log
-
log
I read through what to do before posting a log and followed all the steps as closely as I could. Now what? Any help would be appreciated.
winxp
Logfile of HijackThis v1.99.1
Scan saved at 11:09:31 AM, on 9/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\outpostupdate.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\Documents and Settings\Woods\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5B77C2FA-0016-D290-0E87-BEABD0843FDC} - C:\WINDOWS\System32\cdmagent\cdluiepmku.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Woods\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
O18 - Filter: text/plain - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
O21 - SSODL: AOL Connectivity Services - {F56E4627-DB11-A762-655F-16421C5B5735} - c:\progra~1\common~1\aol\acs\winvhiqp5.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
You have got to go get Service Pack 1/microsoft security updates before we can do any fixing.
Do not get Service Pack 2 on an infected machine like yours.
Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
-
OK, I completed the updates, and the only Windows update that appeared was for Service Pack 2, which I did not install.
-
Welcome back,
Preparing for the fix: save all fix tools to the desktop.
This browser will help in keeping the infection from coming back, which is a common occurrence with IE.
Why don't you download the Firefox browser and use it through this fix? Maybe that will help.
Firefox download page:---www.mozilla.org/products/firefox/
It's more secure than IE anyway; you can switch back and forth as I do.
And it is uninstallable through Add/Remove Programs.
It will not take very long to download; at least it didn't on my machine.
Make sure you can see hidden files.
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.
Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates, then exit; we will use it later.
Next,
Please download CWShredder from here (this is the older version), then exit; do not run it yet: http://www.thatcomputerguy.us/downloads-cat4.html
Download About:Buster from here:
www.besttechie.net/tools/AboutBuster5.zip
Or here:
www.malwarebytes.biz/AboutBuster5.zip
Or here:
http://majorgeeks.com/download4289.html
Unzip it to its own DESKTOP folder: right-click an open area on the desktop, click New, then Folder, and name the folder Aboutbuster. It is VITAL that it be unzipped.
Please open/run the program and check for updates. After you update it exit.
Do not run the actual scan/fix until instructed below.
Download and save to your Desktop, don't run it now, we will use it later:
http://securityresponse.symantec.com...r/FxAgentB.exe
Download CCleaner from here:
http://www.majorgeeks.com/download4191.html
or here:
http://www.filehippo.com/download_ccleaner.html
Don't run the tool yet please; install only.
Install it. The Windows tab should be opened in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.
1. Uncheck "Cookies" under "Internet Explorer".
2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
After downloading all needed tools post a new HJT log please.
Last edited by Neal; 23-09-2005 at 09:35 PM.
-
OK, mission completed.
Logfile of HijackThis v1.99.1
Scan saved at 12:37:14 AM, on 9/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\System32\outpostupdate.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\Documents and Settings\Woods\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5B77C2FA-0016-D290-0E87-BEABD0843FDC} - C:\WINDOWS\System32\cdmagent\cdluiepmku.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Woods\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
O18 - Filter: text/plain - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
O21 - SSODL: AOL Connectivity Services - {F56E4627-DB11-A762-655F-16421C5B5735} - c:\progra~1\common~1\aol\acs\winvhiqp5.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
OK here we go,
Disconnect from the internet---pull the plug.
Now reboot into Safe Mode by tapping your F8 key on restart; when the Safe Mode screen appears, select Safe Mode and press Enter.
Run HijackThis
Click on scan and put a check on the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5B77C2FA-0016-D290-0E87-BEABD0843FDC} - C:\WINDOWS\System32\cdmagent\cdluiepmku.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
O18 - Filter: text/plain - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
Make sure all browser and all Windows Explorer windows are closed and click on Fix.
Shut down all running programs, including HJT, and make sure that you are not connected to the internet!
Double-click the FxAgentB.exe file to start the removal tool.
Save the log it makes and post it in your next reply.
Please do NOT start any other applications until the removal tool exits and the computer is restarted.
Restart the computer, back into Safe Mode.
Run the removal tool again to ensure that the system is clean.
Stay in Safe Mode.
Run the first CWShredder and click Fix; let the tool run through the fix, then do the same with the second one.
Start CCleaner and click Run Cleaner (use the Windows tab only).
Run Adaware and perform a full system scan.
Reboot and post a new HijackThis log.
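The triage the helper does by eye above, as an added example that is not part of the original thread and not a feature of HijackThis itself: a small parser for HijackThis v1.99.1 log lines that flags the same kinds of entries picked out in the fix list (search and start pages reset to about:blank, BHOs and MIME filters whose DLL is missing, a Run entry loading a DLL from a Temp directory via rundll32, one executable registered under three Run keys), then diffs a before log against an after log to show what the fix actually removed and what still needs attention. The sample lines are copied from the logs posted in this thread; the heuristics and the function names are mine.

```python
import re
from collections import defaultdict

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [sp] rundll32 ..."
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O4 autorun body: "HKLM\..\Run: [name] command"  (also RunServices and HKCU)
RUN_RE = re.compile(r"^(HK[LC][MU]\\\.\.\\Run(?:Services)?): \[(.*?)\] (.*)$")
# Commands launched out of a user or system Temp directory
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\|\\WINDOWS\\Temp\\", re.I)

def parse(log_text):
    """Return (section, body) pairs, skipping the header and the process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def flag(entries):
    """Map each suspicious entry line to the reason a triager would mark it for fixing."""
    reasons = {}
    run_keys = defaultdict(set)  # autorun command -> set of Run keys it appears under
    for sec, body in entries:
        line = f"{sec} - {body}"
        if sec.startswith("R") and body.rstrip().endswith("= about:blank"):
            reasons[line] = "search/start page forced to about:blank (hijacker signature)"
        elif sec in ("O2", "O18") and ("(file missing)" in body or "(no file)" in body):
            reasons[line] = "BHO/filter registered but its DLL is gone: orphaned entry"
        elif sec == "O18":
            reasons[line] = "MIME filter on text/html or text/plain: rewrites every page IE renders"
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                key, _name, cmd = m.groups()
                run_keys[cmd.lower()].add(key)
                if TEMP_RE.search(cmd):
                    reasons[line] = "autorun from a Temp directory (installed software does not live there)"
    # Same command under HKLM\Run, HKLM\RunServices and HKCU\Run: persistence hammered in three places
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if m and len(run_keys[m.group(3).lower()]) >= 3:
            reasons.setdefault(f"{sec} - {body}", "identical autorun under three keys (redundant persistence)")
    return reasons

def diff_logs(before, after):
    """(removed, added): entries that disappeared after the fix, and any new ones that showed up."""
    a = {f"{s} - {b}" for s, b in parse(before)}
    b = {f"{s} - {b}" for s, b in parse(after)}
    return sorted(a - b), sorted(b - a)

def triage(before, after):
    """What to fix in the first log, what the fix removed, and what is still flagged afterwards."""
    removed, added = diff_logs(before, after)
    return {"to_fix": flag(parse(before)), "removed": removed, "added": added,
            "still_flagged": flag(parse(after))}

# Constructed sample: a subset of the second log posted above (before the fix) ...
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Woods\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O18 - Filter: text/html - {DAFC21FD-71B6-4DC0-A015-7BA9B3912FDF} - C:\WINDOWS\System32\anpb.dll
"""
# ... and the matching subset of the third log (after the fix).
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    result = triage(BEFORE_LOG, AFTER_LOG)
    for line, why in result["to_fix"].items():
        print(f"FIX   {why}\n      {line}")
    for line in result["removed"]:
        print(f"GONE  {line}")
    for line, why in result["still_flagged"].items():
        print(f"LEFT  {why}\n      {line}")
```

The flags are prompts for a human, not verdicts: the same Temp-directory rule would also catch the RecoverFromReboot.exe entry in the posted log, which the helper deliberately left alone, and the diff shows the [sp] rundll32 se.dll entry vanishing even though it was never on the HJT fix list (one of the other tools removed it). The one entry still flagged after the fix is the orphaned anpb.dll BHO, which is exactly what the next reply in the thread asks to be fixed.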
-
Done.
Fix Agent:
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2
C:\System Volume Information: (not scanned)
Backdoor.Agent.B has not been found on your computer.
Log 3:
Logfile of HijackThis v1.99.1
Scan saved at 9:09:25 PM, on 9/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\Documents and Settings\Woods\Desktop\HijackThis.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O21 - SSODL: AOL Connectivity Services - {F56E4627-DB11-A762-655F-16421C5B5735} - c:\progra~1\common~1\aol\acs\winvhiqp5.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
Scan with HJT again and put a check next to this item, making sure all browser windows are closed, including this one.
O2 - BHO: (no name) - {D3DF5C03-E44B-4ABD-A6E5-D5DD842FAD64} - C:\WINDOWS\System32\anpb.dll (file missing)
Then:
Let's see what some virus scans can uncover and we will go from there.
Get the stinger here:
http://vil.nai.com/vil/stinger/
Download it to another computer if need be, and bring it to the affected computer on floppy disk.
It will kill the top 53 virus files if any are found there.
then,
Internet Explorer required
Run these two online virus scanners (Panda Activescan) following these instructions below:
http://www.pandasoftware.com/product..._principal.htm
Internet Explorer required
Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html
These scans will take more than an hour to complete, so make sure you have time to let them run through. Save the Panda scan log and the BitDefender log and post them back here please, with a new HijackThis log.
Thanks.
-
Completed.
BitScan:
Scanned File | Status
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP105\A0024264.exe | Infected with: Win32.Worm.Mytob.1.Gen
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP105\A0024264.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP105\A0024264.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP29\A0003755.exe | Infected with: Trojan.Downloader.Dyfuca.EI
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP29\A0003755.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP29\A0003755.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP29\A0003769.exe | Infected with: Trojan.Downloader.Intexp.C
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP29\A0003769.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP29\A0003769.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP31\A0004591.exe | Infected with: Trojan.Agent.AY
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP31\A0004591.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP31\A0004623.exe | Infected with: Trojan.Agent.AY
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP31\A0004623.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP31\A0004624.exe | Infected with: Trojan.Agent.AY
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP31\A0004624.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP32\A0004683.exe | Infected with: Trojan.Agent.AY
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP32\A0004683.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP32\A0004684.exe | Infected with: BehavesLike:Win32.ExplorerHijack
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP32\A0004684.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP32\A0004684.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP75\A0017535.dll | Infected with: Trojan.Downloader.Murlo.AR
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP75\A0017535.dll | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP75\A0017536.exe | Infected with: Win32.Worm.Mytob.1.Gen
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP75\A0017536.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP75\A0017536.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018100.exe | Suspected of: BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018100.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018100.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018101.exe | Infected with: Trojan.Downloader.Dyfuca.EI
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018101.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018101.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018105.dll | Infected with: Trojan.Downloader.Dyfuca.EG
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018105.dll | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP79\A0018105.dll | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021260.exe=>(NSIS o)=>zlib_nsis0001 | Suspected of: BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021260.exe=>(NSIS o)=>zlib_nsis0001 | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021260.exe=>(NSIS o)=>zlib_nsis0001 | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021260.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021262.exe | Detected with: Adware.Smartpops.C
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021262.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP85\A0021262.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022483.dll | Infected with: Trojan.Spy.Troy.A
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022483.dll | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022483.dll | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022486.exe | Infected with: Trojan.Orse.F
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022486.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022486.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022487.dll | Infected with: Trojan.Proxy.Agent.DF
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022487.dll | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022487.dll | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022488.exe | Infected with: Trojan.Orse.F
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022488.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP96\A0022488.exe | Deleted
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP98\A0023776.exe | Infected with: Trojan.Dropper.Small.QN
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP98\A0023776.exe | Disinfection failed
C:\System Volume Information\_restore{BD77E5C7-7D98-405D-B3EE-C6B612F87575}\RP98\A0023776.exe | Deleted
C:\WINDOWS\Downloaded Program Files\mp3.ocx | Infected with: Trojan.Downloader.Agent.MT
C:\WINDOWS\Downloaded Program Files\mp3.ocx | Disinfection failed
C:\WINDOWS\Downloaded Program Files\mp3.ocx | Deleted
C:\WINDOWS\tct101.dll | Infected with: Trojan.Downloader.Dyfuca.EG
C:\WINDOWS\tct101.dll | Disinfection failed
C:\WINDOWS\tct101.dll | Deleted
ActiveScan:
Incident Status Location
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Woods\Application Data\Sskknwrd.dll
Virus:Trj/Downloader.ERF Disinfected C:\Program Files\Common Files\AOL\ACS\winvhiqp5.dll
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Adware:adware program No disinfected C:\WINDOWS\Downloaded Program Files\on.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\hosts
Virus:Trj/Agent.ACV Disinfected C:\WINDOWS\system32\outpostupdate.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\tct101.dll
Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 12:01:10 AM, on 9/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\Program Files\Common Files\AOL\1126250378\ee\AOLServiceHost.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Woods\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126250378\ee\AOLHostManager.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~2\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: AOL Connectivity Services - {F56E4627-DB11-A762-655F-16421C5B5735} - c:\progra~1\common~1\aol\acs\winvhiqp5.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
Hi, nice job,
Make sure you can see hidden files.
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.
Reboot into Safe Mode and hunt down and delete these:
C:\Documents and Settings\Woods\Application Data\Sskknwrd.dll < file only
C:\WINDOWS\Downloaded Program Files\mp3.ocx < file only
C:\WINDOWS\Downloaded Program Files\on.exe < file only
C:\WINDOWS\tct101.dll < file only
By the way your log is clean.