Trojan.Adclicker detected by Nortons when running Microsoft AntiSpyware (RESOLVED)
-
Re: Trojan.Adclicker detected by Nortons when running Microsoft AntiSpyware
Okay, here is the latest BlackLight log:
01/08/06 13:29:34 [Info]: BlackLight Engine 1.0.30 initialized
01/08/06 13:29:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/08/06 13:29:34 [Note]: 7019 4
01/08/06 13:29:34 [Note]: 7005 0
01/08/06 13:29:37 [Note]: 7006 0
01/08/06 13:29:37 [Note]: 7011 508
01/08/06 13:29:37 [Note]: FSRAW library version 1.7.1014
01/08/06 13:29:42 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
01/08/06 13:29:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSHQX.EXE
01/08/06 13:29:43 [Note]: 7002 32
01/08/06 13:29:43 [Note]: 7003 1
01/08/06 13:29:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMHXF.EXE
01/08/06 13:29:43 [Note]: 7002 32
01/08/06 13:29:43 [Note]: 7003 1
01/08/06 13:29:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
01/08/06 13:29:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\EALTEST.EXE
01/08/06 13:29:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
01/08/06 13:29:45 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET~1.REN
01/08/06 13:30:25 [Note]: 7007 0
-
Additional note: I just ran through another Microsoft AntiSpyware program while Norton AntiVirus was active and received the following alerts:
C:\Windows\System32\idemlog.exe.ren infected with Trojan.AdClicker
C:\Windows\System32\howiper.exe.ren infected with Trojan Horse
How can I get these files visible so I can delete them?
BeHunie
-
Making good progress here.
Re-run the Ewido scan in SAFE MODE and post the log that it makes available.
REBOOT.
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Post the latest Blacklight log and current HJT log.
-
Okay, here are all the logs....
EWIDO in Safe Mode Log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 6:26:36 PM, 1/8/2006
+ Report-Checksum: 3A2FC006
+ Scan result:
[192] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[216] VM_00BF0000 -> Downloader.Agent.uj : Error during cleaning
[780] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
::Report End
******************************************************************
Kaspersky WebScanner Log:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 08, 2006 19:54
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/01/2006
Kaspersky Anti-Virus database records: 170004
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 116037
Number of viruses found: 4
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 3676 sec
Infected Object Name - Virus Name
C:\WINDOWS\bundles\setup_silent_14725.exe/data0001 Infected: not-a-virus:AdWare.Win32.MDH.a
C:\WINDOWS\bundles\setup_silent_14725.exe Infected: not-a-virus:AdWare.Win32.MDH.a
C:\Documents and Settings\Chris\Application Data\tizupd.bin/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.w
C:\Documents and Settings\Chris\Application Data\tizupd.bin Infected: not-a-virus:AdWare.Win32.PurityScan.w
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Support\WinVNC 4.0\WinVNC_4.0.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Support\WinVNC 4.0\WinVNC_4.0.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Support\WinVNC 4.0\WinVNC_4.0.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Support\WinVNC 4.0\WinVNC_4.0.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Sierra\Counter-Strike\downloads\cs1005.exe/WISE0024.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Sierra\Counter-Strike\downloads\cs1005.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Sierra\Counter-Strike\hltv.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
Scan process completed.
**********************************************************************
F-Secure BlackLight Log 01-08-2006 @ 8:39pm:
01/08/06 20:39:32 [Info]: BlackLight Engine 1.0.30 initialized
01/08/06 20:39:32 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/08/06 20:39:32 [Note]: 7019 4
01/08/06 20:39:32 [Note]: 7005 0
01/08/06 20:39:36 [Note]: 7006 0
01/08/06 20:39:36 [Note]: 7011 872
01/08/06 20:39:37 [Note]: FSRAW library version 1.7.1014
01/08/06 20:39:38 [Info]: Hidden file: C:\Program Files\Hewlett-Packard\Digital Imaging\BIN\DESTTEST.EXE
01/08/06 20:39:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
01/08/06 20:39:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMSHY.EXE
01/08/06 20:39:44 [Note]: 7002 32
01/08/06 20:39:44 [Note]: 7003 1
01/08/06 20:39:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSASL.EXE
01/08/06 20:39:44 [Note]: 7002 32
01/08/06 20:39:44 [Note]: 7003 1
01/08/06 20:39:45 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
01/08/06 20:39:45 [Note]: 7002 5
01/08/06 20:39:45 [Note]: 7003 1
01/08/06 20:39:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\EALTEST.EXE
01/08/06 20:39:48 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
01/08/06 20:39:48 [Note]: 7002 5
01/08/06 20:39:48 [Note]: 7003 1
01/08/06 20:39:50 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET~1.REN
01/08/06 20:40:21 [Note]: 7007 0
********************************************************************
Current HJT Log 01-08-2006 @ 8:37pm:
Logfile of HijackThis v1.99.1
Scan saved at 8:36:58 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Support\Spyware-Virus fix tools etc\HijackThis Spyware removal tool\hijackthis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrix.co.outagamie.wi.us/Ci...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126834989626
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (Triplet Control) - http://mirror.worldwinner.com/games/...et/triplet.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...42/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yaho...bio5_1_1_0.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Let me know what ya think!!
-
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
Delete the following files in SAFE MODE (Start>Search):
C:\WINDOWS\bundles\setup_silent_14725.exe
C:\Documents and Settings\Chris\Application Data\tizupd.bin
C:\WINDOWS\SYSTEM32\HOWIPER.EXE.REN
C:\WINDOWS\SYSTEM32\FAVSET.EXE.REN
C:\WINDOWS\SYSTEM32\IDEMLOG.EXE.REN
REBOOT.
Run Ewido in NORMAL MODE and post the log that it creates.
Post the latest Blacklight log, please.
-
Hidden files showing. Booted into safe mode.
Was able to find and delete the following:
C:\Windows\bundles\setup_silent_14725.exe
C:\Documents and Settings\Chris\Application Data\tizupd.bin
BUT the following were not there and when searching the C:\ drive did not show up:
C:\Windows\System32\howiper.exe.ren
C:\Windows\System32\favset.exe.ren
C:\Windows\System32\idemlog.exe.ren
Rebooted and ran Ewido in normal mode, here is the log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 7:50:58 PM, 1/9/2006
+ Report-Checksum: E70F16CA
+ Scan result:
[456] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[488] VM_00C60000 -> Downloader.Agent.uj : Error during cleaning
[1096] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[1676] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[2092] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[2152] VM_00930000 -> Downloader.Agent.uj : Error during cleaning
[2184] VM_00E70000 -> Downloader.Agent.uj : Error during cleaning
[2416] VM_00AB0000 -> Downloader.Agent.uj : Error during cleaning
[2544] VM_008B0000 -> Downloader.Agent.uj : Error during cleaning
[2616] VM_00880000 -> Downloader.Agent.uj : Error during cleaning
[2628] VM_00350000 -> Downloader.Agent.uj : Error during cleaning
[2744] VM_00390000 -> Downloader.Agent.uj : Error during cleaning
[2976] VM_00860000 -> Downloader.Agent.uj : Error during cleaning
[3348] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\8BMTVGNX\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@data4.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
::Report End
Ran BlackLight: received notifications from Nortons for the same two files (howipe~1.ren and idemlo~1.ren) with the same two viruses as always. Here is the log from blacklight:
01/09/06 19:51:35 [Info]: BlackLight Engine 1.0.30 initialized
01/09/06 19:51:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/09/06 19:51:35 [Note]: 7019 4
01/09/06 19:51:35 [Note]: 7005 0
01/09/06 19:51:40 [Note]: 7006 0
01/09/06 19:51:40 [Note]: 7011 3348
01/09/06 19:51:41 [Note]: FSRAW library version 1.7.1014
01/09/06 19:51:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
01/09/06 19:51:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMNKV.EXE
01/09/06 19:51:47 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSISX.EXE
01/09/06 19:51:47 [Note]: 7002 32
01/09/06 19:51:47 [Note]: 7003 1
01/09/06 19:51:47 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
01/09/06 19:51:47 [Note]: 7002 5
01/09/06 19:51:47 [Note]: 7003 1
01/09/06 19:51:49 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\EALTEST.EXE
01/09/06 19:51:50 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
01/09/06 19:51:50 [Note]: 7002 5
01/09/06 19:51:50 [Note]: 7003 1
01/09/06 19:51:53 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET~1.REN
01/09/06 19:54:48 [Note]: 7007 0
BeHunie
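The three BlackLight logs in this thread show the same split a practitioner would check by hand: some hidden paths keep the same name on every run (IDEMLO~1.REN, HOWIPE~1.REN, FAVSET~1.REN, EALTEST.EXE, WBEMTEST.EXE), while a pair of five-letter SYSTEM32 executables gets a new name each time (CSHQX/DMHXF, then DMSHY/CSASL, then DMNKV/CSISX). The script below is an added example, not part of the original thread and not BlackLight's own code: it splits concatenated BlackLight output into runs, reports which hidden paths persist across all runs and which appear only sometimes, and applies a CS/DM five-letter regex that is an assumption drawn solely from the names in these logs, not a vendor signature. The embedded sample is a constructed excerpt of the three logs posted above.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the three BlackLight logs posted above
# (01/08 13:29, 01/08 20:39, 01/09 19:51), keeping only the lines the parser needs.
SAMPLE_LOGS = r"""
01/08/06 13:29:34 [Info]: BlackLight Engine 1.0.30 initialized
01/08/06 13:29:42 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
01/08/06 13:29:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSHQX.EXE
01/08/06 13:29:43 [Note]: 7002 32
01/08/06 13:29:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMHXF.EXE
01/08/06 13:29:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
01/08/06 13:29:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\EALTEST.EXE
01/08/06 13:29:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
01/08/06 13:29:45 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET~1.REN
01/08/06 20:39:32 [Info]: BlackLight Engine 1.0.30 initialized
01/08/06 20:39:38 [Info]: Hidden file: C:\Program Files\Hewlett-Packard\Digital Imaging\BIN\DESTTEST.EXE
01/08/06 20:39:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
01/08/06 20:39:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMSHY.EXE
01/08/06 20:39:44 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSASL.EXE
01/08/06 20:39:45 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
01/08/06 20:39:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\EALTEST.EXE
01/08/06 20:39:48 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
01/08/06 20:39:50 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET~1.REN
01/09/06 19:51:35 [Info]: BlackLight Engine 1.0.30 initialized
01/09/06 19:51:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
01/09/06 19:51:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMNKV.EXE
01/09/06 19:51:47 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSISX.EXE
01/09/06 19:51:47 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
01/09/06 19:51:49 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\EALTEST.EXE
01/09/06 19:51:50 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
01/09/06 19:51:53 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET~1.REN
"""

INIT_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[Info\]: BlackLight Engine .* initialized$")
HIDDEN_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d \[Info\]: Hidden file: (.+)$")
# Assumption drawn only from the names in these logs: a CS or DM prefix plus three
# random letters, directly in SYSTEM32. Not a BlackLight or vendor signature.
ROTATING_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\(CS|DM)[A-Z]{3}\.EXE$")


def parse_runs(log_text):
    """Split concatenated BlackLight output into runs: [(start_timestamp, {paths})]."""
    runs = []
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            runs.append((m.group(1), set()))
            continue
        m = HIDDEN_RE.match(line)
        if m and runs:
            runs[-1][1].add(m.group(1).strip().upper())
    return runs


def classify(runs):
    """Paths hidden in every run versus paths seen in only some runs."""
    counts = Counter(path for _, paths in runs for path in paths)
    persistent = sorted(p for p, c in counts.items() if c == len(runs))
    transient = sorted(p for p, c in counts.items() if c < len(runs))
    return persistent, transient


def rotating_names(runs):
    """Transient paths that fit the short random-name pattern: the re-dropped component."""
    _, transient = classify(runs)
    return [p for p in transient if ROTATING_RE.match(p)]


if __name__ == "__main__":
    runs = parse_runs(SAMPLE_LOGS)
    persistent, transient = classify(runs)
    print(f"{len(runs)} runs: {', '.join(ts for ts, _ in runs)}")
    print("persistent across all runs:", *persistent, sep="\n  ")
    print("seen in some runs only:", *transient, sep="\n  ")
    print("rotating random names:", *rotating_names(runs), sep="\n  ")
```

Run it against several saved logs concatenated into one file; the persistent list is what a manual deletion has to reach, and the rotating list is the component that a file-by-file deletion will never catch because its name is gone by the next reboot.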
-
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php...=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch.
Exit HJT as there is nothing to currently fix.
At the end of the fix, you may need to restart your computer again.
Run Ewido again.
Finally, please post the contents of the logfile C:\fixwareout\report.txt, Ewido log, along with a new HijackThis log.
-
Downloaded and ran the FixWareout. While running this the following message from WinPatrol showed up: WinPatrol New Program Alert: found C:\windows\system32\dmjbs.exe file that wanted to be added to the startup. I answered NO to the addition of this file. Then during the Ewido scan and the HiJackThis scan (and it continues while I am typing this post to you) WinPatrol displayed this message: WinPatrol New Program Alert: found C:\windows\system32\dmplw.exe wanting to be added to the startup. I answered NO to every one of the messages that came up. (lots of them)
Here are the logs you requested:
FixWareout:
Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\sbjmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSSTP.EXE
C:\WINDOWS\SYSTEM32\DMJBS.EXE
C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
C:\WINDOWS\SYSTEM32\FAVSET~1.REN
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
EWIDO log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:17:25 PM, 1/10/2006
+ Report-Checksum: 2AAB8328
+ Scan result:
[1032] VM_00B40000 -> Trojan.Pakes : Error during cleaning
C:\Recycled\Dc7\mm[1].js -> Spyware.Chitika : Cleaned with backup
::Report End
HiJackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:26:47 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Support\Spyware-Virus fix tools etc\HijackThis Spyware removal tool\hijackthis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrix.co.outagamie.wi.us/Ci...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126834989626
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (Triplet Control) - http://mirror.worldwinner.com/games/...et/triplet.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...42/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yaho...bio5_1_1_0.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
AGAIN THANK YOU FOR YOUR ASSISTANCE
-
OOPs .... forgot these notes!!!
While running Ewido - Norton antivirus alert:
C:\windows\system32\idemlog.exe.ren infected with trojan.adclicker
c:\windows\system32\howiper.exe.ren infected with trojan horse
Before running ewido:
WinPatrol Alert:
A change has been detected in your Internet "HOSTS" files. Entries in this file can be used to redirect your browser to alternate websites. Would you like to examine this file for changes?
I clicked yes and the only entries in this file were:
127.0.0.1 local host
127.0.0.1 local host
I am really not sure if there were changes made or not.
Thanx
BeHunie
-
Everything seemed to go fine. 'Local Host' should be one word - please check.
Please provide an updated Blacklight log.
Run fixwareout and Ewido in SAFE MODE and post the logs they create.
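On the HOSTS question in the last two posts: the file's syntax is one address followed by one or more whitespace-separated hostnames, so a line reading `127.0.0.1 local host` defines the aliases `local` and `host` and leaves `localhost` undefined, which is why the spelling matters. The script below is an added example, not from the thread and not WinPatrol's code. It parses a HOSTS file and flags duplicate lines, a missing `localhost` entry, other names pinned to loopback (the pattern used to block update sites), hijacks of a watch list, and any name redirected to a non-loopback address. The watch list is an assumption built from the scanner and update hosts that appear in the HijackThis O16 lines above; the sample input is constructed from the two lines the poster reported plus two hypothetical entries.

```python
import ipaddress
import sys

# Assumed watch list: scanner/update hosts taken from the HijackThis O16 lines above.
WATCH_LIST = {
    "update.microsoft.com", "security.symantec.com", "www.kaspersky.com",
    "housecall60.trendmicro.com", "download.mcafee.com",
    "support.f-secure.com", "www.bitdefender.com",
}

# Constructed sample: the two lines the poster reported, followed by two
# hypothetical entries (not from the thread) of the kind WinPatrol warns about.
SAMPLE_HOSTS = """\
# hosts file
127.0.0.1 local host
127.0.0.1 local host
127.0.0.1 security.symantec.com
192.0.2.10 www.yahoo.com
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]); '#' comments and blank lines are skipped.
    Every whitespace-separated token after the address is a separate alias."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield n, parts[0], parts[1:]


def audit_hosts(text, watch_list=WATCH_LIST):
    """Return [(line_no, category, detail)]; an empty list means nothing suspicious."""
    findings = []
    seen = set()
    has_localhost = False
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "malformed", f"not an IP address: {ip}"))
            continue
        if not names:
            findings.append((n, "malformed", f"{ip} has no hostname"))
            continue
        key = (ip, tuple(names))
        if key in seen:
            findings.append((n, "duplicate", f"repeats an earlier line: {ip} {' '.join(names)}"))
        seen.add(key)
        for name in names:
            lname = name.lower()
            if addr.is_loopback and lname == "localhost":
                has_localhost = True
            elif lname in watch_list:
                findings.append((n, "hijack", f"{name} pinned to {ip}"))
            elif addr.is_loopback:
                # '127.0.0.1 local host' lands here twice: 'local' and 'host' are two aliases
                findings.append((n, "loopback", f"{name} resolves to loopback (site blocked?)"))
            else:
                findings.append((n, "redirect", f"{name} redirected to {ip}"))
    if not has_localhost:
        findings.append((0, "missing", "no loopback line defines 'localhost'"))
    return findings


if __name__ == "__main__":
    # On Windows XP the live file is %SystemRoot%\System32\drivers\etc\hosts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for n, cat, detail in audit_hosts(text):
        print(f"line {n or '-'}: {cat}: {detail}")
```

A clean default file (`127.0.0.1 localhost` and nothing else) produces no findings; the posted pair of `local host` lines produces a duplicate, four loopback aliases and a missing-localhost report even before the hypothetical hijack and redirect lines are considered.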