View Full Version : Please help! Browser hijack problem(s)
davejellyfish
2007-03-13, 23:36
My friend has a browser hijack problem - Google search results take him to shopping sites (monster marketplace). I wiped the HDD & installed this computer from scratch 6 months ago and amongst other things installed AVG free version & trial version of Webroot Spy Sweeper. He has recently installed free AVG spyware scanner. I think his problems stem from (unadvisedly) installing several 'free' registry/system 'cleaners'.
I looked at his computer last week as it was taking an age to start up, popping up alerts about missing DLLs (gmnukvf.dll for one). I installed & ran Spybot S&D for him removing any spyware found last week and manually removed UltimateDefender (UltimateCleaner?) from NTFS & registry which would not uninstall from add/remove programs (surprisingly enough). I installed latest free ZoneAlarm at same time. I then downloaded & installed BHODemon and managed to disable mswerqwd.dll. However, he's still experiencing the browser hijack so I got him to download the HijackThis app. Having looked at the scan it seems that things are still not right so could you look at it for me. If you think a keylogger is involved could you let me know ASAP as he is disabled and uses his computer for Internet banking (Thanks)
I didn't think to run an online scan at the time I was there but have asked him to do so now.
Here is the log from the scan:
Logfile of HijackThis v1.99.1
Scan saved at 12:06:54 PM, on 13/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\administrator\Local Settings\Temp\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {268c8cb6-1dd2-11b2-a6e8-efdf6e992d54} - (no file)
O2 - BHO: (no name) - {5f9f9582-1dd2-11b2-b5e2-dc2bd5af6d78} - (no file)
O2 - BHO: (no name) - {f2b5cc62-1dd1-11b2-adb8-e48c5f8e4ed0} - C:\WINNT\system32\mswerqwd.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: .protected
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: .protected
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20fd6543a85beac4b721/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi davejellyfish
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
Post:
- a fresh HijackThis log
- fixwareout report
- smitfraudfix report
davejellyfish
2007-03-14, 15:33
Here's SmitFraudFix scan log:
SmitFraudFix v2.148
Scan done at 12:18:59.50, Wed 14/03/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT
C:\WINNT\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\administrator
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\administrator\Application
Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"
[HKEY_CLASSES_ROOT\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kddlq.exe"
kddlq.exe detected !
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
davejellyfish
2007-03-14, 15:38
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kddlq.exe"
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for
further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
C:\WINNT\Temp\kddlq.ren 63486 19/06/03
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\"
/startintray"
"AtiPTA"="Atiptaxx.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch
USB\\Dragdiag.exe\" /icon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Tweak UI"="\"RUNDLL32.EXE\" TWEAKUI.CPL,TweakMeUp"
"Zone Labs Client"="\"C:\\Program Files\\Zone
Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\"
--force_start_minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
davejellyfish
2007-03-14, 15:47
My friend ran SmitFraudFix scanner again instead of hijackthis after Fixwareout, but as kddlq.exe is no longer being detected I thought i'd submit it as well (edited for brevity). Getting him to re-run hijackthis + will post when I recieve it.
SmitFraudFix v2.148
Scan done at 12:54:55.45, Wed 14/03/2007
Run from C:\Documents and Settings\administrator\Desktop\SmitfraudFix
/* edited by me for brevity - same as previous on except for folowing section: Winlogon.System */
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hi
Ok, after that I'll give you instructions how to continue :)
davejellyfish
2007-03-15, 15:07
Hi,
Sorry for the delay, here's the latest hijackthis scan log:
Logfile of HijackThis v1.99.1
Scan saved at 12:29:28 PM, on 15/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\administrator\Local Settings\Temp\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {268c8cb6-1dd2-11b2-a6e8-efdf6e992d54} - (no file)
O2 - BHO: (no name) - {5f9f9582-1dd2-11b2-b5e2-dc2bd5af6d78} - (no file)
O2 - BHO: (no name) - {f2b5cc62-1dd1-11b2-adb8-e48c5f8e4ed0} - C:\WINNT\system32\mswerqwd.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: .protected
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: .protected
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20fd6543a85beac4b721/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {268c8cb6-1dd2-11b2-a6e8-efdf6e992d54} - (no file)
O2 - BHO: (no name) - {5f9f9582-1dd2-11b2-b5e2-dc2bd5af6d78} - (no file)
O2 - BHO: (no name) - {f2b5cc62-1dd1-11b2-adb8-e48c5f8e4ed0} - C:\WINNT\system32\mswerqwd.dll (disabled by BHODemon)
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20fd6543...p/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
Close all windows including browser and press fix checked.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Update AVG anti-spyware, don't scan yet.
