Smitfraud-C.Toolbar888 and CiD: popups



Donny
2007-06-11, 09:22
Dear Spybot S&D team!

I have malware that causes popup advertisements in boxes titled "Cid:".
At least I think this is what causes those advertisements, because they won't go away no matter what I do. My guess would be that I got it by running the Winzix "compression utility" from www.winzix.com (not WinZip).

According to Spybot S&D I have a Smitfraud-C.Toolbar888 thing in my
registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR.
Spybot appears to remove this, but if I rerun it, it's there again.

I did all according to the "BEFORE you POST" message.

I've run the http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx online scanner.
Scan Results: Scan Completed. 216156 files scanned. No viruses found.

Sorry, I don't know how to make this CA scanner produce a log of the result (does it make one in case there is nothing found?)

I have Nod32 and Zonealarm running in the background, I turned Nod32 file monitor off during the online scan.

One more thing: my Windows XP is in Hungarian, so if you see some Hungarian text (e.g. szervizcsomag instead of service pack) that's the reason.

Thanks for your help in advance.

Here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:41, on 2007.06.11.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [moreliveflagsect] C:\Documents and Settings\All Users.WINDOWS\Application Data\Dead Does More Live\PlanBore.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Base About] C:\DOCUME~1\Dani\APPLIC~1\AXISSA~1\bolt mail.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D71770-F8A7-47EF-BBCF-4AE7B8A11D7D}: NameServer = 194.149.0.157 194.149.0.156
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Shaba
2007-06-12, 11:43
Hi K_Dani

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please Download NoLop to your desktop from one of the links below...
Link 1 (http://www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.spywaretimes.com/Tools/Download/Anti-malwareTools/NoLop!/)
Link 3 (http://www.thespykiller.co.uk/index.php?action=tpmod;dl=get16)
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program. --

Post:

- a fresh HijackThis log
- vundofix report
- nolop log

Donny
2007-06-13, 07:19
Dear Shaba,

I appreciate your help.

I've run Vundo and NoLop.
They both came up empty-handed. It may be because I've tried them before contacting the forum. Sorry if that messed things up. The popups are still there and Spybot still finds Smitfraud. As far as I remember, Vundo found nothing on the first run but NoLop found and apparently removed one item, as it doesn't find it again.

I also ran a full Nod32 check before writing to the forum, and it killed some stuff too:

This week: Win32/Agent.QT, Java/ClassLoader.B, Java/Dummy, Java/ClassLoader.H, Java/TrojanDownloader.OpenStream.W

Three weeks ago: Win32/TrojanDownloader.Zlob.AIT

I have also found something that may be a clue: I found a delete.bat file, with a fresh date and time, in my C: root, which includes this text 6 times:
"@ECHO OFF
del "%programfiles%\Adverts\uninst.exe" /Q > NUL 2> NUL
rmdir "%programfiles%\Adverts" > NUL"

Does this ring any bells with you? I wonder what would happen if I erased the text in this file and then kept it write-protected - would I have an uninstall opportunity for the ads?

Anyway, here are the logs you asked for:


VundoFix V6.5.0

Checking Java version...

Scan started at 5:14:29 2007.06.11.

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Scan started at 5:27:10 2007.06.13.

Listing files found while scanning....

No infected files were found.

--------------------------------------------------------------------------

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Program Files\Mozilla Firefox
[2007.06.13.]
[6:03:07]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Acd Systems
C:\Documents and Settings\All Users.windows\Application Data\Adobe
C:\Documents and Settings\All Users.windows\Application Data\Adobe Systems
C:\Documents and Settings\All Users.windows\Application Data\Apple Computer
C:\Documents and Settings\All Users.windows\Application Data\Dead Does More Live
C:\Documents and Settings\All Users.windows\Application Data\Google
C:\Documents and Settings\All Users.windows\Application Data\Lavasoft
C:\Documents and Settings\All Users.windows\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Nero
C:\Documents and Settings\All Users.windows\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User.windows\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Maci\Application Data\Acd Systems
C:\Documents and Settings\Maci\Application Data\Adobe
C:\Documents and Settings\Maci\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Maci\Application Data\Ahead
C:\Documents and Settings\Maci\Application Data\Apple Computer
C:\Documents and Settings\Maci\Application Data\Ati
C:\Documents and Settings\Maci\Application Data\Azureus
C:\Documents and Settings\Maci\Application Data\Canon
C:\Documents and Settings\Maci\Application Data\Digilabor 3
C:\Documents and Settings\Maci\Application Data\Google
C:\Documents and Settings\Maci\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Maci\Application Data\Identities
C:\Documents and Settings\Maci\Application Data\Lavasoft
C:\Documents and Settings\Maci\Application Data\Macromedia
C:\Documents and Settings\Maci\Application Data\Microsoft
C:\Documents and Settings\Maci\Application Data\Mozilla
C:\Documents and Settings\Maci\Application Data\Pixmantec -- EMPTY Directory
C:\Documents and Settings\Maci\Application Data\Sun
C:\Documents and Settings\Maci\Application Data\Talkback
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Rendszergazda\Application Data\Microsoft

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:50:03, on 2007.06.13.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [moreliveflagsect] C:\Documents and Settings\All Users.WINDOWS\Application Data\Dead Does More Live\PlanBore.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Base About] C:\DOCUME~1\Dani\APPLIC~1\AXISSA~1\bolt mail.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D71770-F8A7-47EF-BBCF-4AE7B8A11D7D}: NameServer = 194.149.0.157 194.149.0.156
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

This planbore.exe seems fishy to me, have you heard of that file?

best regards
Daniel Kalman

Donny
2007-06-13, 08:31
Hi!

I seem to have got rid of Smitfraud and Cid!

What I did:

-Renamed the suspicious C:\windows\system32\winjrs32.dll
-Renamed the suspicious All users.windows\application data\Dead Does More Live directory, which included a Planbore.exe and a Cdromload.exe (possibly random names)
-Renamed the suspicious ... user\application data\axis safe directory, which included a bolt mail.exe, copy readme info.exe, qyvkyzlp.exe and yufwtubm.exe (possibly random names)

-Deleted the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR found earlier by Spybot S&D, which it couldn't kill until some of these above-listed programs were in memory.
-Emptied delete.bat and write-protected it in C: root (might not have anything to do with the whole thing)

Rebooted the PC, scanned with Spybot. Smitfraud was not there! It found only 2 tracking cookies.

Here is a fresh Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:12, on 2007.06.13.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D71770-F8A7-47EF-BBCF-4AE7B8A11D7D}: NameServer = 194.149.0.157 194.149.0.156
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please let me know if you disagree with something I did or if you see any more threats to my security (java version for example).

Thanks
Daniel

Shaba
2007-06-13, 11:16
Hi

Well, actually NoLop didn't come up empty.

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)

Close all windows including browser and press fix checked.

Boot in safe mode

Delete those renamed folders/files.

Reboot

Post a fresh HijackThis log.
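Log triage as an added example (my code, not from the thread, from HijackThis or from the Spybot team): it parses lines in the HijackThis 1.99 format posted above and flags the kinds of entries singled out in this thread, namely blanked R0 Local Page values, O4 autoruns launched from Application Data directories, a non-stock O20 Winlogon Notify package, and anything HijackThis marks "(file missing)". The sample lines, the regexes and the allow-list of stock XP Winlogon Notify names are constructed assumptions for illustration.

```python
"""Triage a HijackThis 1.99 log for the entry types discussed in this thread.

Constructed example; not code from the thread, from HijackThis or from the
Spybot team. Heuristics (all assumptions for illustration):
  * R0/R1 entries with an empty value (a blanked IE "Local Page")
  * O4 Run entries whose program lives under a user profile / Application Data
  * O20 Winlogon Notify packages outside the stock Windows XP set
  * any entry that HijackThis already marks "(file missing)" (orphaned hook)
"""
import re
from typing import Dict, List

# Constructed sample: a few lines shaped like the entries in the logs above.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozasok",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKLM\..\Run: [moreliveflagsect] C:\Documents and Settings\All Users.WINDOWS\Application Data\Dead Does More Live\PlanBore.exe",
    r"O4 - HKCU\..\Run: [Base About] C:\DOCUME~1\Dani\APPLIC~1\AXISSA~1\bolt mail.exe",
    r"O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe",
])

# Generic HJT entry: "<kind> - <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# O4 autorun: hive, Run key, bracketed value name, then the command line
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 Winlogon Notify: package name, then the DLL path
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Program launched from a profile directory instead of Program Files / Windows
PROFILE_DIR_RE = re.compile(
    r"\\(?:Documents and Settings|DOCUME~1|Application Data|APPLIC~1)\\", re.IGNORECASE)

# Winlogon Notify subkeys on a stock Windows XP SP2 install (assumed allow-list).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (entry, reason) pair; unflagged lines are dropped."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blanks
        kind, rest = m.group("kind"), m.group("rest")
        reasons: List[str] = []

        if "(file missing)" in rest:
            reasons.append("orphaned entry: target file missing")

        if kind in ("R0", "R1") and rest.rstrip().endswith("="):
            reasons.append("IE setting blanked (empty value)")

        if kind == "O4":
            o4 = O4_RE.match(rest)
            if o4 and PROFILE_DIR_RE.search(o4.group("cmd")):
                reasons.append("autorun launches from a user-profile directory")

        if kind == "O20":
            o20 = O20_RE.match(rest)
            if o20 and o20.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
                reasons.append("Winlogon Notify package not in the stock XP set")

        for reason in reasons:
            findings.append({"kind": kind, "reason": reason, "entry": line})
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}\n    {f['entry']}")


if __name__ == "__main__":
    main()
```

A flagged line is only a candidate for review, not proof of infection; the O18 msnim entry here, for instance, is an orphan left by an uninstalled program rather than malware.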

Donny
2007-06-14, 05:58
Dear Shaba,

Here is my fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:41, on 2007.06.14.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\msiexec.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D71770-F8A7-47EF-BBCF-4AE7B8A11D7D}: NameServer = 194.149.0.157 194.149.0.156
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Is my PC clean now?

Actually I'm pretty disappointed with Nod32 (updated daily) that it skipped this malware even after it was removed from memory.

Daniel

Shaba
2007-06-14, 11:03
Hi

We'll find out soon.

No AV can find all viruses; that's a sad fact.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under "Select a target to scan" select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- Kaspersky report

Donny
2007-06-15, 07:49
Hi!

Kaspersky found some stuff, mostly in the quarantine of Nod32, in the Recycle Bin and in Temporary Internet Files, which I've deleted since.

I will post in 2 messages.

KASPERSKY ONLINE SCANNER REPORT
Friday, June 15, 2007 12:36:36 AM
Operating System: Microsoft Windows XP Professional, Szervizcsomag 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 346759


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 225931
Number of viruses found 15
Number of infected objects 111
Number of suspicious objects 8
Duration of the scan process 02:33:20

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\Dani\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Identities\{22FA0AD0-C37A-40C3-8CF6-44F7BD556EB6}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Identities\{22FA0AD0-C37A-40C3-8CF6-44F7BD556EB6}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\History\History.IE5\MSHist012007061420070615\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Temp\IH131.tmp Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\854LYVO5\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\C9UZSTA7\promotearea[1].swf Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\KB9326FX\banner851[1].gif Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\PBJF5XGE\banner851[1].gif Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\PBJF5XGE\banner851[2].gif Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\UB2LQPWJ\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Dani\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Dani\NtUser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Maci\.krtitok.ini Object is locked skipped

C:\Documents and Settings\Maci\.krtitok.log Object is locked skipped

C:\Documents and Settings\Maci\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\History\History.IE5\MSHist012007061420070615\index.dat Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~efe2.tmp Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001\~efe2.tmp Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\Temp\Photoshop Temp322328 Object is locked skipped

C:\Documents and Settings\Maci\Local Settings\Temporary Internet Files\Content.IE5\2VBBV9OR\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Maci\Local Settings\Temporary Internet Files\Content.IE5\4DIFC5IF\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Maci\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Maci\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Maci\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Downloads\20DTW541EN.exe Object is locked skipped

C:\Downloads\20DWI541EN.exe Object is locked skipped

C:\Downloads\v1.jpg Object is locked skipped

C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

C:\Program Files\ESET\infected\3ISQVOAA.NQF Infected: Trojan.Win32.Obfuscated.en skipped

C:\Program Files\ESET\infected\AGPKCFCA.NQF Infected: Trojan.Win32.Dialer.qn skipped

C:\Program Files\ESET\infected\OAGCYRCA.NQF Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Program Files\ESET\infected\SA0GWODA.NQF/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.alj skipped

C:\Program Files\ESET\infected\SA0GWODA.NQF/stream Infected: Trojan-Downloader.Win32.Zlob.alj skipped

C:\Program Files\ESET\infected\SA0GWODA.NQF NSIS: infected - 2 skipped

C:\Program Files\ESET\infected\SA0GWODA.NQF UPX: infected - 2 skipped

C:\Program Files\ESET\infected\SA0GWODA.NQF PE_Patch.UPX: infected - 2 skipped

C:\Program Files\ESET\infected\SA0GWODA.NQF PE-Crypt.XorPE: infected - 2 skipped

C:\Program Files\ESET\infected\SOJRGLBA.NQF Infected: Trojan.Win32.Obfuscated.en skipped

C:\Program Files\ESET\infected\USOZGTBA.NQF Infected: Trojan.Win32.Obfuscated.en skipped

C:\Program Files\ESET\infected\YUI4PWAA.NQF Infected: Trojan.Win32.Agent.qt skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/Network/netcat/files/nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/Network/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/Network/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar/plugin/Network/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF/data.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF RarSFX: infected - 9 skipped

C:\Program Files\ESET\infected\ZDA4VKAA.NQF PE-Crypt.XorPE: infected - 9 skipped

C:\Program Files\ESET\logs\virlog.dat Object is locked skipped

C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped

C:\Program Files\InstallShield Installation Information\{07B02BD4-E799-4945-B240-166CA9A9BE2D}\Setup.ilg Object is locked skipped

C:\Program Files\InstallShield Installation Information\{CFF8E668-1954-44CC-A342-FED2CC0601CA}\Setup.ilg Object is locked skipped

C:\Program Files\The Bat!\Mail\Locsei2\ATTACH\kieffer.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc32\bolt mail.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc32\Copy Readme Info.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc32\qyvkyzlp.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc32\yufwtubm.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc33.dll Infected: Trojan.Win32.Dialer.qn skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc8\CDROMLOAD.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc8\PlanBore.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\DANIGEP.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

Donny
2007-06-15, 07:49
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\win155.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\win169.tmp.exe Infected: Trojan-Downloader.Win32.Small.dod skipped

C:\WINDOWS\Temp\win1B2.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\win2A3.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\win30.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\ZLT01f91.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT01f94.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\kkmon.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\slman.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\slview.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Locsei2\ATTACH\kieffer.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB Mail: suspicious - 3 skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB Mail: suspicious - 3 skipped

C:\_szerviz_mentés\Mail_mentés\Locsei2\ATTACH\kieffer.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\Mentés\The_Bat_Mail\Locsei2\ATTACH\kieffer.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._nt Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._sy Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/kkdrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/kkmon._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Loadkk._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/LoadWin._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/sldrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/slman._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/slview._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Vkeykeyd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Vprotkkd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip ZIP: infected - 12 skipped

E:\Mentés\_EmberDownload\Video\DivXPro502GAINBundle.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped

E:\Mentés\_EmberDownload\Video\DivXPro502GAINBundle.exe Vise: infected - 1 skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip ZIP: infected - 3 skipped

E:\Program Files\ESET\infected\MEHQ0WDA.NQF/data0002 Infected: Trojan-Clicker.Win32.VB.gl skipped

E:\Program Files\ESET\infected\MEHQ0WDA.NQF NSIS: infected - 1 skipped

E:\Program Files\ESET\infected\MEHQ0WDA.NQF PE-Crypt.XorPE: infected - 1 skipped

E:\Program Files\The Bat!\Mail\Locsei2\ATTACH\kieffer.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De1.exe/file1 Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De1.exe/file2 Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De1.exe/file7 Infected: Trojan.Win32.Obfuscated.en skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De1.exe Inno: infected - 3 skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\_EmberDownload\acdsee_pro8__keygen.ZIP/patch_.exe/data0002 Infected: Trojan-Clicker.Win32.VB.gl skipped

E:\_EmberDownload\acdsee_pro8__keygen.ZIP/patch_.exe Infected: Trojan-Clicker.Win32.VB.gl skipped

E:\_EmberDownload\acdsee_pro8__keygen.ZIP ZIP: infected - 2 skipped

E:\_EmberDownload\kk2000.zip/keykey._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/keykey._nt Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/keykey._sy Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/kkdrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/kkmon._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/Loadkk._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/LoadWin._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/sldrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/slman._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/slview._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/Vkeykeyd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/Vprotkkd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip ZIP: infected - 12 skipped

E:\_EmberDownload\Nero-7.8.5.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

E:\_EmberDownload\Nero-7.8.5.0_eng_trial.exe RAR: infected - 1 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/netcat/files/nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe RarSFX: infected - 9 skipped

E:\_EmberDownload\Video\DivXPro502GAINBundle.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped

E:\_EmberDownload\Video\DivXPro502GAINBundle.exe Vise: infected - 1 skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip ZIP: infected - 3 skipped

Scan process completed.

------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:46:24, on 2007.06.15.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\The Bat!\thebat.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D71770-F8A7-47EF-BBCF-4AE7B8A11D7D}: NameServer = 194.149.0.157 194.149.0.156
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any of these sound dangerous?
Let me know what you think.

thanks

Daniel
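
A report like the one above is mostly "Object is locked skipped" noise (registry hives, event logs, index.dat files that Windows keeps open), with the real hits scattered between the NOD32 quarantine, the Recycle Bin, browser caches, temp folders, old backups and the mail store. The Python below is an added example for triaging such a report, not code from the thread, from Spybot or from Kaspersky. It assumes the line format shown in the posted report (path, then verdict, then action, with verdicts Object is locked / Infected: / Suspicious: / archive summaries such as "ZIP: infected - 12"); the location buckets (ESET\infected, RECYCLER, Temporary Internet Files, the Temp folders, The Bat! mail store, the user's "_" and "Mentés" folders) are heuristics derived from the paths in this thread, and the action words other than "skipped" are assumptions. The "not-a-virus:" prefix is Kaspersky's marker for riskware (keyloggers, key finders, remote-admin tools), which is exactly the class of hit the helper asks the owner to account for before anything is deleted. The sample input is nine lines copied from the report above.

```python
"""Triage a Kaspersky Online Scanner 5.x text report: separate real
detections from 'Object is locked' noise, flag 'not-a-virus:' riskware
that needs the owner's confirmation, and group hits by on-disk location."""
import re
from collections import defaultdict

# One result line is '<path> <verdict> <action>'. Paths contain spaces, so the
# verdict is anchored at the end. Verdict shapes are the four in the report
# above; the action words other than 'skipped' are assumptions.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<container>\S+): (?:infected|suspicious) - (?P<count>\d+))"
    r" (?P<action>skipped|deleted|disinfected|quarantined)$"
)

# Location buckets, first match wins. Assumed from the paths in this thread
# (ESET quarantine, RECYCLER, The Bat! mail store, '_'/'Mentés' backup dirs).
LOCATIONS = [
    ("quarantine", re.compile(r"\\ESET\\infected\\", re.I)),
    ("recycle bin", re.compile(r"\\RECYCLER\\", re.I)),
    ("browser cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("temp", re.compile(r"\\(?:WINDOWS|Local Settings)\\Temp\\", re.I)),
    ("mail store", re.compile(r"\\(?:Mail|ATTACH)\\", re.I)),
    ("downloads/backups", re.compile(r"^[A-Z]:\\(?:_|Mentés|Downloads)", re.I)),
]

def classify_location(path):
    for label, pattern in LOCATIONS:
        if pattern.search(path):
            return label
    return "live system"          # anything else is still on the running system

def parse_report(text):
    """Return one record per result line; headers and blank lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        if g["locked"]:
            kind, name = "locked", None
        elif g["infected"]:
            kind, name = "infected", g["infected"]
        elif g["suspicious"]:
            kind, name = "suspicious", g["suspicious"]
        else:
            kind, name = "container", g["container"]   # archive/mailbox summary
        records.append({
            "path": g["path"], "kind": kind, "name": name,
            # Kaspersky's 'not-a-virus:' prefix marks riskware: legitimate if
            # the owner installed it knowingly, which is what the thread asks.
            "riskware": bool(name and name.startswith("not-a-virus:")),
            "location": classify_location(g["path"]),
        })
    return records

def triage(records):
    """Bucket records into noise counts and location -> [(path, name)] lists."""
    out = {"locked": 0, "containers": 0, "malware": defaultdict(list),
           "riskware": defaultdict(list), "suspicious": defaultdict(list)}
    for r in records:
        if r["kind"] == "locked":
            out["locked"] += 1      # in-use system files, not detections
        elif r["kind"] == "container":
            out["containers"] += 1  # members are already listed individually
        elif r["kind"] == "suspicious":
            out["suspicious"][r["location"]].append((r["path"], r["name"]))
        elif r["riskware"]:
            out["riskware"][r["location"]].append((r["path"], r["name"]))
        else:
            out["malware"][r["location"]].append((r["path"], r["name"]))
    return out

# Constructed sample: nine lines copied from the report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Dani\NTUSER.DAT Object is locked skipped
C:\WINDOWS\Temp\win155.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Program Files\ESET\infected\AGPKCFCA.NQF Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc33.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped
E:\_EmberDownload\kk2000.zip/keykey._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped
E:\_EmberDownload\kk2000.zip ZIP: infected - 12 skipped
C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\The Bat!\Mail\Locsei2\ATTACH\kieffer.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped
"""

if __name__ == "__main__":
    s = triage(parse_report(SAMPLE_REPORT))
    print(f"noise: {s['locked']} locked, {s['containers']} archive summaries")
    for bucket in ("malware", "suspicious", "riskware"):
        for location, hits in sorted(s[bucket].items()):
            for path, name in hits:
                print(f"[{bucket}] {location:18} {name:40} {path}")
```

Run against the full report saved with "Save as Text", the output puts the one thing that matters first: malware outside quarantine and the Recycle Bin (here the dialer dropped in C:\WINDOWS\Temp and the phishing GIF in the live mail store), then the suspicious mail, then the riskware list to hand back to the owner with the question the helper asked. Archive summary lines are counted but not listed, since every member they refer to already appears as its own record; a "live system" bucket holding anything is the signal that cleanup is not finished.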

Shaba
2007-06-15, 11:19
Hi

For which purpose have you used these?

C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\kkmon.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\slman.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\slview.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._nt Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._sy Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/kkdrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/kkmon._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Loadkk._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/LoadWin._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/sldrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/slman._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/slview._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Vkeykeyd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Vprotkkd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip ZIP: infected - 3 skipped

Donny
2007-06-15, 23:19
Dear Shaba,

I've used Keykey to spy on the 12-year-old kid who is supposed to walk my dog but instead watches pussies on the internet on my PC.

Windows XP KeyFinder does what the name says: it tells you what serial number your Windows and Office were installed with, in case you forgot.

UBCD4Win creates a bootable CD that, quote, "contains software that allows you to repair, restore, or diagnose almost any computer problem."

Thanks for your help, best regards

Daniel Kalman

ps. I've donated some bucks to the Spybot team for the great help of this forum.

Shaba
2007-06-16, 10:52
Hi

Ok :) Sorry, but I needed to check.

Empty Internet explorer temporary internet files

Empty these folders:

C:\WINDOWS\Temp\
C:\Program Files\ESET\infected\

Delete this:

E:\_EmberDownload\Video\DivXPro502GAINBundle.exe

Empty Recycle Bin

Delete these mails:

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB Mail: suspicious - 3 skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report

Donny
2007-06-18, 00:06
Dear Shaba,

Here is my new Kaspersky report:

KASPERSKY ONLINE SCANNER REPORT
Saturday, June 16, 2007 6:48:37 PM
Operating System: Microsoft Windows XP Professional, Szervizcsomag 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/06/2007
Kaspersky Anti-Virus database records: 347503


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects: 190790
Number of viruses found: 9
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 02:21:35

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\Dani\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Identities\{22FA0AD0-C37A-40C3-8CF6-44F7BD556EB6}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Identities\{22FA0AD0-C37A-40C3-8CF6-44F7BD556EB6}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\History\History.IE5\MSHist012007061620070617\index.dat Object is locked skipped

C:\Documents and Settings\Dani\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dani\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Dani\NtUser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Maci\.krtitok.ini Object is locked skipped

C:\Documents and Settings\Maci\.krtitok.log Object is locked skipped

C:\Documents and Settings\Maci\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Downloads\20DTW541EN.exe Object is locked skipped

C:\Downloads\20DWI541EN.exe Object is locked skipped

C:\Downloads\v1.jpg Object is locked skipped

C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

C:\Program Files\ESET\logs\virlog.dat Object is locked skipped

C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped

C:\Program Files\InstallShield Installation Information\{07B02BD4-E799-4945-B240-166CA9A9BE2D}\Setup.ilg Object is locked skipped

C:\Program Files\InstallShield Installation Information\{CFF8E668-1954-44CC-A342-FED2CC0601CA}\Setup.ilg Object is locked skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc10.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc9.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\DANIGEP.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\ZLT04427.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT0442a.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\kkmon.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\slman.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\_Régi gépröl\C\Program Files\KEYKEY\slview.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._nt Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/keykey._sy Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/kkdrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/kkmon._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Loadkk._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/LoadWin._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/sldrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/slman._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/slview._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Vkeykeyd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip/Vprotkkd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\Mentés\_EmberDownload\kk2000.zip ZIP: infected - 12 skipped

E:\Mentés\_EmberDownload\Video\DivXPro502GAINBundle.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped

E:\Mentés\_EmberDownload\Video\DivXPro502GAINBundle.exe Vise: infected - 1 skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip ZIP: infected - 3 skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De1.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De1.exe Vise: infected - 1 skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De2.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

E:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\De3.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\_EmberDownload\acdsee_pro8__keygen.ZIP/patch_.exe/data0002 Infected: Trojan-Clicker.Win32.VB.gl skipped

E:\_EmberDownload\acdsee_pro8__keygen.ZIP/patch_.exe Infected: Trojan-Clicker.Win32.VB.gl skipped

E:\_EmberDownload\acdsee_pro8__keygen.ZIP ZIP: infected - 2 skipped

E:\_EmberDownload\kk2000.zip/keykey._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/keykey._nt Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/keykey._sy Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/kkdrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/kkmon._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/Loadkk._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/LoadWin._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/sldrv._dl Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/slman._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/slview._ex Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/Vkeykeyd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip/Vprotkkd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

E:\_EmberDownload\kk2000.zip ZIP: infected - 12 skipped

E:\_EmberDownload\Nero-7.8.5.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

E:\_EmberDownload\Nero-7.8.5.0_eng_trial.exe RAR: infected - 1 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/System-Info/Information/keyfinderpe/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/netcat/files/nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar/plugin/Network/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\_EmberDownload\UBCD4WinV30.exe RarSFX: infected - 9 skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip ZIP: infected - 3 skipped

Scan process completed.


--------------------------------------------------------------------------

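An added triage helper for report lines in the format posted above (my own code, not from the thread, Spybot or Kaspersky; names such as `triage`, `parse_line` and `family` are my own choice). It separates real detections from locked objects and from Kaspersky's "not-a-virus:" riskware tag, which is the distinction Shaba checked with Donny before handing out the cleanup steps; the sample input is a shortened excerpt of the report above.

```python
"""Triage helper for Kaspersky Online Scanner (v5) reports like the one posted above.

Every result line reads '<path> <verdict> <last action>'.  Paths can contain spaces,
so the verdict is matched from the right end of the line instead of splitting on
whitespace.  Objects nested in archives or mailboxes are joined to the host file by '/'.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<ctype>\w+): (?:infected|suspicious) - (?P<count>\d+)"
    r"|Object is locked) "
    r"skipped$"
)
RISKWARE_PREFIX = "not-a-virus:"   # Kaspersky's tag for legitimate but dual-use tools


def family(name):
    """'not-a-virus:Monitor.Win32.KeyKey.121' -> 'Monitor'; 'Trojan-Spy.HTML.Bayfraud.in' -> 'Trojan-Spy'."""
    if name.startswith(RISKWARE_PREFIX):
        name = name[len(RISKWARE_PREFIX):]
    return name.split(".", 1)[0]


def parse_line(line):
    """Return a dict for one result line, or None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # The file that actually exists on disk is everything before the first '/'.
    rec = {"path": path, "host_file": path.split("/", 1)[0], "name": None}
    if m.group("ctype"):
        rec["kind"] = "container"          # summary line repeating its members
        rec["members"] = int(m.group("count"))
    elif m.group("infected"):
        rec["name"] = m.group("infected")
        rec["kind"] = "riskware" if rec["name"].startswith(RISKWARE_PREFIX) else "malware"
    elif m.group("suspicious"):
        rec["name"] = m.group("suspicious")
        rec["kind"] = "suspicious"          # heuristic verdict, e.g. the IFRAME mails
    else:
        rec["kind"] = "locked"              # scanner could not open the file; not a finding
    return rec


def triage(report_text):
    """Group findings by kind and by the on-disk file a responder has to deal with.

    Container summary lines are dropped (their members are listed separately) and
    locked objects are only counted: hives, event logs and index.dat are in use,
    not infected.  Riskware needs a human to confirm it was installed on purpose.
    """
    out = {"locked": 0, "families": Counter(),
           "malware": defaultdict(set), "riskware": defaultdict(set),
           "suspicious": defaultdict(set)}
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "container":
            continue
        if rec["kind"] == "locked":
            out["locked"] += 1
            continue
        out[rec["kind"]][rec["host_file"]].add(rec["name"])
        out["families"][family(rec["name"])] += 1
    for kind in ("malware", "riskware", "suspicious"):
        out[kind] = {f: sorted(names) for f, names in out[kind].items()}
    return out


# Shortened excerpt of the report posted above, used as sample input.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Dani\NTUSER.DAT Object is locked skipped
C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc10.GIF Infected: Trojan-Spy.HTML.Bayfraud.in skipped
C:\RECYCLER\S-1-5-21-2000478354-920026266-839522115-1004\Dc9.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped
E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip ZIP: infected - 3 skipped
E:\_EmberDownload\Video\DivXPro502GAINBundle.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\_Régi gépröl\D\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB/[From asiagumi@asiagumi.com][Date Tue, 5 Dec 2006 20:59:52 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
"""

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    for kind in ("malware", "suspicious", "riskware"):
        print(kind, t[kind])
```
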
Donny
2007-06-18, 00:07
Logfile of HijackThis v1.99.1
Scan saved at 23:56:08, on 2007.06.17.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\PROGRA~1\MICROS~3\wcescomm.exe
E:\PROGRA~1\MICROS~3\rapimgr.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Microsoft ActiveSync\wcesmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\_EmberDownload\Igo GPS térképcucc\Maploader_for_iGO_My_way_2006_Plus_Europe\maploader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\The Bat!\thebat.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\PROGRA~1\MICROS~3\wcescomm.exe"
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D71770-F8A7-47EF-BBCF-4AE7B8A11D7D}: NameServer = 194.149.0.157 194.149.0.156
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Seeing the Kaspersky report I deleted the recycle bin. The strange thing is, I neither seem to have a C:\recycler folder nor an e:\recycler folder. (Windows Explorer is set to SHOW hidden folders.)

best regards
Daniel

Shaba
2007-06-18, 10:48
Hi

Logs look good :)

Still problems?

Donny
2007-06-18, 14:07
Dear Shaba,

no more popups, thanks.

Daniel

Shaba
2007-06-18, 14:11
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with an antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Shaba
2007-06-20, 11:15
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.