Browser redirect woes using IE 7.0 and Firefox

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

3 Pages

1 2 3 >

Browser redirect woes using IE 7.0 and Firefox, Machine also had reboot problems

Options

tvhevh View Member Profile	Aug 31 2008, 05:49 PM Post #1
Authentic Member Group: Authentic Member Posts: 113 Joined: 16-March 05 From: Black Jack, MO Member No.: 27,940 Operating System: The computer I'm worrying about used to run Windows ME with 256 MB RAM, now it's running XP Home and 768 MB.	All: This apparently isn't my month for PC peace and tranquiliity. I spent a week getting the machine I'm using now happy while trying to update from Win2K Pro to XP Pro. That's done now, and the machine seems to be working fine, although I lost all my browser favorites/bookmarks and email address bok in the process. My other machine is a Dell Dimension 2100, and runs XP Home SP2. I decided to install SP3 on it, and upgrade my browser to Firefox 3.0. I did the browser upgrade with no trouble, then went ahead and tried to install SP3 through Windows Update--it informed me that it was available for download and installation. As far as I know, it was the automatic update notice that's part of XP. I tried to download and install, and it wouldn't. Since then, the machine has really slowed up, and won't reboot unless I fully power it down. When I use either browser (IE 7.0 or Firefox 3.0), I don't always go to the URL I put on the browser's command line. I For example, it won't go to Microsoft's support web page, or to What the Tech, for that matter, and when I do a search and select a website based on that search, I get redirected to another web page with additional selections not even remotely related to what I'm looking for. I've done a HJT scan, and here's the results. I'm also running an AVG virus scan at the moment. Thanks in advance--Tom vonHatten Logfile of HijackThis v1.99.1 Scan saved at 5:07:54 PM, on 8/31/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\PSIService.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\program files\quicktime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Documents and Settings\All Users\Desktop\System Integrity\hijackthis\HijackThis.exe C:\WINDOWS\system32\svchost.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: POWERR~1.EXE O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\All Users\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International* O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\procreate Painter Classic\Help\wwhelp2.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Tomk View Member Profile	Sep 1 2008, 10:12 AM Post #2
Extrication Intern Group: Malware Team Posts: 3,286 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	Hi tvhevh, My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following: I will be working on your Malware issues, this may or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for the issues on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. This doesn't sound like a malware problem but lets take a look. Please download ATF Cleaner by Atribune. Download - ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. (If you use FireFox or the Opera browser To keep saved passwords, click No at the prompt.) It's normal after running ATF cleaner that the PC will be slower to boot the first time or two. Then Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location and post the results. Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it). Also "copy/paste" a new HijackThis log file into this thread. Also please describe how your computer behaves at the moment.

tvhevh View Member Profile	Sep 1 2008, 05:44 PM Post #3
Authentic Member Group: Authentic Member Posts: 113 Joined: 16-March 05 From: Black Jack, MO Member No.: 27,940 Operating System: The computer I'm worrying about used to run Windows ME with 256 MB RAM, now it's running XP Home and 768 MB.	Tomk: Did as you instructed. After using Anti-Malware, I rebooted. The PC wouldn't get past the "Windows is shutting down" screen, so I manually shut it down and restarted after 5 minutes of waiting. Reboot seemed to go OK. Tried to get to this website on that machine using Firefox---no problems. Here's the Anti-Malware log: Malwarebytes' Anti-Malware 1.25 Database version: 1103 Windows 5.1.2600 Service Pack 2 6:21:20 PM 9/1/2008 mbam-log-09-01-2008 (18-21-20).txt Scan type: Quick Scan Objects scanned: 54390 Time elapsed: 6 minute(s), 12 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 16 Registry Values Infected: 1 Registry Data Items Infected: 1 Folders Infected: 1 Files Infected: 18 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\Words (Adware.Rond) -> Quarantined and deleted successfully. Files Infected: C:\Program Files\Words\unins000.dat (Adware.Rond) -> Quarantined and deleted successfully. C:\Program Files\Words\unins000.exe (Adware.Rond) -> Quarantined and deleted successfully. C:\Program Files\Words\words.exe (Adware.Rond) -> Quarantined and deleted successfully. C:\Program Files\Words\readme.txt (Adware.Rond) -> Quarantined and deleted successfully. C:\Program Files\Words\license.txt (Adware.Rond) -> Quarantined and deleted successfully. C:\Program Files\Words\dictionary.dic (Adware.Rond) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdssserf.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Grace vonHatten\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Grace vonHatten\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. And here's the HJT log. The scan for this was performed after the reboot: Logfile of HijackThis v1.99.1 Scan saved at 6:30:19 PM, on 9/1/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\program files\quicktime\QTTask.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\PSIService.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Documents and Settings\All Users\Desktop\System Integrity\hijackthis\HijackThis.exe C:\WINDOWS\system32\dwwin.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: POWERR~1.EXE O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\All Users\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International* O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\procreate Painter Classic\Help\wwhelp2.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe --TvH