______________________________
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
______________________________
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Delete if present:
C:\WINNT\system32\mswerqwd.dll
Empty Recycle Bin
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.
For Internet Explorer 7
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.
For Internet Explorer 4.x - 6.x
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.
For Netscape 4.x and Up
Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.
For Opera
Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________
Re-run fixwareout
Please post:
fixwareout report
c:\rapport.txt
AVG Anti-Spyware log
A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
davejellyfish
2007-03-19, 22:00
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ “system”=””
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL’S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“AVG7_CC”=”\”C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\” /STARTUP”
“SpySweeper”=”\”C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\” /startintray”
“AtiPTA”=”Atiptaxx.exe”
“SpeedTouch USB Diagnostics”=”\”C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\” /icon”
“QuickTime Task”=”\”C:\\Program Files\\QuickTime\\qttask.exe\” -atboottime”
“Tweak UI”=”\”RUNDLL32.EXE\” TWEAKUI.CPL,TweakMeUp”
“Zone Labs Client”=”\”C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\””
“svsnenql.exe”=”C:\\WINNT\\system32\\svsnenql.exe”
“PSC main”=”C:\\WINNT\\system32\\sttool32.exe” [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BitTorrent”=”\”C:\\Program Files\\BitTorrent\\bittorrent.exe\” --force_start_minimized”
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
davejellyfish
2007-03-19, 22:01
IN safe mode wouldn't load registry clean (even though is says registry cleaning done):
SmitFraudFix v2.150
Scan done at 14:47:34.13, Mon 19/03/2007
Run from C:\Temp\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“system”=””
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
davejellyfish
2007-03-19, 22:04
Created at: 4:02:21 PM 19/03/2007
Scan result:
C:\\WINNT\\system32\\enkgnewh\\enkgnewh2.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\\WINNT\\system32\\enkgnewh\\enkgnewh3.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\\WINNT\\system32\\fadmmhgd\\fadmmhgd1.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\\WINNT\\system32\\fadmmhgd\\fadmmhgd2.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\\WINNT\\system32\\fadmmhgd\\fadmmhgd3.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\\WINNT\\system32\\tmpwisc1.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
mozilla.35:C:\\Documents and Settings\\administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\o3bye71h.default\\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\\Documents and Settings\\administrator\\Cookies\\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\\Documents and Settings\\administrator\\Cookies\\administrator@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
mozilla.43:C:\\Documents and Settings\\administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\o3bye71h.default\\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
mozilla.13:C:\\Documents and Settings\\dave\\Application Data\\Mozilla\\Firefox\\Profiles\\7l26yuv5.default\\cookies.txt -> TrackingCookie.Real : Cleaned.
C:\\Documents and Settings\\administrator\\Cookies\\administrator@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\\Documents and Settings\\administrator\\Cookies\\administrator@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
Report end
davejellyfish
2007-03-19, 22:05
Logfile of HijackThis v1.99.1
Scan saved at 5:56:41 PM, on 19/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\svsnenql.exe
C:\WINNT\system32\sttool32.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] “C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” /STARTUP
O4 - HKLM\..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe” /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM\..\Run: [Tweak UI] “RUNDLL32.EXE” TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM\..\Run: [svsnenql.exe] C:\WINNT\system32\svsnenql.exe
O4 - HKLM\..\Run: [PSC main] C:\WINNT\system32\sttool32.exe
O4 - HKCU\..\Run: [BitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” · force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
davejellyfish
2007-03-19, 22:29
Apologies for delay in running these but was away for weekend and could only get round to my friends today as he didn't feel upto doing it himself. As noted earlier, SmitFraudFix wouldn't load registry cleaner in SafeMode but did so when run again later in normal mode.
He also ran Spybot S & D after I'd left and got lots of zlob errors that it couldn't fix permanently... presumably (from hijackthi log) DNS is still hijacked?
