WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
PC 'Jacked and Nearly Inoperable
Started by
monza
, Dec 02 2005 04:20 PM
-
This topic is locked
41 replies to this topic
#31
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 03 January 2006 - 02:48 PM
Register to Remove
#32
ken545
-
- Retired Classroom Teacher
-
- 23,225 posts
Forum God
- Interests:Fighting Malware and cooking some great Italian and TexMex food
-
Posted 03 January 2006 - 06:46 PM
monza,
Let me tell ya, I have been working logs at TC for over a year and your log is the most mysterious one that I have ever worked.
I would like you to run a few online virus scanners, have them set to Auto-Clean if there is an option, I know Panda will let you save a log file, do so and paste it into this thread along with anything the other scanners found and could not clean. When done, also post a new HJt log.
Free Online Virus Scans
Panda Active Scan
Trendmicro Housecall
BitDefender Online Scan
Let me tell ya, I have been working logs at TC for over a year and your log is the most mysterious one that I have ever worked.
I would like you to run a few online virus scanners, have them set to Auto-Clean if there is an option, I know Panda will let you save a log file, do so and paste it into this thread along with anything the other scanners found and could not clean. When done, also post a new HJt log.
Free Online Virus Scans
Panda Active Scan
Trendmicro Housecall
BitDefender Online Scan
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Find us on Facebook
Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.
#33
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 04 January 2006 - 12:46 PM
I ran all three online scanners. Here are the results.
Panda Activescan:
Incident Status Location
Spyware:spyware/smitfraud Not disinfected C:\WINDOWS\SYSTEM32\wp.bmp
Adware:adware/ilookup Not disinfected C:\WINDOWS\SYSTEM32\xbox_round1.bmp
Adware:adware/popuper Not disinfected C:\Documents and Settings\Larry Hathcock\Favorites\Buy Viagra Online.url
Adware:adware/cws Not disinfected C:\Documents and Settings\Larry Hathcock\Favorites\Online Poker.url
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Adware:adware/beginto Not disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg4
Adware:adware/elitebar Not disinfected C:\Documents and Settings\Larry Hathcock\Favorites\Casino & Carrers
Spyware:spyware/betterinet Not disinfected Windows Registry
Housecall:
Scanning and Cleaning Complete
HouseCall did not find any potential threats on your computer. Make sure you run HouseCall once a week to keep your PC clean and malware free.
Don’t want to be bothered to run HouseCall every week? Get active security protection, with PC-cillin Internet Security 2006.
PC-cillin ™ Internet Security combines antivirus security with personal firewall protection to block all types of viruses, worms, Trojans, and hackers . It also identifies and removes spyware, blocks spam, and guards against phishing and pharming attacks. Plus, it protects your wireless network by alerting you when an intruder uses your Wi-Fi connection. Try it free for 30-days.
Download PC-cillin Internet Security today!
Panda Activescan:
Incident Status Location
Spyware:spyware/smitfraud Not disinfected C:\WINDOWS\SYSTEM32\wp.bmp
Adware:adware/ilookup Not disinfected C:\WINDOWS\SYSTEM32\xbox_round1.bmp
Adware:adware/popuper Not disinfected C:\Documents and Settings\Larry Hathcock\Favorites\Buy Viagra Online.url
Adware:adware/cws Not disinfected C:\Documents and Settings\Larry Hathcock\Favorites\Online Poker.url
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Adware:adware/beginto Not disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg4
Adware:adware/elitebar Not disinfected C:\Documents and Settings\Larry Hathcock\Favorites\Casino & Carrers
Spyware:spyware/betterinet Not disinfected Windows Registry
Housecall:
Scanning and Cleaning Complete
HouseCall did not find any potential threats on your computer. Make sure you run HouseCall once a week to keep your PC clean and malware free.
Don’t want to be bothered to run HouseCall every week? Get active security protection, with PC-cillin Internet Security 2006.
PC-cillin ™ Internet Security combines antivirus security with personal firewall protection to block all types of viruses, worms, Trojans, and hackers . It also identifies and removes spyware, blocks spam, and guards against phishing and pharming attacks. Plus, it protects your wireless network by alerting you when an intruder uses your Wi-Fi connection. Try it free for 30-days.
Download PC-cillin Internet Security today!
