Blank white popup Internet Explorer windows



cedoo
2007-06-01, 03:12
On my PC, from time to time, blank white popup Internet Explorer windows appear by themselves with nothing on them. In history I see that they are related to something like the www.go.itemdb.com site. Then I do CTRL-ALT-DEL and in Task Manager I kill that window, until it appears again in a couple of hours. As the PC stayed working all night long, in the morning I found 5-6 open white blank windows that I killed with Task Manager. I added this suspicious web address to Restricted sites. What is this, and what can I do to stop it?

cedoo
2007-06-01, 12:49
Logfile of HijackThis v1.99.1
Scan saved at 11:35:05 AM, on 01.06.2007.
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\chkdisk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Cedo\Programi\utorrent\utorrent.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Cedo\Programi\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe regchk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UninstalTime] chkdisk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Global Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\oracle\tools\6i\BIN\ONRSD80.EXE
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Blade81
2007-06-05, 22:10
Hi

Start hjt, click do a system scan only, check:
F2 - REG:system.ini: Shell=explorer.exe regchk.exe
O4 - HKLM\..\Run: [UninstalTime] chkdisk.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all browsers and other windows. Click fix checked.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

In Safe Mode, delete:
C:\WINDOWS\web\related.htm
C:\WINDOWS\System32\chkdisk.exe
After that, right click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner) (use Internet Explorer).

Click on Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.

Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK.
Now under "Select a target to scan" select My Computer.

The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button and save the file to your desktop.
Copy and paste that information in your next post with a fresh hjt log.


Summary of logs to be posted:
-a fresh hjt log
-Kaspersky webscanner report
-contents of the SDFix results file Report.txt
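As an added example (not code from this thread or from HijackThis), a small Python triage that applies the helper's reasoning above to HijackThis log lines: a Winlogon Shell value listing anything besides explorer.exe, Run entries that launch a bare file name with no directory, and browser extra items backed by an .htm inside the Windows directory. The sample lines are a constructed subset of the log posted earlier, and the three heuristics are assumptions derived from the entries Blade81 chose to fix, not a general rule set.

```python
"""Triage a HijackThis v1.99 log for the persistence patterns flagged in this thread.

Heuristics (assumptions, derived from the entries the helper chose to fix):
  * F2 REG:system.ini Shell= value that lists anything besides explorer.exe
    (Winlogon Shell hijack: the extra program starts with every logon).
  * O4 Run entries whose command is a bare file name with no directory
    (resolved via the search path, typically to System32, so it hides among system files).
  * O9 Extra button / menu items backed by an .htm file under the Windows directory.
"""
import re
from typing import List, Tuple

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=explorer.exe regchk.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [ccApp] "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [UninstalTime] chkdisk.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINDOWS\\web\\related.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\\PROGRA~1\\MICROS~2\\OFFICE11\\REFIEBAR.DLL
"""

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.*)$", re.I)
O9_ITEM = re.compile(r"^O9 - .* - \{[0-9a-f-]+\} - (.*)$", re.I)


def _command_image(cmd: str) -> str:
    """Return the executable part of a Run command (strip quotes and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every log line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_SHELL.match(line)
        if m:
            # The Shell value is space separated; explorer.exe is the only expected entry.
            shells = m.group(1).split()
            extra = [s for s in shells if s.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell hijack: extra program(s) %s" % ", ".join(extra), line))
            continue
        m = O4_RUN.match(line)
        if m:
            # A bare file name with no directory is resolved via the search path.
            image = _command_image(m.group(2))
            if image and "\\" not in image and "/" not in image:
                findings.append(("run entry with bare file name (no path): %s" % image, line))
            continue
        m = O9_ITEM.match(line)
        if m:
            target = m.group(1).strip().lower()
            if target.endswith(".htm") and "\\windows\\" in target:
                findings.append(("browser extra item backed by .htm in Windows dir", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-55s <- %s" % (reason, line))
```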

cedoo
2007-06-07, 19:16
Note: there is no SDFix.zip archive, but there is an SDFix.exe installation.

Scan-fixed the mentioned rows in HijackThis.
In Safe Mode, deleted the two mentioned files.

Here is SDFix report:


SDFix: Version 1.87

Run by cedo - Thu 06/07/2007 - 17:54:05.14

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipw146.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipw147.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipw148.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipw149.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipw14A.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipw14B.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwCE.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwCF.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwD0.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwD1.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwD2.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwD3.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwDE.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwDF.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwE0.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwE1.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwE2.tmp
C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\ipwE3.tmp
C:\Documents and Settings\cedo.ESOFT\My Documents\Cedo\Muzika\CD i DVD katalozi\Slobo\~WRL0082.tmp
C:\Documents and Settings\cedo.ESOFT\My Documents\Cedo\Muzika\CD i DVD katalozi\Slobo\~WRL3772.tmp

Listing User Accounts:

User accounts for \\GANDALF

Administrator ASPNET cedo
Guest HelpAssistant SUPPORT_388945a0


Finished

cedoo
2007-06-07, 19:20
Logfile of HijackThis v1.99.1
Scan saved at 6:17:08 PM, on 07.06.2007.
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Cedo\Programi\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Global Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\oracle\tools\6i\BIN\ONRSD80.EXE
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Blade81
2007-06-07, 20:48
Hi

Could you post that Kaspersky webscanner log too, please? :)

cedoo
2007-06-08, 12:59
I will post the Kaspersky log as soon as it finishes scanning. It has been working for almost 16 hours and is at 25%, so it is likely that I will post it Monday morning. There are some viruses reported, but I think that most of them are already in Norton quarantine; we will see when it is finished.

Since the HijackThis scan-fix and SDFix repairs there are no more self-opening blank white Internet Explorer windows, at the moment.

cedoo
2007-06-08, 13:25
Well, I must correct myself, because the scan went on to mapped network drives, so I stopped it. Here is the log for my PC, which is what is of interest for now.

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Friday, June 08, 2007 12:14:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build
2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/06/2007
Kaspersky Anti-Virus database records: 341408


Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue

Scan TargetMy Computer
C:\

Scan Statistics
Total number of scanned objects 146734
Number of viruses found 41
Number of infected objects 105 / 0
Number of suspicious objects 3
Duration of the scan process 17:26:16

Infected Object NameVirus NameLast Action
C:\Cedo\Install\To install\decoder_setup.exe/WISE0017.BIN/data0005
Infected: Trojan-Downloader.Win32.Agent.ac skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0017.BIN/data0006
Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0017.BIN/data0008
Infected: Trojan-Downloader.Win32.Turown.g skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0017.BIN/data0011
Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0017.BIN/data0013
Infected: Trojan-Downloader.Win32.VB.cw skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0017.BIN Infected:
Trojan-Downloader.Win32.VB.cw skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0018.BIN/NHInstall.exe
Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0018.BIN/v2.0.4a.cab/NHelper.dll Infected:
not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0018.BIN/v2.0.4a.cab/NHUninstaller.exe
Infected: not-a-virus:AdWare.Win32.NavExcel skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0018.BIN/v2.0.4a.cab/NHUpdater.exe Infected:
not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0018.BIN/v2.0.4a.cab
Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0018.BIN Infected:
not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0019.BIN/data0002
Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0019.BIN/data0003
Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0019.BIN/data0005
Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0019.BIN Infected:
not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0020.BIN Infected:
not-a-virus:AdWare.Win32.MyWay.c skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0021.BIN Infected:
not-a-virus:AdWare.Win32.EZula.a skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0024.BIN/data0001.cab/Save.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.c skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0024.BIN/data0001.cab/SaveUninst.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0024.BIN/data0001.cab
Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0024.BIN/data0002.cab/Sync.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\Cedo\Install\To
install\decoder_setup.exe/WISE0024.BIN/data0002.cab/Uninst.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0024.BIN/data0002.cab
Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\Cedo\Install\To install\decoder_setup.exe/WISE0024.BIN Infected:
not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\Cedo\Install\To install\decoder_setup.exe WiseSFX: infected - 25
skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common
Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application
Data\Symantec\LiveUpdate\2007-06-07_Log.ALUSchedulerSvc.LiveUpdate Object
is locked skipped

C:\Documents and Settings\cedo.ESOFT\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local
Settings\History\History.IE5\MSHist012007060720070608\index.dat Object is
locked skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\Del3.tmp
Infected: Trojan-Downloader.Win32.Small.asd skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\Free Download
Manager\tic1C5.tmp Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\Free Download
Manager\tic4.tmp Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\Free Download
Manager\tic6.tmp Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Temp\Free Download
Manager\tic7.tmp Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\AdvancedDVDPlayerPro113setup.exe/data0014/data0001.cab/VVSN.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\AdvancedDVDPlayerPro113setup.exe/data0014/data0001.cab
Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\AdvancedDVDPlayerPro113setup.exe/data0014 Infected:
not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\AdvancedDVDPlayerPro113setup.exe/data0016 Infected:
not-a-virus:Server-Proxy.Win32.MarketScore.j skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\AdvancedDVDPlayerPro113setup.exe Inno: infected - 4
skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\CliprexdsDVDfree.exe/stream/data0009 Infected:
not-a-virus:AdWare.Win32.NewDotNet.d skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\CliprexdsDVDfree.exe/stream/data0010 Infected:
not-a-virus:AdWare.Win32.MyWay.j skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\CliprexdsDVDfree.exe/stream/data0011 Infected:
not-a-virus:AdWare.Win32.180Solutions skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\CliprexdsDVDfree.exe/stream Infected:
not-a-virus:AdWare.Win32.180Solutions skipped

C:\Documents and Settings\cedo.ESOFT\My
Documents\Razno\CliprexdsDVDfree.exe NSIS: infected - 4 skipped

C:\Documents and Settings\cedo.ESOFT\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\cedo.ESOFT\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped


C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked
skipped

C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE
Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped

C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL
Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped

C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE
Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped

C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE ZIP: infected - 3 skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\00FC3BE1.exe Infected:
Trojan-Downloader.Win32.Agent.fr skipped

C:\Program Files\Norton AntiVirus\Quarantine\0429690A Infected:
Trojan.Java.Femad skipped

C:\Program Files\Norton AntiVirus\Quarantine\057272D2 Infected:
Trojan.Java.Femad skipped

C:\Program Files\Norton AntiVirus\Quarantine\0B557BDF Infected:
Trojan-Dropper.Win32.Small.lu skipped

C:\Program Files\Norton AntiVirus\Quarantine\0E9549A9 Infected:
Exploit.HTML.CodeBaseExec skipped

C:\Program Files\Norton AntiVirus\Quarantine\21051543.zip/Xeyond.class
Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton AntiVirus\Quarantine\21051543.zip ZIP: infected -
1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\21051543.zip CryptFF:
infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\250F382B.EXE Infected:
Virus.Win32.Parite.b skipped

C:\Program Files\Norton AntiVirus\Quarantine\38B73261.exe Infected:
Backdoor.Win32.HacDef.e skipped

C:\Program Files\Norton AntiVirus\Quarantine\3B082977 Infected:
Trojan-Downloader.JS.IstBar.j skipped

C:\Program Files\Norton AntiVirus\Quarantine\406108B7.exe Infected:
Backdoor.Win32.HacDef.e skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F1502D.zip/GetAccess.class
Infected: Trojan.Java.ClassLoader.c skipped

C:\Program Files\Norton
AntiVirus\Quarantine\45F1502D.zip/InsecureClassLoader.class Infected:
Exploit.Java.ByteVerify skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F1502D.zip/Dummy.class
Infected: Trojan.Java.ClassLoader.Dummy.a skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F1502D.zip/Installer.class
Infected: Trojan-Downloader.Java.OpenConnection.v skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F1502D.zip ZIP: infected -
4 skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F1502D.zip CryptFF:
infected - 4 skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F47A2A.htm Suspicious:
Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\45F72426.gif Infected:
Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\625133E6 Infected:
Trojan.Java.Femad skipped

C:\Program Files\Norton AntiVirus\Quarantine\76CC4838.exe Infected:
Trojan-Dropper.Win32.Small.lu skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip/GetAccess.class
Infected: Trojan.Java.ClassLoader.c skipped

C:\Program Files\Norton
AntiVirus\Quarantine\76DC1A26.zip/InsecureClassLoader.class Infected:
Exploit.Java.ByteVerify skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip/Dummy.class
Infected: Trojan.Java.ClassLoader.Dummy.a skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip/Installer.class
Infected: Trojan-Downloader.Java.OpenConnection.v skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip ZIP: infected -
4 skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip CryptFF:
infected - 4 skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DF4423.exe Infected:
Trojan-Dropper.Win32.Small.lu skipped

C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected:
Trojan-Downloader.Win32.Small.asd skipped

C:\System Volume
Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP534\A0042074.exe
Infected: Trojan.Win32.Agent.aff skipped

C:\System Volume
Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP535\change.log
Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped



Scan was interrupted by user!
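A small triage helper for the scan log quoted above, added here as an example and not part of the thread or of any scanner vendor's tooling. It rejoins records that the forum software wrapped across two lines, separates real detections from "Object is locked" coverage gaps, and flags which detections sit outside the Norton quarantine folder and System Restore snapshots (that exclusion list is my assumption, chosen to match the paths in this log). The sample input is a constructed subset of the records shown above.

```python
import re
from collections import Counter

# Constructed sample: records copied from the scan log above, including
# several that the forum wrapped onto two lines.
SAMPLE_LOG = r"""
C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip/Installer.class
Infected: Trojan-Downloader.Java.OpenConnection.v skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DC1A26.zip ZIP: infected -
4 skipped

C:\Program Files\Norton AntiVirus\Quarantine\76DF4423.exe Infected:
Trojan-Dropper.Win32.Small.lu skipped

C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected:
Trojan-Downloader.Win32.Small.asd skipped

C:\System Volume
Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP534\A0042074.exe
Infected: Trojan.Win32.Agent.aff skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

Scan was interrupted by user!
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumption (not stated in the thread): copies inside AV quarantine or a
# System Restore snapshot are inert; any other detection is a live file.
INERT_PREFIXES = (
    "c:\\program files\\norton antivirus\\quarantine\\",
    "c:\\system volume information\\",
)


def records(log_text):
    """Split the log on blank lines and rejoin wrapped lines with a space."""
    out = []
    for chunk in re.split(r"\n\s*\n", log_text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            out.append(" ".join(lines))
    return out


def parse_log(log_text):
    """Classify each record as infected file, infected archive, locked object or status."""
    result = {"infected": [], "archives": [], "locked": [],
              "interrupted": False, "unparsed": []}
    for rec in records(log_text):
        if rec == "Scan was interrupted by user!":
            result["interrupted"] = True
            continue
        m = ARCHIVE_RE.match(rec)      # e.g. "... ZIP: infected - 4 skipped"
        if m:
            result["archives"].append((m["path"], m["kind"], int(m["count"])))
            continue
        m = INFECTED_RE.match(rec)     # e.g. "... Infected: Trojan.Win32.Agent.aff skipped"
        if m:
            result["infected"].append((m["path"], m["name"]))
            continue
        m = LOCKED_RE.match(rec)       # files the scanner could not open
        if m:
            result["locked"].append(m["path"])
            continue
        result["unparsed"].append(rec)
    return result


def needs_attention(parsed):
    """Detections that are neither quarantined nor inside a restore point."""
    return [(path, name) for path, name in parsed["infected"]
            if not path.lower().startswith(INERT_PREFIXES)]


def summary(parsed):
    """Counts a helper would want before deciding on the next step."""
    names = Counter(name for _, name in parsed["infected"])
    return {"detections": dict(names), "locked": len(parsed["locked"]),
            "interrupted": parsed["interrupted"],
            "live": len(needs_attention(parsed))}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for path, name in needs_attention(parsed):
        print(f"LIVE  {name:40s} {path}")
    print(summary(parsed))
```

On the sample above only wmplayer.exe.tmp under Windows Media Player comes out as a live hit; the rest are quarantine or restore-point copies. The locked count plus the interrupted flag are the coverage gap the next reply in the thread is worried about.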

Blade81
2007-06-09, 01:10
Hi again :)

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right.
Check the box that says: Accept License Agreement.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.




Maybe we should use AVG to make sure there isn't anything in those files which were not scanned because of the interrupted scan.


Downloading needed applications
-------------------------------

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.

Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)


Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the Save Scan Report button before you have hit the Apply all Actions button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.


Post AVG Anti-Spyware log & a fresh HJT log.

cedoo
2007-06-12, 12:22
Sorry for delay, please allow me one or two days to complete task.
Best regards!

Blade81
2007-06-12, 19:52
Ok. Will be waiting for your input :)

Blade81
2007-06-19, 16:15
Cedoo,

are you still there?

Blade81
2007-06-26, 17:34
Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.