SmitFraudFix v2.148
Scan done at 17:48:39.25, Mon 19/03/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\administrator
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\administrator\Application
Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=””
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“system”=””
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hi
Open HijackThis, click do a system scan only and checkmark this:
O4 - HKLM\..\Run: [svsnenql.exe] C:\WINNT\system32\svsnenql.exe
O4 - HKLM\..\Run: [PSC main] C:\WINNT\system32\sttool32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
Close all windows including browser and press fix checked.
Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
Reboot
Delete these:
C:\WINNT\system32\svsnenql.exe
C:\WINNT\system32\sttool32.exe
Post a fresh HijackThis log.
davejellyfish
2007-03-20, 15:54
Hi
latest instructions implemented but looks like DNS is still hijacked
Logfile of HijackThis v1.99.1
Scan saved at 1:34:13 PM, on 20/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Do as instructed above but before that disconnect from internet (unplug network cable or shutdown modem)
Post a fresh HijackThis log
davejellyfish
2007-03-20, 21:34
Hi, here's latest
Logfile of HijackThis v1.99.1
Scan saved at 6:28:19 PM, on 20/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Now it looks better :)
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Post:
- a fresh HijackThis log
- kaspersky report
davejellyfish
2007-03-21, 17:16
Still more than a few problems, he has:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 21, 2007 2:36:56 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build
2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/03/2007
Kaspersky Anti-Virus database records: 283838
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 35078
Number of viruses found: 3
Number of infected objects: 32
Number of suspicious objects: 2
Duration of the scan process: 01:09:24
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\administrator\Application Data\BitTorrent\bittorrent.log Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Webroot\Spy Sweeper\Logs\070319201028.ses Object is locked skipped
C:\Documents and Settings\administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01 PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0244DDD9-28A5-4224-865E-2A1950847F5B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0550D6CF-C5A1-465A-8E8B-F932F251417D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS056D23F6-268B-456B-9EE3-033C336DC2FD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0586E959-215F-48F3-AF87-610060DF65F4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0812A478-919E-440F-9FDD-03A5A3B18A60.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS086F5565-23BC-49BB-96D7-FFDE17BC9E38.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0A1BBEC0-EC32-4556-9927-D49088E1234F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B419829-B751-4E93-8146-A954F1BE2CEA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B77B793-46BB-48ED-AF83-78472342A9F5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0CDD5B2B-E68B-456A-836F-FEE2F71DF580.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0DC259CE-CA51-4609-9267-874A6A1502F6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0E55E3D9-C058-4A69-A600-237B9A087EFF.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS115E5C3B-27A0-4859-B2C6-B57A0547D10A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS11D00C29-9545-45EB-8A5B-4454DAC1AD59.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS13197D94-7336-446A-B10F-4E8126616D14.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS14DD848F-64DE-43BD-B19B-9FEB3E0D3C6F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS16E87CA9-CDB2-49E3-A8EE-D7251B0A9D41.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS1C7C1138-90AF-4969-9D24-3913BEC4D1E4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS1C9590F2-2746-4761-8967-590D2909E6CD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS1F767EEE-85F6-4271-9088-ECC6A593EA6C.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS21F50AB5-1B5D-4672-8CBB-F506E126B99B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS2569E943-93B6-4B5B-8BD1-C694C58E5577.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS26CF248B-5D60-4B64-8FBC-92D2302185A4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS28B0877D-25B0-4777-B980-10D45F1E174F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS294907CA-7D59-40A7-8FEB-4742D2E0DCBB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B9725E1-FC59-42EF-8620-CDEB9CBB8D43.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS2D167947-0005-4A1F-A82C-6A42D0E0253B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS2DB75BC2-C3D8-4CAA-81E2-C0340550FE94.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS305DFD22-8E42-463E-99A8-9AE97D622358.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS37FA9DFE-1F62-47DF-9720-B09B9C608A05.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS3965BB49-B3F2-4670-9697-6F57C30C1772.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS3EB78C77-3AB1-4916-8725-5DED94A5D353.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS3EECFD7A-2B8F-4A18-8FEA-C1E7CE48DD31.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS40B8342F-7597-4D2A-9F79-3ACA89BE6B55.