#34
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 04 January 2006 - 12:53 PM
the bitdefender log
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN=>(Quarantine-PE)
Infected with: BehavesLike:Trojan.WUDisable
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180001.VBN=>(Quarantine-PE)
Infected with: BehavesLike:Trojan.WUDisable
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180001.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180014.VBN=>(Quarantine-PE)
Infected with: Trojan.Muldrop.2548.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180014.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180014.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180015.VBN=>(Quarantine-PE)
Infected with: Trojan.Muldrop.2548.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180015.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180015.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00001.VBN=>(Quarantine-PE)
Infected with: Trojan.EliteBar.C
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00002.VBN=>(Quarantine-PE)
Detected with: Adware.ToolBar.EliteBar.AU
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00002.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00002.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00005.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00005.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00005.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600001.VBN=>(Quarantine-PE)
Infected with: Trojan.EliteBar.C
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600002.VBN=>(Quarantine-PE)
Infected with: Trojan.Agent.FL
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600002.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600002.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00000.VBN=>(Quarantine-PE)
Infected with: Trojan.Agent.AY
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN=>(Quarantine-PE)
Infected with: BehavesLike:Trojan.WUDisable
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN=>(Quarantine-PE)
Infected with: Trojan.Pokapoka62.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00006.VBN=>(Quarantine-PE)
Infected with: Dropped:Trojan.Downloader.Small.ABD
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00006.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00006.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00007.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00007.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00007.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00008.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00008.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00008.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00009.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00009.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00009.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000A.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000A.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000A.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000B.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000B.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000B.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000C.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000C.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000C.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000D.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000D.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000D.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000E.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000E.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000E.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000F.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000F.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000F.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00010.VBN=>(Quarantine-PE)
Infected with: Backdoor.Lamebot.A
eidted by illukka:
i replaced the HTML of BD's report with text, and deleted the unnecessary post with HTML.
when saving BD reports, dont do "save" or "save as", because it will save a html file. instead copy the text, then paste it into notepad
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN=>(Quarantine-PE)
Infected with: BehavesLike:Trojan.WUDisable
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180001.VBN=>(Quarantine-PE)
Infected with: BehavesLike:Trojan.WUDisable
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180001.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180014.VBN=>(Quarantine-PE)
Infected with: Trojan.Muldrop.2548.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180014.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180014.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180015.VBN=>(Quarantine-PE)
Infected with: Trojan.Muldrop.2548.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180015.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01180015.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00001.VBN=>(Quarantine-PE)
Infected with: Trojan.EliteBar.C
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00002.VBN=>(Quarantine-PE)
Detected with: Adware.ToolBar.EliteBar.AU
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00002.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00002.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00005.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00005.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00005.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600001.VBN=>(Quarantine-PE)
Infected with: Trojan.EliteBar.C
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600002.VBN=>(Quarantine-PE)
Infected with: Trojan.Agent.FL
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600002.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02600002.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00000.VBN=>(Quarantine-PE)
Infected with: Trojan.Agent.AY
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00000.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN=>(Quarantine-PE)
Infected with: BehavesLike:Trojan.WUDisable
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN=>(Quarantine-PE)
Infected with: Trojan.Pokapoka62.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN=>(Quarantine-PE)
Infected with: Trojan.Registrator.B
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00006.VBN=>(Quarantine-PE)
Infected with: Dropped:Trojan.Downloader.Small.ABD
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00006.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00006.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00007.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00007.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00007.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00008.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00008.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00008.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00009.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00009.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00009.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000A.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000A.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000A.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000B.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000B.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000B.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000C.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000C.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000C.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000D.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000D.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000D.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000E.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000E.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000E.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000F.VBN=>(Quarantine-PE)
Infected with: Trojan.Startpage.NK
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000F.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C0000F.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C00010.VBN=>(Quarantine-PE)
Infected with: Backdoor.Lamebot.A
eidted by illukka:
i replaced the HTML of BD's report with text, and deleted the unnecessary post with HTML.
when saving BD reports, dont do "save" or "save as", because it will save a html file. instead copy the text, then paste it into notepad
Edited by illukka, 04 January 2006 - 02:12 PM.
#35
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 04 January 2006 - 12:56 PM
Please note from the BitDefender scan logs that the reason why there were so many infections found is that I had it search within archives. Most of them, except the last 10 or so, were inside of the Symantic Quarintine.
Here is the new HJT log after the other scans:
Logfile of HijackThis v1.99.1
Scan saved at 1:54:11 PM, on 1/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Documents and Settings\All Users\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.templebaptistofdalton.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120002357368
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PDUTJFCBS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LARRYH~1\LOCALS~1\Temp\PDUTJFCBS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XKPC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\XKPC.exe
O23 - Service: YISSTOWNUWGPN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\YISSTOWNUWGPN.exe
Here is the new HJT log after the other scans:
Logfile of HijackThis v1.99.1
Scan saved at 1:54:11 PM, on 1/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Documents and Settings\All Users\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.templebaptistofdalton.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120002357368
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PDUTJFCBS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LARRYH~1\LOCALS~1\Temp\PDUTJFCBS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XKPC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\XKPC.exe
O23 - Service: YISSTOWNUWGPN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\YISSTOWNUWGPN.exe
#36
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 04 January 2006 - 01:01 PM
I also wanted to mention that if you copy the html code from the BitDefender log and paste it in notepad, you can save it as an html file. It will then be viewable in your browser. I'm sure you already knew this, but I just wnated to confirm it. 
edited by illukka: there is an easier way, see above
edited by illukka: there is an easier way, see above
Edited by illukka, 04 January 2006 - 02:23 PM.
