This is the online scan using Kaspersky
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 22, 2006 12:27:03 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/04/2006
Kaspersky Anti-Virus database records: 189336
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics
Total number of scanned objects 46988
Number of viruses found 9
Number of infected objects 32
Number of suspicious objects 0
Duration of the scan process 00:19:41
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\9GZ97EIM\srvxwp[1].exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\PNHRYTDQ\srvrwd[1].exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\PNHRYTDQ\srvzhg[1].exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A1B1A7C.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A1E4478.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Program Files\Norton AntiVirus\Quarantine\68EE5A99.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Program Files\Norton AntiVirus\Quarantine\68F10496.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\Program Files\Warcraft III\MIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Warcraft III\MIRC\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Warcraft III\MIRC\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\Warcraft III\MIRC.rar/MIRC/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Warcraft III\MIRC.rar/MIRC/mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Warcraft III\MIRC.rar/MIRC/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Warcraft III\MIRC.rar RAR: infected - 3 skipped
C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP15\A0001351.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP15\A0001351.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP15\A0001351.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP58\A0006964.exe Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0006983.exe Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0007063.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0007065.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0007068.dll Infected: Trojan-Downloader.Win32.IstBar.ff skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0007079.dll Infected: Trojan-Downloader.Win32.IstBar.ff skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0007106.exe Infected: Trojan-Downloader.Win32.Zlob.lv skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP59\A0007478.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP60\A0007553.dll Infected: Trojan-Downloader.Win32.IstBar.ff skipped
C:\WINDOWS\system32\wintfj32.dll Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\temp\win343D.tmp.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\WINDOWS\temp\win397.tmp.exe Infected: Trojan.Win32.Dialer.oy skipped
C:\WINDOWS\temp\win3B7.tmp.exe Infected: Trojan.Win32.Dialer.oy skipped
Scan process completed.
This is the Panda scan after the Kaspersky scan
Incident Status Location
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\TEMP\win397.tmp.exe
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\dfrgsrv.exe
Adware:adware/cws Not disinfected Windows Registry
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\__delete_on_reboot__wintfj32.dll
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\temp\win343D.tmp.exe
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\temp\win397.tmp.exe
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\temp\win3B7.tmp.exe
This is the HijackThis logfile
Logfile of HijackThis v1.99.1
Scan saved at 01:08:38, on 22/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alvin\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Read over the following directions (and/or print out or create a file copy on your desktop). Ask if anything appears unclear to you.
Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat
1) Please download the Killbox.
Unzip it to the desktop and run it.
2) Select "Delete on Reboot".
3) Then Click the "All Files" button.
4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
C:\WINDOWS\SYSTEM32\dfrgsrv.exe
C:\WINDOWS\winres.dll
C:\Documents and Settings\Alvin\Cookies\alvin@statse.webtrendslive[1].txt
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\9GZ97EIM\srvlbin5[1].exe
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\K1U3S96B\wizp32[1].exe
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\NIYZXSZ3\mulbin1[1].exe
C:\WINDOWS\system32\wintfj32.dll
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\9GZ97EIM\srvxwp[1].exe
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\PNHRYTDQ\srvrwd[1].exe
C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\PNHRYTDQ\srvzhg[1].exe
C:\WINDOWS\system32\wintfj32.dll
C:\WINDOWS\temp\win343D.tmp.exe
C:\WINDOWS\temp\win397.tmp.exe
C:\WINDOWS\temp\win3B7.tmp.exe
6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next. REBOOT into SAFE MODE.
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing the 'safe mode' menu option (explained here if needed).
Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and possible malware hiding places):
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
- Temporary Internet Files
- Downloaded Program Files
- Recycle Bin
- Temporary Files
Click OK or Enter.
For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.
Locate and delete any FOLDERS named:
CONTENT.IE5 (note: IE will create BLANK replacement copies of these FOLDERS)
Also note that Kaspersky has found riskware (IRC) and infected restore points, which could become an issue under certain very limited circumstances. We will address and consider those separately.
Please REBOOT and provide fresh copies of:
EWIDO
PANDA
HijackThis log
Last edited by VopThis; 21-04-2006 at 06:14 PM. Reason: typo
I think I know what went wrong.
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
Previously the file could not be deleted, so I kept fixing it. But after the second-to-last post, which ended with a system restore, the file is no longer there.
At the moment, no win.tmp files have been created for about 1 hour of running as of my last post, and no new ones were created at startup as of this post (4-8 win.tmp files are usually created at startup).
I'm going to monitor further to see if they come back, and not run the instructions in your last post first.
Please advise. Thank you!
Last edited by piggylord; 22-04-2006 at 01:03 AM.
The files listed for fixing are malware infections duly identified by Panda and Kaspersky, and accordingly should be fixed, regardless.
I'm going to monitor further to see if they come back, and not run the instructions in your last post first.
Delete the following line in HijackThis, as well:
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)