Sep 2005 22:23:49 EDT]=>(MIME part)=>QuickDGL.zip
Updated

C:\Program Files\Outlook Express\williaj\Inbox.dbx=>(message 1850)=>[Subject: [DGL] Quick DGL calculator][Date: Tue, 13 Sep 2005 22:23:49 EDT]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Inbox.dbx=>(message 1850)
Updated

C:\Program Files\Outlook Express\williaj\Inbox.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1370)=>[Subject: Pt III greatest treasure hunt][Date: Tue, 28 Aug 2001 13:19:55 -0500]=>(MIME part)=>Pt III greatest treasure hunt.doc.bat
Infected with: I-Worm.Sircam.A

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1370)=>[Subject: Pt III greatest treasure hunt][Date: Tue, 28 Aug 2001 13:19:55 -0500]=>(MIME part)=>Pt III greatest treasure hunt.doc.bat
Deleted

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1370)=>[Subject: Pt III greatest treasure hunt][Date: Tue, 28 Aug 2001 13:19:55 -0500]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1370)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1391)=>[Subject: Returned mail: User unknown][Date: Tue, 28 Aug 2001 23:54:34 -0400 (EDT)]=>(MIME part)=>(message)=>[Subject: botfish][Date: Wed, 29 Aug 2001 13:55:30 +1000]=>(MIME part)=>botfish.zip.bat
Infected with: I-Worm.Sircam.A

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1391)=>[Subject: Returned mail: User unknown][Date: Tue, 28 Aug 2001 23:54:34 -0400 (EDT)]=>(MIME part)=>(message)=>[Subject: botfish][Date: Wed, 29 Aug 2001 13:55:30 +1000]=>(MIME part)=>botfish.zip.bat
Deleted

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1391)=>[Subject: Returned mail: User unknown][Date: Tue, 28 Aug 2001 23:54:34 -0400 (EDT)]=>(MIME part)=>(message)=>[Subject: botfish][Date: Wed, 29 Aug 2001 13:55:30 +1000]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1391)=>[Subject: Returned mail: User unknown][Date: Tue, 28 Aug 2001 23:54:34 -0400 (EDT)]=>(MIME part)=>(message)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1391)=>[Subject: Returned mail: User unknown][Date: Tue, 28 Aug 2001 23:54:34 -0400 (EDT)]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1391)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1392)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:36:28 +1000]=>(MIME part)=>(message)=>[Subject: ccastles][Date: Wed, 29 Aug 2001 13:37:13 +1000]=>(MIME part)=>ccastles.zip.pif
Infected with: I-Worm.Sircam.A

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1392)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:36:28 +1000]=>(MIME part)=>(message)=>[Subject: ccastles][Date: Wed, 29 Aug 2001 13:37:13 +1000]=>(MIME part)=>ccastles.zip.pif
Deleted

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1392)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:36:28 +1000]=>(MIME part)=>(message)=>[Subject: ccastles][Date: Wed, 29 Aug 2001 13:37:13 +1000]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1392)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:36:28 +1000]=>(MIME part)=>(message)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1392)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:36:28 +1000]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1392)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1393)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:23:03 +1000]=>(MIME part)=>(message)=>[Subject: ccastles][Date: Wed, 29 Aug 2001 13:24:20 +1000]=>(MIME part)=>ccastles.zip.pif
Infected with: I-Worm.Sircam.A

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1393)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:23:03 +1000]=>(MIME part)=>(message)=>[Subject: ccastles][Date: Wed, 29 Aug 2001 13:24:20 +1000]=>(MIME part)=>ccastles.zip.pif
Deleted

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1393)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:23:03 +1000]=>(MIME part)=>(message)=>[Subject: ccastles][Date: Wed, 29 Aug 2001 13:24:20 +1000]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1393)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:23:03 +1000]=>(MIME part)=>(message)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1393)=>[Subject: Mail System Error - Returned Mail][Date: Wed, 29 Aug 2001 13:23:03 +1000]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1393)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1397)=>[Subject: investigacion][Date: Tue, 28 Aug 2001 09:46:11 -0500]=>(MIME part)=>investigacion.doc.pif
Infected with: I-Worm.Sircam.A

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1397)=>[Subject: investigacion][Date: Tue, 28 Aug 2001 09:46:11 -0500]=>(MIME part)=>investigacion.doc.pif
Deleted

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1397)=>[Subject: investigacion][Date: Tue, 28 Aug 2001 09:46:11 -0500]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx=>(message 1397)
Updated

C:\Program Files\Outlook Express\williaj\Prospecting.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1163)=>[Subject: Rechnung ][Date: Wed, 27 Sep 2006 16:50:53 +0200]=>(MIME part)=>Rechnung.zip=>Rechnung.exe
Infected with: Trojan.Clicker.AU

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1163)=>[Subject: Rechnung ][Date: Wed, 27 Sep 2006 16:50:53 +0200]=>(MIME part)=>Rechnung.zip=>Rechnung.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1163)=>[Subject: Rechnung ][Date: Wed, 27 Sep 2006 16:50:53 +0200]=>(MIME part)=>Rechnung.zip=>Rechnung.exe
Deleted

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1163)=>[Subject: Rechnung ][Date: Wed, 27 Sep 2006 16:50:53 +0200]=>(MIME part)=>Rechnung.zip
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1163)=>[Subject: Rechnung ][Date: Wed, 27 Sep 2006 16:50:53 +0200]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1163)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1533)=>[Subject: Firma sucht Mitarbeiter!][Date: Wed, 20 Sep 2006 05:21:14 -0300]=>(MIME part)=>WC9921564.zip=>WC9921564.exe
Infected with: Trojan.Spy.Goldun.FY

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1533)=>[Subject: Firma sucht Mitarbeiter!][Date: Wed, 20 Sep 2006 05:21:14 -0300]=>(MIME part)=>WC9921564.zip=>WC9921564.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1533)=>[Subject: Firma sucht Mitarbeiter!][Date: Wed, 20 Sep 2006 05:21:14 -0300]=>(MIME part)=>WC9921564.zip=>WC9921564.exe
Deleted

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1533)=>[Subject: Firma sucht Mitarbeiter!][Date: Wed, 20 Sep 2006 05:21:14 -0300]=>(MIME part)=>WC9921564.zip
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1533)=>[Subject: Firma sucht Mitarbeiter!][Date: Wed, 20 Sep 2006 05:21:14 -0300]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 1533)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 2646)=>[Subject: Re: it I Michael :thumbsup:][Date: Wed, 30 Aug 2006 07:30:48 +0200]=>(MIME part)=>Kodac dc 009.JPG.zip=>Kodac dc 009.JPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..exe
Infected with: Trojan.Gobrena.V

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 2646)=>[Subject: Re: it I Michael :flowers:][Date: Wed, 30 Aug 2006 07:30:48 +0200]=>(MIME part)=>Kodac dc 009.JPG.zip=>Kodac dc 009.JPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..exe
Deleted

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 2646)=>[Subject: Re: it I Michael :huh:][Date: Wed, 30 Aug 2006 07:30:48 +0200]=>(MIME part)=>Kodac dc 009.JPG.zip
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 2646)=>[Subject: Re: it I Michael :huh:][Date: Wed, 30 Aug 2006 07:30:48 +0200]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 2646)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 5444)=>[Subject: eBay International AG Rechnung vom 29.][Date: Thu, 29 Jun 2006 16:48:33 -0200]=>(MIME part)=>Ebay-Rechnung.pdf.zip=>Ebay-Rechnung.pdf.exe
Infected with: Trojan.Clagger.C

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 5444)=>[Subject: eBay International AG Rechnung vom 29.][Date: Thu, 29 Jun 2006 16:48:33 -0200]=>(MIME part)=>Ebay-Rechnung.pdf.zip=>Ebay-Rechnung.pdf.exe
Disinfection failed

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 5444)=>[Subject: eBay International AG Rechnung vom 29.][Date: Thu, 29 Jun 2006 16:48:33 -0200]=>(MIME part)=>Ebay-Rechnung.pdf.zip=>Ebay-Rechnung.pdf.exe
Deleted

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 5444)=>[Subject: eBay International AG Rechnung vom 29.][Date: Thu, 29 Jun 2006 16:48:33 -0200]=>(MIME part)=>Ebay-Rechnung.pdf.zip
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 5444)=>[Subject: eBay International AG Rechnung vom 29.][Date: Thu, 29 Jun 2006 16:48:33 -0200]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx=>(message 5444)
Updated

C:\Program Files\Outlook Express\williaj\Deleted Items.dbx
Update failed

C:\Program Files\Outlook Express\williaj\Windsurfing.dbx=>(message 329)=>[Subject: the novel][Date: Tue, 5 Dec 2000 21:45:58 +1100]=>(MIME part)=>stasis.doc
Infected with: W97M.Marker.C

C:\Program Files\Outlook Express\williaj\Windsurfing.dbx=>(message 329)=>[Subject: the novel][Date: Tue, 5 Dec 2000 21:45:58 +1100]=>(MIME part)=>stasis.doc
Disinfected

C:\Program Files\Outlook Express\williaj\Windsurfing.dbx=>(message 329)=>[Subject: the novel][Date: Tue, 5 Dec 2000 21:45:58 +1100]=>(MIME part)
Updated

C:\Program Files\Outlook Express\williaj\Windsurfing.dbx=>(message 329)
Updated

C:\Program Files\Outlook Express\williaj\Windsurfing.dbx
Update failed

#7 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 November 2006 - 06:40 PM

Hi Mottto,


after my initial post I looked through the various threads in the HiJackThis section and decided that I might have a "Wareout" problem, so I ran Fixware. I also attach its output file.


I do not think you have Wareout. I could have seen the symptoms in your log if you had it.

It looks like Panda and BitDefender virus scanners do not find the W32.Small.ddx malware. :thumbsup:

I did some research and found that Kaspersky will find W32.Small.ddx (if you still have it) :flowers:

You should disable your antivirus application before running it.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Then post the results from the Kaspersky scan.

Note that Kaspersky does not remove the viruses, it only lists them.

Edited by SifuMike, 01 November 2006 - 06:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 November 2006 - 06:44 PM

You have a suspicious file we need to check. :thumbsup:

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner copy and paste C:\WINDOWS\SYSTEM\CSUZQ.EXE to the upload and scan it.

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)



#9 Mottto

  • Topic Starter
  • Members
  • 10 posts

Posted 02 November 2006 - 02:40 AM

Hi SifuMike,
Here is the Kaspersky output:

KASPERSKY ONLINE SCANNER REPORT
Thursday, November 02, 2006 6:14:32 PM
Operating System: Microsoft Windows 98 SE
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/11/2006
Kaspersky Anti-Virus database records: 237288


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
a:\
c:\
d:\
z:\

Scan Statistics
Total number of scanned objects: 89510
Number of viruses found: 4
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:29:12

Infected Object Name | Virus Name | Last Action
c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped
c:\WINDOWS\History\History.IE5\MSHist012006110220061103\index.dat Object is locked skipped
c:\WINDOWS\Cookies\index.dat Object is locked skipped
c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
c:\WINDOWS\Downloaded Program Files\ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx skipped
c:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
c:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
c:\WINDOWS\WIN386.SWP Object is locked skipped
c:\WINDOWS\SchedLog.Txt Object is locked skipped
c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip/pension.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx Mail MS Internet Mail: infected - 3 skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip/pension.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx Mail MS Internet Mail: infected - 3 skipped
c:\Program Files\Outlook Express\williaj\Folders.dbx Object is locked skipped
c:\Program Files\Outlook Express\williaj\Inbox.dbx Object is locked skipped
c:\Program Files\Outlook Express\williaj\Offline.dbx Object is locked skipped
c:\Program Files\Outlook Express\williaj\cleanup.log Object is locked skipped
c:\Program Files\Outlook Express\williaj\Prospecting.dbx/[From =?ISO-8859-1?Q?A=2EK=2E=20Williams?= ][Date Tue, 28 Aug 2001 13:19:55 -0500]/UNNAMED/Pt Infected: Email-Worm.Win32.Sircam.c skipped
c:\Program Files\Outlook Express\williaj\Prospecting.dbx/[From =?ISO-8859-1?Q?A=2EK=2E=20Williams?= ][Date Tue, 28 Aug 2001 13:19:55 -0500]/UNNAMED Infected: Email-Worm.Win32.Sircam.c skipped
c:\Program Files\Outlook Express\williaj\Prospecting.dbx Mail MS Outlook 5: infected - 2 skipped
c:\Program Files\Outlook Express\williaj\Pop3uidl.dbx Object is locked skipped
c:\Program Files\Outlook Express\williaj\Windsurfing.dbx/[From "NikkiNik" ][Date Tue, 5 Dec 2000 21:45:58 +1100]/UNNAMED/stasis.doc Infected: Virus.MSWord.Marker.fq2 skipped
c:\Program Files\Outlook Express\williaj\Windsurfing.dbx/[From "NikkiNik" ][Date Tue, 5 Dec 2000 21:45:58 +1100]/UNNAMED Infected: Virus.MSWord.Marker.fq2 skipped
c:\Program Files\Outlook Express\williaj\Windsurfing.dbx Mail MS Outlook 5: infected - 2 skipped
c:\Program Files\Sygate\SPF\debug.log Object is locked skipped
c:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
c:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
c:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
c:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped

Scan process completed.

*******************************************************
When I tried to run the Jotti Online File Scanner it said I was trying to upload a file with zero bytes in it. "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".
When I had a look for C:\WINDOWS\SYSTEM\CSUZQ.EXE using Windows Explorer I could see no sign of it, although it was set to show all hidden files.

Wasn't it one of the files mentioned in the Fixware report ?

John.
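The Kaspersky report above is posted hard-wrapped, so one entry's path and verdict can be spread over three or four lines, and the scanner writes nested objects as container/member/... with a per-mailbox summary line at the end. The parser below is an added example, not from this thread: it re-joins wrapped entries, classifies each as locked, infected or mail-base summary, and checks each mailbox's summary count against the individual entries. The sample report is a constructed excerpt of the entries posted above, kept wrapped exactly as the forum shows them.

```python
import re
from collections import Counter

# Constructed excerpt of the Kaspersky report in this thread, hard-wrapped
# exactly as the forum post shows it.
SAMPLE_REPORT = r"""
c:\WINDOWS\Cookies\index.dat Object is locked skipped

c:\WINDOWS\Downloaded Program Files\ieatgpc.dll Infected:
not-a-virus:AdWare.Win32.WebEx skipped

c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom
Cruckshank ][Date Thu, 17 Dec 1998 19:24:44
-0800]/UNNAMED/Xmas.zip/pension.exe Infected:
not-virus:BadJoke.Win16.Stupid.a skipped

c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom
Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip
Infected: not-virus:BadJoke.Win16.Stupid.a skipped

c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom
Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED Infected:
not-virus:BadJoke.Win16.Stupid.a skipped

c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx Mail MS Internet
Mail: infected - 3 skipped
"""

# Every entry starts with a drive letter; any other non-blank line is a wrapped tail.
NEW_RECORD = re.compile(r"^[A-Za-z]:\\")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
MAILBASE = re.compile(r"^(?P<path>.+?) Mail (?P<fmt>.+?): infected - (?P<n>\d+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def unwrap(text: str) -> list:
    """Re-join entries that the forum split across lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if NEW_RECORD.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_report(text: str) -> list:
    """Turn the report into dicts of path / kind / detail."""
    findings = []
    for rec in unwrap(text):
        if m := INFECTED.match(rec):
            findings.append({"path": m["path"], "kind": "infected", "detail": m["name"]})
        elif m := MAILBASE.match(rec):
            findings.append({"path": m["path"], "kind": "mailbase", "detail": int(m["n"])})
        elif m := LOCKED.match(rec):
            findings.append({"path": m["path"], "kind": "locked", "detail": None})
        else:
            findings.append({"path": rec, "kind": "unparsed", "detail": None})
    return findings


def on_disk_file(path: str) -> str:
    # Only the part before the first "/" is a file that exists on disk.
    return path.split("/", 1)[0]


def infections_per_file(findings: list) -> dict:
    """Count infected inner objects per on-disk container (mailbox, DLL, ...)."""
    return dict(Counter(on_disk_file(f["path"]) for f in findings if f["kind"] == "infected"))


def summary_matches(findings: list) -> dict:
    """For each mail-base summary line, does its count agree with the entries?"""
    per_file = infections_per_file(findings)
    return {f["path"]: per_file.get(f["path"], 0) == f["detail"]
            for f in findings if f["kind"] == "mailbase"}
```

Run on the full report posted above, infections_per_file gives the list of mail stores a helper would ask the poster to clean, and a False in summary_matches means an entry was lost in the copy-and-paste.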

#10 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 November 2006 - 12:59 PM

Hi Mottto,

Kaspersky did not find W32.Small.ddx, so we can say it is gone. :thumbsup:

You can delete the following from your Outlook Express:

c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip/pension.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Inbox.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip/pension.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED/Xmas.zip Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Mail\Deleted Items.mbx/[From Tom Cruckshank ][Date Thu, 17 Dec 1998 19:24:44 -0800]/UNNAMED Infected: not-virus:BadJoke.Win16.Stupid.a skipped
c:\Program Files\Outlook Express\williaj\Prospecting.dbx/[From =?ISO-8859-1?Q?A=2EK=2E=20Williams?= ][Date Tue, 28 Aug 2001 13:19:55 -0500]/UNNAMED/Pt Infected: Email-Worm.Win32.Sircam.c skipped
c:\Program Files\Outlook Express\williaj\Prospecting.dbx/[From =?ISO-8859-1?Q?A=2EK=2E=20Williams?= ][Date Tue, 28 Aug 2001 13:19:55 -0500]/UNNAMED Infected: Email-Worm.Win32.Sircam.c skipped
c:\Program Files\Outlook Express\williaj\Windsurfing.dbx/[From "NikkiNik" ][Date Tue, 5 Dec 2000 21:45:58 +1100]/UNNAMED/stasis.doc Infected: Virus.MSWord.Marker.fq2 skipped
c:\Program Files\Outlook Express\williaj\Windsurfing.dbx/[From "NikkiNik" ][Date Tue, 5 Dec 2000 21:45:58 +1100]/UNNAMED Infected: Virus.MSWord.Marker.fq2 skipped

When I had a look for C:\WINDOWS\SYSTEM\CSUZQ.EXE using Windows Explorer I could see no sign of it, although it was set to show all hidden files.
Wasn't it one of the files mentioned in the Fixware report ?


Yes, it was mentioned and it said it was removed from the registry. The file may have been removed also.
The name of the file is weird so I wanted to check with Jotti.

If you can find CSUZQ.EXE, let's play safe and rename CSUZQ.EXE to New_CSUZQ.EXE. Then you can always go back and change the name back if you are having problems. If you can't find it, that is OK.


How is your computer running?

#11 Mottto

  • Topic Starter
  • Members
  • 10 posts

Posted 03 November 2006 - 02:42 AM

Hi SifuMike,
Will delete those infected emails.

As far as I can tell everything is back to "normal". I haven't had any redirection problems at all ( though I haven't been using this machine for purposes other than working with you all that much ), even when retrying the same search/links where I first noted the problem.

After I've deleted the emails I'll give it a thorough workout and get back to you.

John.

#12 Mottto

  • Topic Starter
  • Members
  • 10 posts

Posted 04 November 2006 - 09:59 PM

Hi SifuMike,
I've given the machine a pretty good workout and everything seems fine.
I think you have sorted the problem(s).
Apart from getting rid of the misdirection problem, the machine is overall quicker, and "cleaner" in the way it runs.

I'll upgrade to IE6.

One final question. Should I do anything about those "016" entries in the initial HJT report that refer to McAfee products ? I haven't used any McAfee products on this machine for some time. It looks as though the removal processes I used mustn't have worked 100%.

John.

#13 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 November 2006 - 10:14 PM

Hi John,

I'll upgrade to IE6.

That upgrade to IE6 is a must. Without it you will get infected in a very short time.

One final question. Should I do anything about those "016" entries in the initial HJT report that refer to McAfee products ? I haven't used any McAfee products on this machine for some time. It looks as though the removal processes I used mustn't have worked 100%.


Since you are not using McAfee, "fix" all the O16's with McAfee in them.

Please read and follow
How did I get infected?, With steps so it does not happen again!

#14 Mottto

  • Topic Starter
  • Members
  • 10 posts

Posted 06 November 2006 - 07:37 PM

Hi SifuMike,
Looks to me as though we are now finished with sorting out my problem.

I've read the link in your last post and have implemented the necessary protections.

Thanks very much for your guidance.

Regards,
John.

#15 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 November 2006 - 07:50 PM

Hi John,

That's good to hear, and you are very welcome for the help.
I hope your computer continues to run smoothly for you. :thumbsup:

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.