#37
ken545
-
- Retired Classroom Teacher
-
- 23,225 posts
Forum God
- Interests:Fighting Malware and cooking some great Italian and TexMex food
-
Posted 04 January 2006 - 07:36 PM
Monza,
It looks like at one time that you had a Smitfraud infection, all the scans may have removed part of it. There are bits and pieces left that need to be removed.
Download Pocket Killbox
* Open Pocket Killbox
* Copy and paste this entire path into Full Path of File to delete
* Set it to Delete on Reboot
* Tick the box that says End Explorer shell while killing file
* Click on the Red circle with the white X
* It will ask you to confirm the deletion...Say yes
* It will ask you to reboot, say yes
Highlight all the files and there paths in the quote box and then hit Control C to copy them to the clipboard. Then in the box that says Paste entire path into Full Path of File to delete, paste it in.
Then boot into Safemode and make sure that windows is set to show all files and folders and look for the files in RED and make sure there gone. If not, delete the ones if any that are still present.
To Enter SAFEMODE
* Go to START/ SHUT OF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD
SHOW HIDDEN FILES AND FOLDERS
* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK
* Don't forget to reverse this once your computer is clean
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\kwv2.dat
C:\WINDOWS\ubber60.ini
C:\WINDOWS\SYSTEM32\cache32_rtneg4
C:\WINDOWS\SYSTEM32\wp.bmp
C:\WINDOWS\SYSTEM32\xbox_round1.bmp
Reboot normally and let me know how your system is running at the moment.
Ken
It looks like at one time that you had a Smitfraud infection, all the scans may have removed part of it. There are bits and pieces left that need to be removed.
Download Pocket Killbox
* Open Pocket Killbox
* Copy and paste this entire path into Full Path of File to delete
* Set it to Delete on Reboot
* Tick the box that says End Explorer shell while killing file
* Click on the Red circle with the white X
* It will ask you to confirm the deletion...Say yes
* It will ask you to reboot, say yes
Highlight all the files and there paths in the quote box and then hit Control C to copy them to the clipboard. Then in the box that says Paste entire path into Full Path of File to delete, paste it in.
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\kwv2.dat
C:\WINDOWS\ubber60.ini
C:\WINDOWS\SYSTEM32\cache32_rtneg4
C:\WINDOWS\SYSTEM32\wp.bmp
C:\WINDOWS\SYSTEM32\xbox_round1.bmp
Then boot into Safemode and make sure that windows is set to show all files and folders and look for the files in RED and make sure there gone. If not, delete the ones if any that are still present.
To Enter SAFEMODE
* Go to START/ SHUT OF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD
SHOW HIDDEN FILES AND FOLDERS
* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK
* Don't forget to reverse this once your computer is clean
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\kwv2.dat
C:\WINDOWS\ubber60.ini
C:\WINDOWS\SYSTEM32\cache32_rtneg4
C:\WINDOWS\SYSTEM32\wp.bmp
C:\WINDOWS\SYSTEM32\xbox_round1.bmp
Reboot normally and let me know how your system is running at the moment.
Ken
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Find us on Facebook
Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.
#38
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 20 January 2006 - 03:58 PM
Ok, I ran killbox on the files listed. When I tried to find them manually, they were not there. So, either they are gone or they are only created by another file when they are running.
Here is an ewido scan I ran recently:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 4:50:34 PM, 1/5/2006
+ Report-Checksum: 35F977C9
+ Scan result:
HKU\S-1-5-21-1957994488-1708537768-854245398-1004\Software\DNS -> Adware.Shorty : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
::Report End
Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:11:06 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Documents and Settings\All Users\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.templebaptistofdalton.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120002357368
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PDUTJFCBS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LARRYH~1\LOCALS~1\Temp\PDUTJFCBS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XKPC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\XKPC.exe
O23 - Service: YISSTOWNUWGPN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\YISSTOWNUWGPN.exe
The system seems to be stable right now. I am hoping that all the files related to any viruses are now gone.