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS4145F435-7B04-4D33-9C04-2D07FFD388AC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS43261391-9527-40F6-BFB6-6087EAE4D1F4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS46ABEB2F-A19F-45D2-89AB-6CD9C40ED02F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C40AEDD-1BF5-4E5D-8E1A-EC9EC3B0D03A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D45B53F-5095-436A-87BF-603848F83AC4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D78E5D9-1CDD-41B7-AD40-2850928A881B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS51CF12FD-1247-46E5-9CB3-119986327FE4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS52AF508D-CF9C-4B3F-BFB3-751DBAB87516.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS5308AB06-29E3-4272-8FF9-531869B5FC1E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS549E5AFA-9CDD-4B4D-8162-81E5F5572FD4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS5E48B4E6-8E61-4FEE-B977-E33649AA91D2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS5FEC20E3-34D4-412E-98E1-C0C73173AFF8.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS645500D8-8E85-4D81-81C0-EB4301154340.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS64733454-8190-46F2-A021-A9FAC05E83D4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS64B3DC05-E10C-421F-9442-C7A4F743FA9C.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS65C8EEE9-83B3-4C7E-9148-1506BD33DF0C.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS680C7574-ED31-4BF2-BFFC-18B5E55DFD6B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS697704CC-9A33-4E13-A882-3E1C27E06812.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6A9DD0DA-977D-4984-B516-1F6DD024D481.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6BEB79C8-ECB0-4093-B550-5201791F2820.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6D9EB912-CA10-4A6B-AD68-37403313CCD4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6EF7C644-531D-4BC5-B7B0-7D304B371479.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS71B86AE6-27A9-4FC9-BEF7-1581C49CD1DE.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS736C5B21-FA47-4ABD-8AB4-B3FB3867F63D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS73A17320-3EFE-4A34-B629-A2C23A346E43.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS746CFC02-A2F5-4A7E-A01C-738CB9669D2A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS7482DD70-51BF-4A45-81B0-73E17235F1D6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS755A5AB9-D612-4FC6-AA07-845D9AC2869B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS77CE7F0A-86B8-4EBD-BC44-EB10411280AD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS7842CE43-5F2E-4E05-A5C2-3E4D9CA6999E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS78D5F439-0F5E-4F93-8152-49F40F90CAFF.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS7AA9850F-A1DC-4A49-B180-89846908556D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS7B5346D7-1094-41EB-8A4B-D6FEF12D4116.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy weeper\Temp\SSCS7B953EE6-B5EB-4304-BA63-4A8D4F7033CD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS7D9A0696-61A0-4F8B-A33D-4EF45E0847EE.tmp Object is locked skipped
davejellyfish
2007-03-21, 17:18
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E0A6038-7196-4C37-A97F-A83976A951C9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS82997D1D-A98A-4523-9D4F-1664228ABFA2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS8511D90F-9AAB-4901-A32D-BE9F661AD87F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS85BF0F09-4D5A-4B18-87D0-F47BB3620881.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS86A5B413-3E11-48CB-A70E-F0FAB0B774F3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS89AE7673-6F6F-4A14-BCD4-F61F945A5A70.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS8D944C86-1C5E-41C6-8858-38D3DC51E8A4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS8DD5C097-AA84-4EFD-AC12-B8C9C5ED498B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS90F73E9D-C26B-4E95-B378-D4BFAACA43DA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS9167E977-20A4-4520-9F36-64A4E87F6D32.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS917C545A-7612-4D57-A8E6-C2BCDBD4D1A0.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS930D2139-FA5C-4D0A-9F0A-7CAA56A409D8.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS98D2418C-A0BE-4C1A-BC66-980A269F0BEA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS9A4F33D1-E292-4D2D-AC5B-A6EFCAC4546F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS9B7CDD70-5E82-4822-B2C6-8FB58581CDA9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS9B8A0C7D-EE17-4B89-AFD4-880DDEC1C7DB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS9C887BF5-14A6-4E66-B8DC-0154A7A2AB16.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS9D982E10-6209-4623-A51D-3E5E7C859E10.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA04F4728-8675-424A-B341-5C15461EF5F2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA4EFAD4C-2C58-4B94-B122-9429C1D97EC7.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA79F741A-B786-4206-A268-1EF476FA8357.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA8D2982E-8B8F-4E30-887E-A170EEA6BE0F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSAB21C9CE-5074-42BC-87AA-551117241866.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSACAF579C-A796-460F-88E0-9A0937556EC1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSADDA15AB-CEAF-47C5-BBEF-5246AB241B85.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB4C71E50-1563-4273-9D2F-54C9D628E8EE.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB4F78DDA-3CEA-4E44-8D2C-7AE94B07B30C.