newbie with TrojanHorse (and others?)
-
Hello, new guy here. My friend referred me, said you helped him out a lot with his problem.
AVG found trojanhorse startpage.21.BI
My Internet Explorer also has about:blank
I ran:
CCleaner
Spybot Search and Destroy -- it found CoolWWWSearch, which it couldn't erase
Pest Patrol -- found CWS.Homesearch which it couldn't clean
and then HijackThis.
Here is my HijackThis file. Any help will be appreciated!!! And I will gladly donate.
Mark
Logfile of HijackThis v1.99.1
Scan saved at 10:45:39 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\croy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\DOCUME~1\Nicole\LOCALS~1\Temp\676.tmp.exe
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\appuo32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [croy.exe] C:\WINDOWS\croy.exe
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [676.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\676.tmp.exe
O4 - HKLM\..\Run: [675.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [676.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\676.tmp.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\CA\eTrust PestPatrol\core\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28b5cdad...p/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O20 - Winlogon Notify: geeda - geeda.dll (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
-
Welcome to DAL,
First thing, let's run a Trojan scanner over your system and clean out as much as possible. I would like you to run the scan from safe mode, as explained below:
Safe Mode: tap your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter, then run the Ewido scan please. Save the log for me and post it when you come back with a new HijackThis log.
Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
Preparing for the rest of the fix
Go to Start > Run and type: services.msc and click OK
Scroll down in that list and look if the following services are present. If they are not there, then proceed with the rest of the instructions:
Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service
Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.
Double-click on the service(s). In the window that appears, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.
Do the same as above for the other services, if present.
Then:
Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Network Security Service (if present) and press OK. OK any prompts, close HijackThis, and restart your computer.
Do the same for the others, if present.
Those services may all be there, none may be there, or maybe just one. If none are there, just skip all of the above.
If you download the Firefox browser it should make this go a lot easier and quicker; be sure to make Firefox your default browser.
Firefox download page:---www.mozilla.org/products/firefox/
Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Adaware. You will need it later/not yet.
Download and save to your Desktop, don't run it now, we will use it later:
http://securityresponse.symantec.com...r/FxAgentB.exe
Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates, then exit; we will use it later.
Download About:Buster from here:
http://majorgeeks.com/download4289.html
Unzip it to its own folder on the DESKTOP: right click an open area on the desktop, click New, then Folder, and name the folder Aboutbuster. It is VITAL that it be unzipped.
Please open/run the program and check for updates. After you update it exit.
Do not run the actual scan/fix until instructed.
OK, after you do all of that, come back with a new HijackThis log and Firefox as your default browser; don't forget to post the log that Ewido makes also. Thanks, then we will start killing some more stuff.
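As an added example (not part of this thread, and not a HijackThis feature), a small Python script that applies the checks the helper makes by eye when picking lines out of a HijackThis log: IE search pages redirected into a local DLL via res://, the missing URLSearchHook, a BHO sitting in the Windows root, Run entries launching from Temp, an ActiveX download from a bare IP address, and orphaned Winlogon Notify entries. It also does the exact-name service match described above. The sample log lines are taken from the logs posted in this thread; the indicator patterns and the risk wording are the example's own.

```python
"""Triage a HijackThis v1.99 log for the CoolWebSearch-style indicators seen in this thread.

Added example: these heuristics mirror what the helper does by hand; they are not
part of HijackThis, and a hit means "look at this line", not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Display names the helper asks the user to look for in services.msc.
ROGUE_SERVICE_NAMES = {
    "Network Security Service (NSS)",
    "Remote Procedure Call (RPC) Helper",
    "Workstation NetLogon Service",
}

# "R1 - <body>" / "O4 - <body>": everything else in the log (process list, headers) is skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# IE start/search page pointing into a local DLL resource, e.g. res://C:\WINDOWS\jqqhj.dll/sp.html
RES_SEARCH_RE = re.compile(r"res://\S+\.dll/sp\.html", re.IGNORECASE)
# Autostart command living in a user's Temp folder (8.3 short form or long form)
TEMP_PATH_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# BHO DLL sitting directly in C:\WINDOWS rather than in a program folder or system32
WINDOWS_ROOT_DLL_RE = re.compile(r"- C:\\WINDOWS\\[^\\\s]+\.dll(?:\s|$)", re.IGNORECASE)
# O16 ActiveX download whose URL host is a bare IPv4 address
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O4"
    line: str    # the log line as written
    reason: str  # why a human should look at it


def is_rogue_service(name: str) -> bool:
    """Exact match after trimming whitespace only. The legitimate
    'Remote Procedure Call (RPC)' must never match '... (RPC) Helper'."""
    return name.strip() in ROGUE_SERVICE_NAMES


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing on it stands out."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    # about:blank as Default_Page_URL is normal on its own and is not flagged here;
    # the helper fixes it only because of the surrounding res:// hijack.
    if kind in ("R0", "R1") and RES_SEARCH_RE.search(body):
        return Finding(kind, line, "IE search/start page redirected into a local DLL resource")
    if kind == "R3" and "is missing" in body:
        return Finding(kind, line, "default URLSearchHook removed (common after a search hijack)")
    if kind == "O2" and WINDOWS_ROOT_DLL_RE.search(body):
        return Finding(kind, line, "BHO loaded from the Windows root directory")
    if kind == "O4" and TEMP_PATH_RE.search(body):
        return Finding(kind, line, "autostart entry runs an executable from a Temp folder")
    if kind == "O16" and BARE_IP_URL_RE.search(body):
        return Finding(kind, line, "ActiveX control downloaded from a bare IP address")
    if kind == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
        return Finding(kind, line, "orphaned Winlogon Notify entry (its DLL is already gone)")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f is not None]


# Lines copied from the HijackThis logs posted in this thread; a mix of clean and suspect.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
    for name in ("Remote Procedure Call (RPC)", "Remote Procedure Call (RPC) Helper"):
        print(f"{name!r}: {'matches rogue list' if is_rogue_service(name) else 'not in rogue list'}")
```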
-
Hello again! I hope I did everything correctly.
I ran Ewido, and HijackThis again. I also downloaded Adaware, CWShredder, About:Buster, etc.
I also looked for Network Security Service, (RPC) Helper, and Workstation NetLogon Service, according to the instructions, but didn't see them listed.
Here is my Ewido log, and a new HijackThis log.
Thanks!
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 11:18:11 PM, 1/3/2006
+ Report-Checksum: 3AD2A19
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{850CD0B8-DA33-4558-A8C8-95D7908E37A7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\xt5u8h6f.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@ehg-comcast.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@ehg-foxsports.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\1.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\3.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\4.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\5.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\676.tmp.exe -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temporary Internet Files\Content.IE5\KTE3CDUZ\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7641B5E7-A2B5-40F1-AC74-14117D\AF2E5880-293A-4DE5-9280-71F4B5 -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL -> Spyware.MyWay : Cleaned with backup
C:\WINDOWS\croh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\croy.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\extract.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\ieaw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipfl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipfm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iPlayer.INI:mdtie -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfcet.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msbbi.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\sdkfy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkgl32.dll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkwb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addhd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appuo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlcj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crqh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieti.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\Mx0n11n3.dll -> Downloader.Rameh.a : Cleaned with backup
C:\WINDOWS\system32\sahagent1008.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\_default.pif:kdcsa -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\_default.pif:szdyh -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vbzwx -> Downloader.Agent.td : Cleaned with backup
D:\stuf to be sorted\kmd.exe/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
D:\stuf to be sorted\kmd.exe/cd_htm.dll -> Spyware.Cydoor : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 11:26:07 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [675.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28b5cdad...p/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O20 - Winlogon Notify: geeda - geeda.dll (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
-
Maybe I am missing it, but did you download Firefox?
Did you make it your default browser?
I see Yahoo browser but not Firefox.
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
-
Hey Neal, yes I did make Firefox my default browser. Do I need to erase/uninstall Internet Explorer?
Thanks
Mark
-
No, that is fine; normally Firefox will show in HijackThis. Let's proceed.
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Download Clean.bat to your desktop (Save page as or Save as), for later use to clean out your TEMPORARY and PREFETCH files:
http://www.thatcomputerguy.us/downloads/clean.bat
Print this out below or make a new text document on your desktop, as you will not have internet access through the fix.
Disconnect from the internet (pull the plug) or the fix will fail.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Run HijackThis
Click on scan and put a check on the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [675.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28b5cda...ip/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/...lim/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: geeda - geeda.dll (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
Make sure all browser and Windows Explorer windows are closed and click on Fix checked.
Shut down all running programs, make sure that you are not connected to the internet!
Double-click the FxAgentB.exe file to start the removal tool.
Save the log it makes and post it in your next reply.
Please do NOT start any other applications until the removal tool exits and the computer is restarted.
Restart the computer back into safe mode.
Now run AboutBuster as many times as it takes to not find anything.
Now run CWShredder and click on fix
Hunt for and delete these files/folders:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe < file
C:\WINDOWS\system32\geedc.dll < file
Run Adaware and perform a full system scan.
Still in safe mode
Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.
Then:
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
Reboot
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start
Post a new HJT log for further review
Last edited by Neal; 05-01-2006 at 04:06 AM.
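The fix list above is the helper's manual triage of the R0/R1, R3, O2, O4, O16 and O20 entries. As an added example (not code from the thread or from HijackThis), here is a small Python script that applies the same indicators to a HijackThis log; the sample log is constructed from entries quoted in this thread, and the rules are this example's own shortlist, not a complete signature set.

```python
"""Triage a HijackThis v1.99 log for the CoolWebSearch-style indicators the
helper applied by hand in this thread (added example; not code from the
thread or from HijackThis).  The sample log below is constructed from
entries quoted in the thread; the rules are this example's own shortlist,
not a complete signature set."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: hijacked entries from the first log next to benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _reason(section: str, body: str) -> Optional[str]:
    """Return why an entry is suspicious, or None if no indicator matches."""
    low = body.lower()
    if section in ("R0", "R1"):
        # The registry value after '=': IE start/search pages pointed at a
        # res:// resource inside a local DLL, or blanked, is the CWS pattern
        # the helper ticked in the fix list.
        value = low.split("=", 1)[1].strip() if "=" in low else ""
        if value.startswith("res://") and ".dll/" in value:
            return "IE search/start page served from a local DLL resource"
        if value == "about:blank":
            return "IE start page reset to about:blank"
    elif section == "R3" and "urlsearchhook is missing" in low:
        return "default URLSearchHook removed"
    elif section in ("O2", "O20") and "(file missing)" in low:
        # Orphaned BHO / Winlogon Notify entries left behind by the infection.
        return "orphaned BHO/Winlogon Notify entry (file missing)"
    elif section == "O4" and re.search(r"\\temp\\", low):
        # Legitimate software does not autostart from a user's Temp folder.
        return "autostart entry launches from a Temp directory"
    elif section == "O16":
        m = re.search(r"https?://\S+", body)
        if m and IPV4_RE.match(urlsplit(m.group(0)).hostname or ""):
            return "ActiveX download from a bare IP address"
    return None


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the entries matching an indicator.

    Each hit is a dict with the section code, the reason and the raw line,
    in file order, so the output can be compared against a helper's fix list."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # running-process list, header lines, blank lines
        reason = _reason(m.group("section"), m.group("body"))
        if reason:
            hits.append({"section": m.group("section"),
                         "reason": reason, "line": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['section']:<4} {hit['reason']}\n     {hit['line']}")
```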
-
Sorry for the delay.
When I ran FxAgentB.exe, it said 'BackdoorAgent B has not been found on your computer' and there was no log file(?)
Also, after running CWShredder, I looked for but could not find these files:
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe < file
C:\WINDOWS\system32\geedc.dll < file
Other than that, everything seemed to go smoothly.
Here is an updated HijackThis file:
Logfile of HijackThis v1.99.1
Scan saved at 11:49:48 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
Thanks!
Mark
-
Beautiful, I love doing this stuff. Excellent job you did there. CoolWebSearch infection is gone.
Let's do a couple of online scans now and see what comes up from those. Both of the online scanners will make logs of what is found (if anything); post those logs back for me to look at please. Thanks. Again, nice job.
Run these two online virus scanners following the instructions below:
Panda ActiveScan (Internet Explorer required): http://www.pandasoftware.com/products/activescan.htm
Also this excellent BitDefender scanner (Internet Explorer required): http://www.bitdefender.com/scan8/ie.html
-
Hello
I ran BitDefender, and it seems to show I still have some infected files.
Here is the report and the log.
Thanks again!
Mark
BitDefender Online Scanner - Real Time Virus Report
Generated at: Fri, Jan 06, 2006 - 15:29:5
Scan Info
Scanned Files: 603765
Infected Files: 25
Virus Detected
Application.Adware.SpySheriff: 6
GenPack:Trojan.Agent.BI: 8
Adware.Wheaterbug.A: 1
Trojan.Ebates.A: 1
GenPack:Trojan.Downloader.Agent.TD: 9
BitDefender Online Scanner
Scan report generated at: Fri, Jan 06, 2006 - 15:12:07
Scan path: A:\;C:\;D:\;E:\;F:\;
Statistics
Time: 01:38:52
Files: 598740
Folders: 5021
Boot Sectors: 3
Archives: 30229
Packed Files: 40656
Results
Identified Viruses: 5
Infected Files: 25
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 25
Engines Info
Virus Definitions: 250845
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
Scanned File / Status
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008
Detected with: Adware.Wheaterbug.A
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008
Disinfection failed
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008
Deleted
C:\Program Files\AIM95\aim95.exe=>wise0037
Update failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif=>:kdcsa:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif=>:kdcsa:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif=>:kdcsa:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007529.dll
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007529.dll
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007529.dll
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007530.dll
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007530.dll
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007530.dll
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007531.dll
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007531.dll
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007531.dll
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007533.dll
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007533.dll
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007533.dll
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007535.exe
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007535.exe
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007535.exe
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif=>:kdcsa:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif=>:kdcsa:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif=>:kdcsa:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif=>:vbzwx:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif=>:vbzwx:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif=>:vbzwx:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif=>:vbzwx:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif=>:vbzwx:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif=>:vbzwx:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif=>:vbzwx:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif=>:vbzwx:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif=>:vbzwx:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif=>:vbzwx:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif=>:vbzwx:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif=>:vbzwx:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif=>:vbzwx:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif=>:vbzwx:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif=>:vbzwx:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif=>:vbzwx:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif=>:vbzwx:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif=>:vbzwx:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini=>:ifpgut:$DATA
Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini=>:ifpgut:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini=>:ifpgut:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini
Updated
D:\unzipped\bikini8bb.exe=>wise0020
Infected with: Trojan.Ebates.A
D:\unzipped\bikini8bb.exe=>wise0020
Disinfection failed
D:\unzipped\bikini8bb.exe=>wise0020
Deleted
D:\unzipped\bikini8bb.exe
Update failed
-

BD got everything it found, but it did detect SpySheriff, so look in Add/Remove Programs and see if it is in there, and remove it if it is.
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
Next, run Ad-aware and perform a full scan. Remove everything found.
Restart your computer in normal mode.
Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.