Here is an ewido scan I ran recently:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 4:50:34 PM, 1/5/2006
+ Report-Checksum: 35F977C9
+ Scan result:
HKU\S-1-5-21-1957994488-1708537768-854245398-1004\Software\DNS -> Adware.Shorty : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Billy\Application Data\Mozilla\Profiles\default\5hfgx0vn.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Larry Hathcock\Application Data\Mozilla\Profiles\default\3dc6024g.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
::Report End
Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:11:06 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Documents and Settings\All Users\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.templebaptistofdalton.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120002357368
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PDUTJFCBS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LARRYH~1\LOCALS~1\Temp\PDUTJFCBS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XKPC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\XKPC.exe
O23 - Service: YISSTOWNUWGPN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Billy\LOCALS~1\Temp\YISSTOWNUWGPN.exe
The system seems to be stable right now. I am hoping that all the files related to any viruses are now gone.
#39
ken545
-
- Retired Classroom Teacher
-
- 23,225 posts
Forum God
- Interests:Fighting Malware and cooking some great Italian and TexMex food
-
Posted 20 January 2006 - 05:47 PM
Hey Monza,
Your log is looking good
It looks like we got rid of it all. Glad your system is running well again.
Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.
* Download and Install CCleaner, Click on RUN TOOL, when you run the Issues Scan and it asks
you to back up the registry Say Yes.
Now that your clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.
To Enter SAFEMODE
* Go to START/ SHUT OF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD
* Go to My Computer/ C: Drive/ Documents and Settings/ Local Settings/ Every User on this Computer
and delete all the contents of the Temp Folder
* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder
* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder.
But not the Prefetch folder itself.
NOW RE-BOOT NORMALLY
* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.
Now Empty your Recycle Bin
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your
system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.
Reboot your System
Turn ON System Restore.
* Right-click My Computer.
* ClickProperties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.
* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember
* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once aweek.
* Here are Free Anti-Virus Programs if you need one
AVG Free Edition
AntVir Personal Edition
* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.
* Spyware Blaster It will prevent most spyware from ever being installed.
* Spyware Guard It offers realtime protection from spyware installation attempts.
* Win Patrol This program will warn you when any changes are being made to your system and
give you the option to deny the change.
* IE- Spyad IE-Spyad places over 4000 web sites and domains
in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed,
although you will still be able to connect to the sites.
* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use
them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this
for awhile, you will want to make it your default.
* Thunderbird Mail There companion mail program was highly favored in PCWorld Magazine,
this has a good spam filter and is more secure than Outlook Express.
* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't
access the internet without it.
* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.
* Go to START/ CONTROL PANEL> PERFROMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.
Thanks for using Tom Coyote,
Ken
Your log is looking good
It looks like we got rid of it all. Glad your system is running well again.Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.
* Download and Install CCleaner, Click on RUN TOOL, when you run the Issues Scan and it asks
you to back up the registry Say Yes.
Now that your clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.
To Enter SAFEMODE
* Go to START/ SHUT OF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD
* Go to My Computer/ C: Drive/ Documents and Settings/ Local Settings/ Every User on this Computer
and delete all the contents of the Temp Folder
* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder
* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder.
But not the Prefetch folder itself.
NOW RE-BOOT NORMALLY
* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.
Now Empty your Recycle Bin
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your
system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.
Reboot your System
Turn ON System Restore.
* Right-click My Computer.
* ClickProperties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.
* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember
* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once aweek.
* Here are Free Anti-Virus Programs if you need one
AVG Free Edition
AntVir Personal Edition
* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.
* Spyware Blaster It will prevent most spyware from ever being installed.
* Spyware Guard It offers realtime protection from spyware installation attempts.
* Win Patrol This program will warn you when any changes are being made to your system and
give you the option to deny the change.
* IE- Spyad IE-Spyad places over 4000 web sites and domains
in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed,
although you will still be able to connect to the sites.
* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use
them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this
for awhile, you will want to make it your default.
* Thunderbird Mail There companion mail program was highly favored in PCWorld Magazine,
this has a good spam filter and is more secure than Outlook Express.
* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't
access the internet without it.
* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.
* Go to START/ CONTROL PANEL> PERFROMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.
Thanks for using Tom Coyote,
Ken
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Find us on Facebook
Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.
#40
monza
-
- Authentic Member
-
- 33 posts
Authentic Member
Posted 20 January 2006 - 11:26 PM
Thanks for all your help!!!
Register to Remove
#41
ken545
-
- Retired Classroom Teacher
-
- 23,225 posts
Forum God
- Interests:Fighting Malware and cooking some great Italian and TexMex food
-
Posted 21 January 2006 - 08:10 AM
Monza,
Your more than welcome, glad we could help.
Ken
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Find us on Facebook
Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.
#42
illukka
-
- Authentic Member
-
- 834 posts
Retired Staff-Malware Expert
Posted 25 January 2006 - 05:46 AM
Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.
Coyote's Installed programs for prevention:
http://forums.tomcoy...showtopic=31418
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.
Coyote's Installed programs for prevention:
http://forums.tomcoy...showtopic=31418
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
2 user(s) are reading this topic
0 members, 2 guests, 0 anonymous users
