HiJackThis LOG HELP Please!! (RESOLVED)

#1 (permalink)
short_stop4, D-A-L Newbie, Join Date: May 2006, Posts: 9
06-05-2006, 11:55 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:53:28 PM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Common Files\AOL\1145054098\ee\AOLSoftware.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://valdosta.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145054098\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tec...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...sa/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I AM GETTING AN "Explorer User Prompt Script Prompt" WHEN I LOG ON TO MY FAVORITE SITE. IT'S BOARDS.ATLANTAFALCONS.COM. ANY HELP IS APPRECIATED.

#2 (permalink)
short_stop4, D-A-L Newbie, Join Date: May 2006, Posts: 9
07-05-2006, 08:03 PM

It's also keeping me from logging in on many different websites for some reason. The virus/trojan is killin me..

#3 (permalink)
VopThis, Senior Member (Canada), Join Date: Nov 2005, Posts: 3,439
07-05-2006, 08:53 PM

Is there anything that is different on your system recently? Did you change any settings in AOL recently?

Please provide several examples of URLs that you cannot browse to. What specific error messages are you getting, if any? Is the result always the same?




Please download, install, update and scan your system with the free (trial) version of Ewido TROJAN scanner
[Developed for Windows 2000 and XP]:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
Quote:
Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days. We are not installing the guard because it might interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

REBOOT.




Please do an online scan (scan only tool) with Kaspersky WebScanner



[Internet Explorer required]
Go to Kaspersky website: www.kaspersky.com/virusscanner and click on the Kaspersky Online Scanner BUTTON/BOX.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      - Extended (if available otherwise Standard)
    • Scan Options:
      - Scan Archives
      - Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).

Last edited by VopThis; 07-05-2006 at 09:01 PM.

#4 (permalink)
short_stop4, D-A-L Newbie, Join Date: May 2006, Posts: 9
07-05-2006, 10:34 PM

The web site that I got the virus from is the message boards from AtlantaFalcons.com. The web address is boards.atlantafalcons.com. Somehow they got a virus on the boards, and sometimes when I get on the boards, something pops up that says, "Explorer User Prompt." It also says in the box, "Script Prompt." This thing pops up in the top left corner of my computer like a login/password screen, with alien jargon on it. First, something downloads from the message boards and opens a file in photoviewer called "xpladv428." It just says file not found or something in photo viewer. I don't know what to do about it, but it seems to have infected my computer where it automatically times me out of logins to yahoo.com, and my school web site for email and academic inquiries. In my school page, it says my session has timed out right when I log in, and on yahoo, it constantly reloads the login page when I try to login. I can login 50 times, and it keeps on the same cycle. I wanna see what you guys think before I take it to a dang tech shop.. Thanks guys..

DW

There were 77 infected files in the following report..

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:27:38 PM, 5/7/2006
+ Report-Checksum: 819BD48

+ Scan result:

C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@bfast[1].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@cartoonnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@cbs.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-bizjournals.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-cbsradio.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-corusentertainment.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-espn.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-ignitemedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-knightridder.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-pizzahut.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@ehg-viacom.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@stpetersburgtimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@stubhub.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@ehg-espn.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temp\Cookies\daniel woodson@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temporary Internet Files\Content.IE5\90FY7Z5Z\xpladv428[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Local Settings\Temporary Internet Files\Content.IE5\HK58BQXM\bag[1].htm -> Not-A-Virus.Exploit.JS.CVE20051790.j : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup


::Report End

#5 (permalink)
VopThis, Senior Member (Canada), Join Date: Nov 2005, Posts: 3,439
07-05-2006, 11:32 PM

By continuing to go to the boards.atlantafalcons.com site this is (part of?) the contaminated content that is and may continue to be transmitted to your PC:

C:\Documents and Settings\Daniel Woodson\Local Settings\Temporary Internet Files\Content.IE5\90FY7Z5Z\xpladv428[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup




Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter



You should also run the Kaspersky scan that was requested in my last post.

#6 (permalink)
short_stop4, D-A-L Newbie, Join Date: May 2006, Posts: 9
08-05-2006, 01:03 AM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, May 07, 2006 8:02:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/05/2006
Kaspersky Anti-Virus database records: 192315
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 46642
Number of viruses found: 10
Number of infected objects: 34
Number of suspicious objects: 1
Duration of the scan process: 00:49:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Daniel Woodson\My Documents\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\Daniel Woodson\My Documents\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Norton AntiVirus\Quarantine\02A712F2 Infected: Trojan-Downloader.JS.IstBar.m skipped
C:\Program Files\Norton AntiVirus\Quarantine\20B37C5B Infected: not-a-virus:AdWare.Win32.WinAD.aw skipped
C:\Program Files\Norton AntiVirus\Quarantine\20B72658 Infected: not-a-virus:AdWare.Win32.WinAD.aw skipped
C:\Program Files\Norton AntiVirus\Quarantine\2FF7487B/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\2FF7487B/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\2FF7487B/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\2FF7487B ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\2FF7487B CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3F89234E Infected: Trojan-Downloader.JS.IstBar.m skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E930306.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E930306.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E930306.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E930306.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E930306.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip/Counter.class Infected: Trojan.Java.Femad skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip/web.exe Infected: Trojan.Win32.LowZones.cp skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip/Worker.class Infected: Trojan.Java.Femad skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip ZIP: infected - 5 skipped
C:\Program Files\Norton AntiVirus\Quarantine\658802CB.zip CryptFF: infected - 5 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6BBB3582.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\6CA93407 Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\Norton AntiVirus\Quarantine\73703789 Infected: Trojan-Downloader.JS.IstBar.m skipped
C:\Program Files\Norton AntiVirus\Quarantine\75931775 Infected: Trojan-Downloader.JS.IstBar.m skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7A9C6443 Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\7FF4600F Infected: Trojan.Java.ClassLoader.ak skipped

Scan process completed.
  #7 (permalink)  
Old 08-05-2006, 02:41 AM
Senior Member (Canada)
 
Join Date: Nov 2005
Posts: 3,439
VopThis is a D-A-L Rockstar!
Re: HiJackThis LOG HELP Please!!

KASPERSKY shows the following issues:

Most items are in NAV quarantine - clean that area out periodically.
MIRC is riskware - because it can create serious risk depending upon how it is used.
Many infections appear to be Java Based infections.

You need to empty the cache in your Java Plugins control panel or remove the jar cache:

  • From the Start button, click Settings > Control Panel
    (Note: It may be necessary to select the "Switch to Classic View" option.)
  • In the Control Panel, open the "Java Plug-in Control Panel"
  • Select the Cache Tab
  • Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

Or

Start > Settings > Control panel > Java Plugin [version number] > Choose Cache and click remove JAR Cache.

Update your Java.

Older versions have vulnerabilities that malware can use and is using to infect systems.

Please follow these steps to remove older version Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.

Download the latest version of Java Runtime Environment, and install it to your computer.

Verify that Ewido now runs clean.

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).
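The triage in the reply above (most detections sit in the NAV quarantine, many are Java-based) can be checked mechanically against the scan log. This is an added example, not part of the thread: it assumes the one-detection-per-line layout of the log posted here and the Behaviour.Platform.Name form of the detection names, and the last sample line is constructed to show a hit outside quarantine.

```python
import re
from collections import Counter

# First six lines are copied from the scan log in this thread; the last line
# is constructed (hypothetical path) to show a detection outside quarantine.
SAMPLE_LOG = r"""
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7625709B.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6BBB3582.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\73703789 Infected: Trojan-Downloader.JS.IstBar.m skipped
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\constructed.jar/Demo.class Infected: Trojan.Java.ClassLoader.ak skipped
"""

DETECTION = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<name>\S+) (?P<action>\w+)$"
)

def parse_scan_log(text):
    """Return one record per detection, ignoring per-archive roll-up lines."""
    findings = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # blank line, or a "ZIP:" / "CryptFF:" archive summary
        # The scanner writes archive members as <archive>/<member>.
        container, _, member = m["path"].partition("/")
        parts = m["name"].split(".")
        findings.append({
            "container": container,
            "member": member or None,
            "status": m["status"],
            "name": m["name"],
            "platform": parts[1] if len(parts) > 1 else "unknown",
            "quarantined": "\\quarantine\\" in container.lower(),
        })
    return findings

def summarize(findings):
    """Count detections by platform and separate quarantined from live files."""
    live = [f for f in findings if not f["quarantined"]]
    return {
        "total": len(findings),
        "by_platform": Counter(f["platform"] for f in findings),
        "in_quarantine": len(findings) - len(live),
        "live_paths": sorted({f["container"] for f in live}),
    }

if __name__ == "__main__":
    print(summarize(parse_scan_log(SAMPLE_LOG)))
```

Skipping the "ZIP:" and "CryptFF:" lines matters because they repeat the per-member detections of the same archive and would otherwise inflate the count.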
  #8 (permalink)  
Old 08-05-2006, 03:19 AM
Newbie
D-A-L Newbie
 
Join Date: May 2006
Posts: 9
short_stop4 Is a beginner here at D-A-L
Re: HiJackThis LOG HELP Please!!

Hey, alright I uninstalled my Java and then installed the newest Java software from the site you gave me. Now, when I am clearing the Cache.. I am trying to make sure I do it right. Under the Java control panel, there are five tabs: General, Update, Java, Security, and Advanced. Under General, I hit (Under Temp Internet Files) the Delete Files, and I deleted all of them. Then I went to Settings, and hit delete files again. When I hit VIEW APPLETS, it went to a "cache viewer" and it was empty. Is that how it's done?

I am re-running ewido right now, and I hope it takes care of this Java trojan/virus mess. I tried blocking the site that the bad file is downloaded from "traffbest.biz" but somehow it's still leaking through. I'll try it again after I run ewido, and see if it's still there. Thanks for all the help BTW..
  #9 (permalink)  
Old 08-05-2006, 03:47 AM
Newbie
D-A-L Newbie
 
Join Date: May 2006
Posts: 9
short_stop4 Is a beginner here at D-A-L
Re: HiJackThis LOG HELP Please!!

2nd Ewido Scan..

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:46:34 PM, 5/7/2006
+ Report-Checksum: 9F249EAA

+ Scan result:

C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Daniel Woodson\Cookies\daniel woodson@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup


::Report End
  #10 (permalink)  
Old 08-05-2006, 03:50 AM
Newbie
D-A-L Newbie
 
Join Date: May 2006
Posts: 9
short_stop4 Is a beginner here at D-A-L
Re: HiJackThis LOG HELP Please!!

Am I good now? I think my computer was disallowing sign-ins because I increased internet security. It was blocking the cookies needed for a login. Other than that.. it looks as if I am okay now right?