newbie with TrojanHorse (and others?)

#1  03-01-2006, 04:54 PM
Mark H (D-A-L Newbie; Join Date: Jan 2006; Posts: 5)
newbie with TrojanHorse (and others?)

Hello, new guy here. My friend referred me, said you helped him out a lot with his problem.

AVG found Trojan horse Startpage.21.BI.
My Internet Explorer also has about:blank.
I ran:
CCleaner
Spybot Search & Destroy -- it found CoolWWWSearch, which it couldn't erase
PestPatrol -- found CWS.Homesearch, which it couldn't clean
and then HijackThis.
Here is my HijackThis log. Any help will be appreciated!!! And I will gladly donate.
Mark

Logfile of HijackThis v1.99.1
Scan saved at 10:45:39 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\croy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\DOCUME~1\Nicole\LOCALS~1\Temp\676.tmp.exe
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\appuo32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [croy.exe] C:\WINDOWS\croy.exe
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [676.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\676.tmp.exe
O4 - HKLM\..\Run: [675.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [676.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\676.tmp.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\CA\eTrust PestPatrol\core\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28b5cdad...p/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O20 - Winlogon Notify: geeda - geeda.dll (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
#2  04-01-2006, 02:37 AM
Neal (Senior Member; Join Date: Sep 2005; Posts: 5,524)
Re: newbie with TrojanHorse (and others?)

Welcome to DAL,

First thing, let's run a Trojan scanner over your system and clean out as much as possible. I would like you to run the scan from Safe Mode, as explained below:

Safe Mode: tap your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter, then run the Ewido scan. Save the log for me and post it when you come back with a new HijackThis log.


Please download, install, update and scan your system with the free version of the Ewido trojan scanner: www.ewido.net/en/download/

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.



Preparing for the rest of the fix


Go to Start > Run, type: services.msc and click OK.
Scroll down in that list and look whether the following services are present. If they are not there, then proceed with the rest of the instructions.

Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service


Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

Doubleclick on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to disabled.
Click apply and OK and close all open windows.

Do the same as above for the other services, if present.

Then:

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Network Security Service (if present) and press OK. OK any prompts, close HijackThis, and restart your computer.

Do the same for the others, if present.
All of those services could be there, or none, or maybe just one. If none are there, just skip all of the above.


If you download the Firefox browser, it should make this go a lot easier and quicker; be sure to make Firefox your default browser.

Firefox download page: www.mozilla.org/products/firefox/


Download and install Ad-Aware, uncheck "show help file" and "perform full system scan" at the end of the install routine, perform the update and close Ad-Aware. You will need it later, not yet.

Download and save to your Desktop, don't run it now, we will use it later:
http://securityresponse.symantec.com...r/FxAgentB.exe

Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates, then exit; we will use it later.


Download About:Buster from here:


http://majorgeeks.com/download4289.html


Unzip it to its own DESKTOP folder: right-click an open area on the desktop, click New, then Folder, and name the folder Aboutbuster. It is VITAL that it be unzipped.

Please open/run the program and check for updates. After you update it exit.
Do not run the actual scan/fix until instructed.


OK, after you do all of that, come back with a new HijackThis log and Firefox as your default browser; don't forget to post the log that Ewido makes also. Thanks, then we will start killing some more stuff.
__________________
Stalking and killing Spyware
Have we helped you? Please consider a donation to help keep D-A-L free.
MALWARE: READ FIRST Procedures: | SpyBot V1.5 | HijackThis Log V2.0.2 |
ASAP: promoting a high standard and quality of security support no matter where you seek help.
#3  04-01-2006, 05:35 AM
Mark H (D-A-L Newbie; Join Date: Jan 2006; Posts: 5)
Re: newbie with TrojanHorse (and others?)

Hello again! I hope I did everything correctly.

I ran Ewido and HijackThis again. I also downloaded Ad-Aware, CWShredder, About:Buster, etc.

I also looked for Network Security Service, (RPC) Helper, and Workstation NetLogon Service, according to the instructions, but didn't see them listed.

Here is my Ewido log and a new HijackThis log.
Thanks!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:18:11 PM, 1/3/2006
+ Report-Checksum: 3AD2A19

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{850CD0B8-DA33-4558-A8C8-95D7908E37A7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\xt5u8h6f.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@ehg-comcast.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@ehg-foxsports.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Nicole\Cookies\nicole@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\1.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\3.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\4.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\5.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temp\676.tmp.exe -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Nicole\Local Settings\Temporary Internet Files\Content.IE5\KTE3CDUZ\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7641B5E7-A2B5-40F1-AC74-14117D\AF2E5880-293A-4DE5-9280-71F4B5 -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL -> Spyware.MyWay : Cleaned with backup
C:\WINDOWS\croh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\croy.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\extract.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\ieaw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipfl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipfm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iPlayer.INI:mdtie -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfcet.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msbbi.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\sdkfy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkgl32.dll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkwb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addhd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appuo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlcj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crqh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieti.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\Mx0n11n3.dll -> Downloader.Rameh.a : Cleaned with backup
C:\WINDOWS\system32\sahagent1008.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\_default.pif:kdcsa -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\_default.pif:szdyh -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vbzwx -> Downloader.Agent.td : Cleaned with backup
D:\stuf to be sorted\kmd.exe/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
D:\stuf to be sorted\kmd.exe/cd_htm.dll -> Spyware.Cydoor : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 11:26:07 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [675.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28b5cdad...p/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O20 - Winlogon Notify: geeda - geeda.dll (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
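An added example, not code from this thread, from HijackThis or from any other tool named in it: the reading Neal does by eye on the two HijackThis logs above (post #1 and post #3), plus the exact-name check from post #2 for the three rogue CWS services, written as a small Python triage script. It flags R0/R1 entries that point the IE search and start pages into a res:// DLL, O4 startup entries that run an executable out of a Temp folder, O2/O20 add-ons whose file is already gone, an O2 BHO loaded from a DLL sitting directly in C:\WINDOWS, and O23 services with no publisher string. The heuristics, the function names and the section codes it chooses to look at are this example's own assumptions; the sample lines are copied verbatim from the log in post #3.

```python
r"""Triage for HijackThis 1.99 log lines.

Added example: this is not code from the thread, from HijackThis or from any
other tool named in it. It turns the checks the helper applies by eye into
code: IE search/start pages redirected into a res:// DLL (R0/R1), startup
items launched from a Temp folder (O4), add-ons whose file is already gone
(O2/O20), a BHO DLL dropped straight into C:\WINDOWS (O2), services with no
publisher string (O23), and the exact-name test for the rogue services named
in post #2. Heuristics and function names are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Display names given in post #2, matched exactly: the legitimate
# "Remote Procedure Call (RPC)" service must not be mistaken for the rogue
# "... Helper" one.
ROGUE_SERVICE_NAMES = frozenset({
    "Network Security Service (NSS)",
    "Remote Procedure Call (RPC) Helper",
    "Workstation NetLogon Service",
})


@dataclass
class Finding:
    section: str  # HijackThis section code: R1, O4, O20, ...
    reason: str   # why the line deserves a look
    line: str     # the log line as posted


def is_rogue_service(display_name: str) -> bool:
    """Exact, case-sensitive comparison after trimming whitespace."""
    return display_name.strip() in ROGUE_SERVICE_NAMES


_ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
_TEMP_PATH = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
_WINDOWS_ROOT_DLL = re.compile(r"C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis entry, else None."""
    line = line.strip()
    m = _ENTRY.match(line)
    if not m:
        return None  # header, process list or blank line
    sec, body = m.group(1), m.group(2)
    if sec in ("R0", "R1") and "res://" in body:
        return Finding(sec, "IE search/start page points into a res:// DLL", line)
    if sec == "O4" and _TEMP_PATH.search(body):
        return Finding(sec, "startup entry runs an executable from a Temp folder", line)
    if sec in ("O2", "O20") and "(file missing)" in body:
        return Finding(sec, "add-on still registered but its file is gone", line)
    if sec == "O2" and _WINDOWS_ROOT_DLL.search(body):
        return Finding(sec, "BHO loaded from a DLL dropped directly in C:\\WINDOWS", line)
    if sec == "O23" and "Unknown owner" in body:
        return Finding(sec, "service has no publisher string; verify by hand", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log, in order."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


# Lines copied from the HijackThis log in post #3 (a subset, for a quick run).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run on the sample it reports five lines: the res:// search redirect, the orphaned sdkgl32.dll BHO, the 675.tmp.exe startup entry, the missing geedc.dll Winlogon Notify, and ATI Smart. The last one is the caveat: "Unknown owner" only means the service has no publisher string, and the log alone cannot tell you whether that is malicious, which is why the script reports review flags rather than verdicts. The same goes for is_rogue_service: it answers only for the exact display names from post #2, so a near-match such as "Remote Procedure Call (RPC)" comes back False, as the post warns it should.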
#4  04-01-2006, 06:31 AM
Neal (Senior Member; Join Date: Sep 2005; Posts: 5,524)
Re: newbie with TrojanHorse (and others?)

Maybe I am missing it but did you download firefox?

Did you make it your default browser?

I see Yahoo browser but not firefox.

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|

ASAP: promoting a high standard and quality of security support no matter where you seek help.
#5 (permalink)
Old 05-01-2006, 02:40 AM
Mark H
D-A-L Newbie
Join Date: Jan 2006
Posts: 5
Re: newbie with TrojanHorse (and others?)

Hey Neal, yes I did make Firefox my default browser. Do I need to erase/uninstall Internet Explorer?

Thanks
Mark
#6 (permalink)
Old 05-01-2006, 04:02 AM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: newbie with TrojanHorse (and others?)

No, that is fine; normally Firefox will show in HijackThis. Let's proceed.


Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5


Download Clean.bat to your desktop (Save page as or Save as) for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat


Print this out or copy it into a new text document on your desktop, as you will not have internet access through the fix.


Disconnect from the internet--pull the plug or fix will fail


Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.



Run HijackThis
Click on scan and put a check on the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)

O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [675.tmp.exe] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/28b5cda...ip/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/...lim/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O20 - Winlogon Notify: geeda - geeda.dll (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)



Make sure all browser and all Windows Explorer windows are closed and click on fix checked.


Shut down all running programs, make sure that you are not connected to the internet!
Double-click the FxAgentB.exe file to start the removal tool.
Save the log it makes and post it in your next reply.
Please do NOT start any other applications until the removal tool exits and the computer is restarted.

Restart the computer back into safe mode.


Now run AboutBuster as many times as it takes to not find anything.

Now run CWShredder and click on fix


Hunt for and delete these files/folders:
If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe < file
C:\WINDOWS\system32\geedc.dll < file


Run Adaware and perform a full system scan.

Still in safe mode


Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.

Then:


Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter

Reboot

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start


Post a new HJT log for further review
Last edited by Neal; 05-01-2006 at 04:06 AM.
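The lines Neal picked out above follow a few recognisable patterns: IE start/search keys redirected to a res:// resource inside a local DLL, a BHO and Winlogon Notify hooks whose DLL is already gone, an autostart entry in a Temp directory, and an ActiveX download from a bare IP address. The script below is an added example (not HijackThis code and not part of this thread) that runs those patterns as triage rules over a constructed sample log built from entries posted in this thread; the rule set, the Finding class and the function names are my own assumptions about what a helper checks first, not HijackThis's built-in logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis logs in this thread
# (the ones marked for fixing plus a few benign ones) so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jqqhj.dll/sp.html#28129%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DE169790-8483-BF6B-344F-D83EAEB513E2} - C:\WINDOWS\sdkgl32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [675.tmp] C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section tag (R1, O4, ...)
    reason: str    # why the entry deserves a closer look
    line: str      # the log line itself

_ENTRY = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")   # "O4 - <rest>"
_URL_HOST = re.compile(r"https?://([^/\s]+)")      # host part of the O16 download URL
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_entry(line):
    """Split 'O4 - rest' into (section, rest); None for lines that are not entries."""
    m = _ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def check(section, rest, line):
    """Yield a Finding for each rule the entry trips (hypothetical rules, not HijackThis's own)."""
    if section in ("R0", "R1"):
        if "res://" in rest:
            yield Finding(section, "IE start/search setting points into a local DLL resource (res://), the classic CoolWebSearch hijack", line)
        elif rest.endswith("= about:blank"):
            yield Finding(section, "about:blank start page; harmless alone, but a known hijack symptom when res:// entries are present", line)
    elif section in ("O2", "O20"):
        if "(file missing)" in rest:
            yield Finding(section, "registry hook loads a DLL that no longer exists; orphan left by an incomplete removal, fix to stop the load attempt", line)
    elif section == "O4":
        if re.search(r"\\temp\\", rest, re.IGNORECASE):
            yield Finding(section, "autostart entry runs an executable from a Temp directory", line)
    elif section == "O16":
        m = _URL_HOST.search(rest)
        if m and _IPV4.match(m.group(1)):
            yield Finding(section, "ActiveX control downloaded from a bare IP address rather than a named vendor host", line)

def triage(log_text):
    """Run every entry of a HijackThis log through the rules; returns findings in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            findings.extend(check(parsed[0], parsed[1], line.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample the rules flag exactly the six entries Neal asked to have fixed and leave the Spybot helper, AVG, the Microsoft download and the O23 service alone; a real log will need the benign-host and known-good-DLL knowledge a helper carries in their head, which these rules do not encode.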
#7 (permalink)
Old 06-01-2006, 05:59 AM
Mark H
D-A-L Newbie
Join Date: Jan 2006
Posts: 5
Re: newbie with TrojanHorse (and others?)

Sorry for the delay.

When I ran FXAgentB.exe, it said 'BackdoorAgent B has not been found on your computer' and there was no log file(?)

Also, after running CWShredder, I looked for but could not find these files:
C:\DOCUME~1\Nicole\LOCALS~1\Temp\675.tmp.exe < file
C:\WINDOWS\system32\geedc.dll < file

Other than that, everything seemed to go smoothly.

Here is an updated HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:48 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe


Thanks!
Mark
#8 (permalink)
Old 06-01-2006, 06:27 AM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: newbie with TrojanHorse (and others?)

Beautiful, I love doing this stuff. Excellent job you did there. The CoolWebSearch infection is gone.

Let's do a couple of online scans now and see what comes up from those. Both of the online scanners will make logs of what is found (if anything); post those logs back for me to look at, please. Thanks. Again, nice job.


Internet Explorer required
Run these two online virus scanners (Panda Activescan) following these instructions below:

http://www.pandasoftware.com/products/activescan.htm


Internet Explorer required
Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html
#9 (permalink)
Old 06-01-2006, 09:38 PM
Mark H
D-A-L Newbie
Join Date: Jan 2006
Posts: 5
Re: newbie with TrojanHorse (and others?)

Hello

I ran BitDefender, and it seems to show I still have some infected files.

Here is the report and the log.
Thanks again!
Mark




BitDefender Online Scanner - Real Time Virus Report

Generated at: Fri, Jan 06, 2006 - 15:29:5

Scan Info
Scanned Files: 603765
Infected Files: 25

Virus Detected
Application.Adware.SpySheriff: 6
GenPack:Trojan.Agent.BI: 8
Adware.Wheaterbug.A: 1
Trojan.Ebates.A: 1
GenPack:Trojan.Downloader.Agent.TD: 9
BitDefender Online Scanner

Scan report generated at: Fri, Jan 06, 2006 - 15:12:07
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 01:38:52
Files: 598740
Folders: 5021
Boot Sectors: 3
Archives: 30229
Packed Files: 40656

Results
Identified Viruses: 5
Infected Files: 25
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 25

Engines Info
Virus Definitions: 250845
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008 | Detected with: Adware.Wheaterbug.A
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008 | Disinfection failed
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008 | Deleted
C:\Program Files\AIM95\aim95.exe=>wise0037 | Update failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006522.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif=>:kdcsa:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif=>:kdcsa:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif=>:kdcsa:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007521.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007522.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll | Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007529.dll | Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007529.dll | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007529.dll | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007530.dll | Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007530.dll | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007530.dll | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007531.dll | Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007531.dll | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007531.dll | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007533.dll | Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007533.dll | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007533.dll | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007535.exe | Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007535.exe | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007535.exe | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif=>:kdcsa:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif=>:kdcsa:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif=>:kdcsa:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007543.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007547.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007691.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif=>:vbzwx:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif=>:vbzwx:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif=>:vbzwx:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007693.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif=>:vbzwx:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif=>:vbzwx:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif=>:vbzwx:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007743.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007750.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif=>:vbzwx:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif=>:vbzwx:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif=>:vbzwx:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007768.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007770.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif=>:vbzwx:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif=>:vbzwx:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif=>:vbzwx:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007789.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007795.ini | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif=>:vbzwx:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif=>:vbzwx:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif=>:vbzwx:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007817.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif=>:vbzwx:$DATA | Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif=>:vbzwx:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif=>:vbzwx:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP77\A0007841.pif | Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini=>:ifpgut:$DATA | Infected with: GenPack:Trojan.Agent.BI
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini=>:ifpgut:$DATA | Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini=>:ifpgut:$DATA | Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP78\A0008932.ini | Updated
D:\unzipped\bikini8bb.exe=>wise0020 | Infected with: Trojan.Ebates.A
D:\unzipped\bikini8bb.exe=>wise0020 | Disinfection failed
D:\unzipped\bikini8bb.exe=>wise0020 | Deleted
D:\unzipped\bikini8bb.exe | Update failed

--------------------------------------
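What makes the BitDefender report above readable at a glance is where each hit lives: every "Infected with"/"Detected with" row is either inside a System Restore snapshot (the `_restore{...}\RPnn` paths), inside a packed installer (the `=>wise00nn` members), or in an NTFS alternate data stream (the `=>:name:$DATA` suffix, which is BitDefender's notation for a stream on the file), and none is an active file in the Windows or Program Files tree. The script below is an added example (not BitDefender's or this forum's code) that pairs up the scanner's flattened path/status cells, collapses each object's rows into one record with the final action taken, and tags each record by location; the sample is a constructed subset of the rows posted above, and the tag names and function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the BitDefender report posted
# above, one cell per line as the forum rendered it (blank spacer lines dropped).
# A row may also arrive as a single "path | status" line; both forms are parsed.
SAMPLE_REPORT = r"""
Scanned File
Status
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008
Detected with: Adware.Wheaterbug.A
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008
Disinfection failed
C:\Program Files\AIM95\aim95.exe=>wise0037=>wise0008
Deleted
C:\Program Files\AIM95\aim95.exe=>wise0037
Update failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA
Infected with: GenPack:Trojan.Downloader.Agent.TD
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif=>:kdcsa:$DATA
Deleted
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0006521.pif
Updated
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll
Detected with: Application.Adware.SpySheriff
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll
Disinfection failed
C:\System Volume Information\_restore{09F32897-FB6C-4D32-B152-B6AAF09332E0}\RP76\A0007528.dll
Deleted
D:\unzipped\bikini8bb.exe=>wise0020
Infected with: Trojan.Ebates.A
D:\unzipped\bikini8bb.exe=>wise0020
Disinfection failed
D:\unzipped\bikini8bb.exe=>wise0020
Deleted
D:\unzipped\bikini8bb.exe
Update failed
"""

_DETECT = re.compile(r"^(?:Detected|Infected) with: (.+)$")
_ADS = re.compile(r"=>:[^:]+:\$DATA$")                 # BitDefender's alternate-data-stream notation
_RESTORE = "\\System Volume Information\\_restore"   # System Restore snapshot store

def parse_report(text):
    """Return (path, status) rows; accepts one cell per line or 'path | status' lines."""
    cells = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " | " in line:
            cells.extend(p.strip() for p in line.split(" | ", 1))
        else:
            cells.append(line)
    if cells[:2] == ["Scanned File", "Status"]:
        del cells[:2]
    if len(cells) % 2:
        raise ValueError("unpaired cell: expected alternating path/status rows")
    return list(zip(cells[0::2], cells[1::2]))

def classify(path):
    """Location tags (hypothetical scheme): snapshot, archive member, NTFS stream, or a live file."""
    tags = []
    if _RESTORE in path:
        tags.append("restore point")
    if _ADS.search(path):
        tags.append("alternate data stream")
    elif "=>" in path:
        tags.append("archive member")
    return tags or ["live file"]

def detections(rows):
    """One record per detected object, carrying the last action BitDefender reported for it."""
    records = {}
    for path, status in rows:
        m = _DETECT.match(status)
        if m:
            records[path] = {"path": path, "threat": m.group(1), "where": classify(path), "outcome": "none"}
        elif path in records and status in ("Deleted", "Disinfected"):
            records[path]["outcome"] = status
    return list(records.values())

def summarize(records):
    """Detections per location tag; the 'live file' count is what matters for the running system."""
    counts = Counter(tag for r in records for tag in r["where"])
    counts.setdefault("live file", 0)
    return dict(counts)

def live_hits(records):
    """Records that were not in a snapshot, archive or stream, i.e. active files on disk."""
    return [r for r in records if "live file" in r["where"]]

if __name__ == "__main__":
    recs = detections(parse_report(SAMPLE_REPORT))
    for r in recs:
        print(f'{r["threat"]:38} {", ".join(r["where"]):38} {r["outcome"]}')
    print(summarize(recs))
    print("live infections:", len(live_hits(recs)))
```

On the sample every detection ends in "Deleted" and `live_hits` comes back empty, which is the mechanical version of Neal's reading of the full report in the next post: the scanner cleaned what it found, and what it found was sitting in restore points and old installer packages rather than in files the running system loads.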
#10 (permalink)
Old 06-01-2006, 11:16 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: newbie with TrojanHorse (and others?)

BD got everything it found, but it did detect SpySheriff, so look in Add/Remove Programs and see if it is in there, and remove it if it is.


You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.



If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.




Next, run Ad-aware and perform a full scan. Remove everything found.



Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.