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB5E2C808-CCB3-4F32-96E9-1E4C12C34E8F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB69F67B5-1398-430A-859B-0B555BB75217.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB8713CA7-89F3-466B-8A88-AA2FA3015126.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBA19B770-F01B-421F-A21E-E0D77F265E89.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBB8380DC-C47B-4099-A651-3337D858D847.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBB940153-F7FB-4C55-9CD8-B391DAC6C56A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBC8468A0-C27A-48A6-92E5-DC3EFE9350D0.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD1F73C0-450E-44E8-94B5-BE16117505D3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD8A6827-4A20-40D9-A0B8-A87E39452686.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD8C7081-06BD-487F-A1A8-9C1D8B3B9F29.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBE06AF60-0623-42DB-B7C3-069CF1A358DB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBF9E9B96-AFEC-4800-B2CD-9203339F82A7.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC02D8D55-667E-4210-8F64-F6BA3749B07D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC0AB169E-A56B-453D-9B6E-AF256F858B12.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC1A30F48-F408-4852-A8FE-96CADC1450B6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3C40931-14A5-40D0-A9C3-BA57F4807CCD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC43D9CBE-C651-40CF-8734-C3721D27256A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC44307D9-1F12-48F4-B58A-F0E3C95F45D7.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC57C3721-F837-4959-86DA-80BC7CBD32C0.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC580B406-9DF0-49BE-8E61-C564FE347ADA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC917E2BC-EA22-4897-841D-99E96D71B9F4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSCEA52FB9-D2A2-4D65-A665-597F030FD683.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSCEB36EBD-D701-4A9B-90C0-180D6E8F15E8.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSD3ADBEF5-C025-418D-A993-FC35188BCC62.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSD6719491-5C14-48EA-AD3E-6EA2FE1999C4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSD7BB08E6-6397-46CA-99EB-F6BCC896AABF.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSD9990B4C-CFC1-4894-BC1E-683DD1D0BB14.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSDC2608C6-B1F2-4917-840F-0775BEC95543.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSDC4732C4-6255-4260-BADD-EC1B3EECC029.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSDD14F8BC-0581-4972-9063-3C935F4E7018.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSDE5D4C7A-FE12-4F0D-A4B7-666BC69ABB71.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSE064939A-DB99-4BB0-B7B4-F966040D1E5D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSE772F805-191C-4D0C-98DB-B32DFF86B449.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSE81529E1-9F6E-4279-B128-7034C9E87055.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSEBA4961C-B584-4F73-8170-A7C1EF2B0A5B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSEEE97411-FFB8-4390-A317-22413C30B907.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSEF7BE403-CF6A-4B40-BC12-9FF290786D51.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSEFC5FBB0-6984-45F7-8E19-ABB64E05C458.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF016F372-17EA-4803-AE56-93DD76E858F1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF1BECCEE-8CAF-46DE-A9B5-3A100A0C0FFA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF2317FA9-ADDC-4C8F-8BE0-5BA9487F8613.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF5755EDB-AB31-4B0C-BEE8-01C2599CD3DB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF6864358-F54D-4608-80FD-5A9F5AB40E25.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF82E8967-68DC-4E65-AD43-78C60E7DB457.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF92EC889-8225-4468-A8CE-BB46F2CE2C9D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFAC81C05-C25E-46C5-BCB2-3B8B7E381EE5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFB7CC2B5-0ED4-415B-87DE-8A4621423C86.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFC9C8067-208E-4A4E-91AC-FE1CFF559B6B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFD3EA10C-A3A9-4C05-9F85-AA6DCB8A0E2E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFE0EF319-ADA9-4DCF-9410-5C84BDE80D60.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFF98D716-4F83-4B55-B362-8FC3E17FCC88.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFDA3BB3-9BA5-48B5-B516-CCA6069E7F16.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFE397AE-2CBB-4E21-8C1A-E932EFE09992.tmp Object is locked skipped
C:\Documents and Settings\davel\Application Data\Webroot\Spy Sweeper\Logs\070307153422.ses Object is locked skipped
C:\Documents and Settings\davel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\davel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\davel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\davel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\davel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\davel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\davel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\BHODemon 2\_BHODemon_DAVE1.log Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\settings.dat Object is locked skipped