Tomk View Member Profile	Sep 1 2008, 06:40 PM Post #4
Extrication Intern Group: Malware Team Posts: 3,286 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	tvhevh, Well you were so right. There were some real nasties hiding in there. Please either print out these instructions for reference or copy/paste them in notepad and save to your desktop for access when in safe mode Make all files and folders visible Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Clear "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Clear "Hide protected operating system files." Click Apply, and then click OK. We must disable certain protection programs that may interfere with our fix: AVG Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: ) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting. When you need to enable the AVG Resident Shield, ( I will let you know when) just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting. SPYBOT TEATIMER Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected. On the left hand side, click on Tools, then click on the Resident Icon in the list. Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. Click on the "System Startup" icon in the List Uncheck the "TeaTimer" box and "OK" any prompts. If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted. Exit Spybot S&D when done. (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.] Please open HijackThis and run Do a system scan only Check the boxes next to ONLY the entries listed below(if present): O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\All Users\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing) O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab Close all programs except for HijackThis. Click on Fix checked A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. We Now Need To Boot Into Safemode Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc (BOOT SCREEEN). At this point you should gently tap the F8 key repeatedly until you are presented with a Options menu. Select the option for Safe Mode using the arrow keys. Then press enter on your keyboard to boot into Safe Mode. Using Windows Explorer (Windows Key + E), locate the following folder and DELETE it: C:\PROGRAM FILES\COMMON FILES\System\MOSearch <--This folder Restart your computer normally. Now lets double check that we didn't miss anything. Please go to Kaspersky website and perform an online antivirus scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply along with a new HijackThis log.

tvhevh View Member Profile	Sep 2 2008, 10:45 PM Post #5
Authentic Member Group: Authentic Member Posts: 113 Joined: 16-March 05 From: Black Jack, MO Member No.: 27,940 Operating System: The computer I'm worrying about used to run Windows ME with 256 MB RAM, now it's running XP Home and 768 MB.	Tomk: Ran the Kaspersky Online Scan. Here's the log: KASPERSKY ONLINE SCANNER 7 REPORT Tuesday, September 2, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Tuesday, September 02, 2008 21:26:26 Records in database: 1183068 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ Scan statistics: Files scanned: 110881 Threat name: 4 Infected objects: 54 Suspicious objects: 0 Duration of the scan: 04:45:28 File name / Threat name / Threats count C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BFVA3RKM\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BFVA3RKM\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BFVA3RKM\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XQ0TJF0E\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4Z8WS6B\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4Z8WS6B\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4Z8WS6B\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4Z8WS6B\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4Z8WS6B\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\USXYXH2M\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZI76QMIN\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZI76QMIN\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZI76QMIN\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZI76QMIN\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZI76QMIN\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\All Users\Desktop\System Integrity\hijackthis\backups\backup-20070929-172951-970.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1 C:\Documents and Settings\All Users\Desktop\System Integrity\hijackthis\backups\backup-20070929-172951-720.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1 C:\Documents and Settings\All Users\Desktop\System Integrity\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\079B9C83d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\C53B1B2Ed01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\0322E347d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\87F9F60Cd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\4B0A6AF3d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\5955DE06d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\D99AB9A0d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\7D51B731d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\2B070878d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\7E6C5E8Ad01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\71942A7Fd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\73F7FAF5d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\58DEC9B2d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\D99BB3C7d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Rose vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gijy9efi.default\Cache\E34F0ABFd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\C88B927Dd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\6FF635C3d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\66952FF2d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\9A0EE49Fd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\283AEB5Fd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\7D94ADDEd01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\936BDCC2d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 C:\Documents and Settings\Grace vonHatten\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdb4440b.default\Cache\936BDCC7d01 Infected: Trojan-Downloader.JS.Agent.cnn 1 The selected area was scanned. And here's the HJT log: Logfile of HijackThis v1.99.1 Scan saved at 11:40:39 PM, on 9/2/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\program files\quicktime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\PSIService.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\WINDOWS\system32\svchost.exe C:\Documents and Settings\All Users\Desktop\System Integrity\hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: POWERR~1.EXE O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International* O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\procreate Painter Classic\Help\wwhelp2.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe --TvH

Tomk View Member Profile	Sep 2 2008, 11:22 PM Post #6
Extrication Intern Group: Malware Team Posts: 3,286 Joined: 27-December 07 From