Trojan Horse Downloader.Generic3.QAA

hulluk
2007-02-19, 17:39
Hello,
My wife recently opened a bogus e-card on Valentine's Day... The first problem was that Firefox stopped working and other programs had errors. We ran a virus scanner and noticed it was infected with Downloader.Generic3.QAA. AVG 7.5 seems unable to get rid of it. As I work, I keep getting pop-ups from AVG with different versions of Generic3. I've run the Panda and Spybot scans and hope you may be able to help. Here they are:


HIJACK THIS:
Logfile of HijackThis v1.99.1
Scan saved at 15:27:15, on 19/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\PROGRA~1\NETGEAR\MEDIAS~1\ImmsService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\cahoot webcard\CahootWebcard.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\NETGEAR\Media Server\MediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NETGEAR\Media Server\RestartApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\AntiSpyWare\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.karoo.co.uk/searchpage.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O1 - Hosts: x.X.X.X email
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: OrbiscomROTBho2 Class - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\System32\SlimBho2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: UK_Radio toolbar - {734412b0-5dd6-42be-8287-28889a9ae49e} - C:\Program Files\UK_Radio\tbUK_1.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [CahootWebcard] C:\Program Files\cahoot webcard\CahootWebcard.exe /dontopenmycards
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [Eraser] C:\PROGRA~1\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NETGEAR Media Server.lnk = C:\Program Files\NETGEAR\Media Server\MediaServer.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O15 - Trusted IP range: http://62.189.49.123
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B0E9721-A8F1-4233-8785-39D070316141} - http://www.cyclopsuk.co.uk/install.cab
O16 - DPF: {A72B8CD1-7B63-4B08-8B40-F4B81DD0A7E7} (MTWebClient Class) - https://transfer.southerngraphicsystems.com/DOWNLOADS/WEBCLIENT.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mcg-graphics.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup141.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{734B9ACB-26CA-481A-A8D7-05A709C09DFE}: NameServer = 192.168.1.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Integrated Multimedia Server - Unknown owner - C:\PROGRA~1\NETGEAR\MEDIAS~1\ImmsService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

hulluk
2007-02-19, 17:40
Next Part:

_____________________________________________

PANDA ONLINE


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\kaz\Application Data\Mozilla\Firefox\Profiles\kam0juft.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@atdmt[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@hg1.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@hitbox[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@tribalfusion[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@valueclick[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\kaz\Cookies\kaz@www3.addfreestats[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.maxserving.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.qksrv.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.qksrv.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.burstnet.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.bfast.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.adtech.de/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.adrevolver.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.adviva.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.anm.co.uk/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.spylog.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[statse.webtrendslive.com/S144691]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[server.iad.liveperson.net/hc/90100850]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.gostats.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.xiti.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.tradedoubler.com/]

hulluk
2007-02-19, 17:41
THIRD PART

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.hitbox.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.apmebf.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.hg1.hitbox.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\petern\Application Data\Mozilla\Firefox\Profiles\xajbhugu.Default User\cookies.txt[.com.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\petern\Cookies\petern@adrevolver[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\petern\Cookies\petern@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\petern\Cookies\petern@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\petern\Cookies\petern@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\petern\Cookies\petern@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\petern\Cookies\petern@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\petern\Cookies\petern@doubleclick[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\petern\Cookies\petern@linksynergy[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\petern\Cookies\petern@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\petern\Cookies\petern@overture[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\petern\Cookies\petern@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\petern\Cookies\petern@serving-sys[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\petern\Cookies\petern@statse.webtrendslive[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\petern\Cookies\petern@tribalfusion[1].txt
Virus:Trj/Agent.EEX Disinfected C:\Documents and Settings\petern\Local Settings\Temporary Internet Files\Content.IE5\D90LMSUQ\aup[1].exe
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\petern\Local Settings\Temporary Internet Files\Content.IE5\LIZ3F0FT\channels_02[1].gif
Hacktool:Hacktool/Dialupass.D Not disinfected C:\Installers\Dial Up Password for Dad\dialupass2.zip[dialupass.exe]
Hacktool:HackTool Program.VA Not disinfected C:\Program Files\Copy of PocoMail3\Mail\keep me!.mbx[adult_check_gold_key_generator.zip][Adult Check Gold Key Generator/wwwhack.exe]
Hacktool:HackTool Program.VA Not disinfected C:\Program Files\Copy of PocoMail3\Mail\keep me!.~mbx[adult_check_gold_key_generator.zip][Adult Check Gold Key Generator/wwwhack.exe]
Hacktool:Exploit/iFrame Not disinfected C:\Program Files\Copy of PocoMail3\Mail\Spam.~mbx[~0000173.~]
Virus:Trj/Citifraud.A Disinfected C:\Program Files\Copy of PocoMail3\Mail\Spam.~mbx[~0000435.~]
Virus:Trj/Citifraud.A Disinfected C:\Program Files\Copy of PocoMail3\Mail\Spam.~mbx[~0000437.~]
Hacktool:Exploit/iFrame Not disinfected C:\Program Files\Copy of PocoMail3\Mail\Trash.mbx[~0000243.~]
Virus:Trj/Citifraud.A Disinfected C:\Program Files\Copy of PocoMail3\Mail\Trash.mbx[~0000353.~]
Virus:Trj/Citifraud.A Disinfected C:\Program Files\Copy of PocoMail3\Mail\Trash.mbx[~0000355.~]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Internet Explorer\msimg32.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar[contents.rdf]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar[menu.xul]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar[toolbarembed.html]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.manifest
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3BROVLY.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL

hulluk
2007-02-19, 17:41
4th PART

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3SHLLVW.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR[contents.rdf]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR[menu.xul]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR[toolbarembed.html]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3IDLE.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3MSG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
Virus:Trj/Agent.EEX Disinfected C:\WINDOWS\aup.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\system32\f3PSSavr.scr
Virus:Trj/Cimuz.DD Disinfected C:\WINDOWS\system32\ws25.exe
Thanks
Steve

pskelley
2007-02-24, 13:21
Welcome to the forum. Have you resolved your issues? If you still need help, please do this for starters.

1) Tell me if you know this item: O3 - Toolbar: UK_Radio toolbar - {734412b0-5dd6-42be-8287-28889a9ae49e} - C:\Program Files\UK_Radio\tbUK_1.dll

2) You are storing a load of junk, especially cookies. Use this information and delete what you don't need.

* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer.
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button.
Next to it, click the "Delete Files" button.
When prompted, place a check in "Delete all offline content", then click OK.

* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle Bin: Go to Start > Run, type: cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

3) Follow the instructions in this link; make sure you delete or at least quarantine anything located, and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
Make sure to follow the instructions in the numbered order so all of those cookies will not have to be cleaned during the scan. Restart the computer and post the scan results, a new HJT log and any comments you think will help. Describe any problems at that point, especially error messages, "word for word".

Thanks

tashi
2007-03-02, 08:46
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.