C:\Temp\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Temp\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\DAVE1.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\ctrbgnf.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\eptzjll.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\gmnukvf.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\JRcobKvH.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\jszwhsjs.exe Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\msasdwe2.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\msiyuhev.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\olgjzn.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\pscmain2.exe Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\quvrnsl.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\slhmskd.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\sttool32.exe Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\szdyuai.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\ukvswnh.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\ylhiboj.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\zetronf.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\system32\zxyzvne.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINNT\Temp\ZLT041b3.TMP Object is locked skipped
C:\WINNT\Temp\ZLT041b9.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
davejellyfish
2007-03-21, 17:20
Still has DNS hijack:
Logfile of HijackThis v1.99.1
Scan saved at 2:42:13 PM, on 21/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\INTERN~1\iexplore.exe
C:\Documents and Settings\administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\system32\ctrbgnf.dll
C:\WINNT\system32\eptzjll.dll
C:\WINNT\system32\gmnukvf.dll
C:\WINNT\system32\JRcobKvH.dll
C:\WINNT\system32\jszwhsjs.exe
C:\WINNT\system32\msasdwe2.dll
C:\WINNT\system32\msiyuhev.dll
C:\WINNT\system32\olgjzn.dll
C:\WINNT\system32\pscmain2.exe
C:\WINNT\system32\quvrnsl.dll
C:\WINNT\system32\slhmskd.dll
C:\WINNT\system32\sttool32.exe
C:\WINNT\system32\szdyuai.dll
C:\WINNT\system32\ukvswnh.dll
C:\WINNT\system32\ylhiboj.dll
C:\WINNT\system32\zetronf.dll
C:\WINNT\system32\zxyzvne.dll
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..
If your computer does not restart automatically, please restart it manually.
Empty this folder:
C:\!KillBox
Empty Recycle Bin
Re-scan with kaspersky
Post:
- a fresh HijackThis log
- kaspersky report
davejellyfish
2007-03-22, 11:17
Hi
Looks like DNS still hijacked...
Logfile of HijackThis v1.99.1
Scan saved at 12:25:59 AM, on 22/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\INTERN~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\INTERN~1\iexplore.exe
C:\Documents and Settings\administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
davejellyfish
2007-03-22, 11:19
Hi
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 22, 2007 12:16:57 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build
2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/03/2007
Kaspersky Anti-Virus database records: 283957
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 35386
Number of viruses found: 2
Number of infected objects: 15
Number of suspicious objects: 2
Duration of the scan process: 01:37:09
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\administrator\Application Data\BitTorrent\bittorrent.log Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\cert8.db Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\history.dat Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\key3.db Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\parent.lock Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\search.sqlite Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\administrator\Application Data\Webroot\Spy Sweeper\Logs\070319201028.ses Object is locked skipped
C:\Documents and Settings\administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01 PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\History\History.IE5\MSHist012007032120070322\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0114A532-8218-42D1-820C-B519CF37E9E2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS058853AE-2563-414B-B270-176916FB5B50.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS06B36C85-6216-481C-A945-B20C400467A2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS079EB578-9C93-4EC1-88D0-D9AB0214BEAB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0A810CC0-973C-4A18-90AE-1BC8B24EFB49.tmp Object is locked skipped
MANY Spy Sweeper *.tmp files as 5 previoius omitted for brevity
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\BHODemon 2\_BHODemon_DAVE1.log Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\settings.dat Object is locked skipped
C:\Temp\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Temp\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\DAVE1.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{4BD284FF-AF5B-4E98-AFC7-550F1D16816B}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\Temp\ZLT01e3f.TMP Object is locked skipped
C:\WINNT\Temp\ZLT01e46.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Disconnect from internet (unplug network cable or close modem)
Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
Post a fresh HijackThis log.
davejellyfish
2007-03-22, 22:22
Hi
The DNS hijack is still there - as he's using a USB ADSL modem with a connection that has to `opened` (like old dial-up telephony) rather than a LAN connection through a router, might we have to delete the `dial-up`connection, do the procedure, then get ISP installer to create a new one?
Logfile of HijackThis v1.99.1
Scan saved at 7:47:47 PM, on 22/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Yes, you can try that next :)
If that doesn't work, his ISP DNS servers may need to type manually.
davejellyfish
2007-03-25, 20:20
Hi
I went round there and think that it's OK now. I didn't have to delete the `dial-up` connection, just dug around in the connection settings' until it let me alter so that now obtains DNS servers automatically. Had some other things to sort out whilst there which involved a couple of reboots and Hungarian hijack didn't reappear whilst I was there. Anyway, here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 4:10:51 PM, on 25/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 212.139.132.23 212.139.132.22
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Yes, it looks good now :)
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Post:
- a fresh HijackThis log
- kaspersky report
davejellyfish
2007-03-26, 21:36
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 26, 2007 7:21:09 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/03/2007
Kaspersky Anti-Virus database records: 286267
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 40773
Number of viruses found: 4
Number of infected objects: 14
Number of suspicious objects: 2
Duration of the scan process: 01:09:41
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\administrator\Application Data\Webroot\Spy Sweeper\Logs\070322131745.ses Object is locked skipped
C:\Documents and Settings\administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\administrator\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3bye71h.default\Cache\63329BDCd01 PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS00AEA0AC-7454-4CD2-80BD-834A58259DC4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS022ED022-2066-412A-895D-DC33A54F3ABD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0444D276-1194-46BE-9F6C-6F834667C563.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0526E37A-55DA-47D7-A110-0D493E948516.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS08480512-0CED-4480-9BAC-A8295A74A999.tmp Object is locked skipped
Numerous Spy Sweeper tmp files removed for brevity
C:\Documents and Settings\davel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\davel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\davel\Local Settings\Temporary Internet Files\Content.IE5\S5M7K9QV\arr3[1].jar/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\davel\Local Settings\Temporary Internet Files\Content.IE5\S5M7K9QV\arr3[1].jar/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\davel\Local Settings\Temporary Internet Files\Content.IE5\S5M7K9QV\arr3[1].jar/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\davel\Local Settings\Temporary Internet Files\Content.IE5\S5M7K9QV\arr3[1].jar ZIP: infected - 3 skipped
C:\Documents and Settings\davel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\davel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\BHODemon 2\_BHODemon_DAVE1.log Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\settings.dat Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\DAVE1.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\Temp\ZLT0060c.TMP Object is locked skipped
C:\WINNT\Temp\ZLT00612.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
davejellyfish
2007-03-26, 21:38
Logfile of HijackThis v1.99.1
Scan saved at 7:26:01 PM, on 26/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\INTERN~1\iexplore.exe
C:\Documents and Settings\administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160154725230
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161287936483
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371290.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E21D6359-AE4F-45DB-B31E-931F624E4752}: NameServer = 212.139.132.23 212.139.132.22
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Empty Internet Explorer temporary internet files.
Otherwise looking good :)
How are things running now?
davejellyfish
2007-03-28, 15:42
Hi
Haven't heard back from him since Tuesday morning before I got your latest post, but when I was over on Sunday everything was running much more smoothly.
One thing that continues to perplex though: In Windows Explorer, when you click on a WAV or an mp3 file, you get a message along the lines of "explorer performed an illegal operation and has to close", and explorer closes. I can only assume that it's something to do with something that's been removed/become decoupled. I downloaded ShellExView from nir soft but in the limited time I had didn't get very far with the problem (also, these tend to be for right click context menu extensions don't they?). In hindsight (always wonderful), I think that it might be something to do with the way Windows 2K will attempt to read and/or play a music file when you click on it in Explorer. Then it displays tape controls and locks the file, preventing user from moving it. Have you any insights that might be useful?
BTW: thanks for all your help so far, it's much appreciated
Dave
Hi
Sorry, I don't think that I can help with that issue but I can redirect you to some forum which might be able to, if you like.
Any other problems?
davejellyfish
2007-03-28, 18:29
Can't think of any other problems though if you could point me in the right direction re clicking on music files in explorer that would be great, thanks
Dave
Hi
As for that sound issue, I'd recommend these forums:
Bleepingcomputer (http://www.bleepingcomputer.com/forums/)
pcpitstop (http://pcpitstop.com/)
You're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and reenable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Reenable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.