Vcodec: please help



jazzm
2006-01-06, 04:28
Hello,

I can't get rid of Vcodec on Win XP Pro. I've tried running SpyBot a couple of times but it keeps coming back. I've also run AdAware and AVG.

Your help is greatly appreciated.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:46 PM, on 05/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\hjt\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitchforkmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp9B65.tmp (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab
O16 - DPF: {DE4735F3-7532-4895-93DC-911111111173} - http://afris.biz/ex.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A2A51E9-52B3-4EB8-9776-7417C155C07E}: NameServer = 206.123.6.11 206.123.6.10
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
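
The log above is the artefact the rest of the thread is read from. As an added example (not part of jazzm's post, and not a HijackThis feature), the Python script below applies the checks a removal helper makes by eye to the R0/R1/R3, O2, O4 and O16 entries of a 1.99.1 log: search and start pages forced to about:blank or blanked outright, an O2 BHO whose DLL is a .tmp or already gone, an O4 Run value named after a Windows binary, and O16 ActiveX downloads from a bare IP, a raw .exe, or a host on a block list. The SUSPECT_HOSTS and DECOY_RUN_NAMES sets are assumptions seeded from this thread, not a published list; the sample lines are copied from the log above.

```python
"""Triage a HijackThis 1.99.1 log the way a malware-removal helper reads it.

Added example, not code from the thread or from HijackThis. The suspect-host
and decoy-name lists below are assumptions seeded from the log in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Hosts the hijacked entries in this thread point at (assumed bad for the example).
SUSPECT_HOSTS = {"searchdot.net", "zangocash.com", "afris.biz"}
# Run-key value names that borrow the name of a Windows binary (assumption).
DECOY_RUN_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "rundll32.exe"}

_R_LINE = re.compile(r"^(R[0-3]) - (.*)$")
_O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
_O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R1", "O16"
    reason: str
    line: str


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_suspect(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SUSPECT_HOSTS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an entry worth fixing, or None for one that looks benign."""
    line = line.strip()
    m = _R_LINE.match(line)
    if m:
        section, rest = m.groups()
        if section == "R3" and "is missing" in rest:
            return Finding("R3", "URLSearchHook removed, typical of search hijackers", line)
        key, _, value = rest.partition(" =")   # split on the first " =" after the key name
        value = value.strip()
        if value == "":
            return Finding(section, "value blanked by the hijacker", line)
        if value == "about:blank" and ("Search" in key or "Default_Page_URL" in key):
            return Finding(section, "search/default page forced to about:blank", line)
        if value.startswith("http") and _is_suspect(_host_of(value)):
            return Finding(section, "search URL points at %s" % _host_of(value), line)
        return None
    m = _O2_LINE.match(line)
    if m:
        path = m.group(3)
        if "(file missing)" in path or path.lower().endswith(".tmp"):
            return Finding("O2", "BHO loaded from a .tmp or already-deleted file", line)
        return None
    m = _O4_LINE.match(line)
    if m:
        hive, name, _cmd = m.groups()
        if name.lower() in DECOY_RUN_NAMES:
            return Finding("O4", "Run value named like a system binary (%s) under %s" % (name, hive), line)
        return None
    m = _O16_LINE.match(line)
    if m:
        url = m.group(3)
        host = _host_of(url)
        if _IPV4.match(host):
            return Finding("O16", "ActiveX package served from a bare IP address", line)
        if _is_suspect(host):
            return Finding("O16", "ActiveX package from adware host %s" % host, line)
        if url.lower().endswith(".exe"):
            return Finding("O16", "DPF points at a raw .exe rather than a .cab", line)
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Entries copied from the first HijackThis log in this thread (benign ones included).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitchforkmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp9B65.tmp (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab
O16 - DPF: {DE4735F3-7532-4895-93DC-911111111173} - http://afris.biz/ex.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-4s %-50s %s" % (f.section, f.reason, f.line[:60]))
```

Run on the sample it returns ten findings and leaves the pitchforkmedia start page, the AVG Run entry, the PopCap loader and the NVIDIA service alone. Treat the output as a triage list rather than a verdict: the QuickTime installer entry in the full log above would also trip the raw-.exe rule, which is why a human still reads every flagged line before ticking it in HijackThis.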

LonnyRJones
2006-01-09, 09:35
Hello

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your desktop. (By noahdfear.)
Double click on the file to extract it to its own folder on the desktop.

Please download the trial version of Ewido Security Suite here:
ewido security suite: http://www.ewido.net/en/download/
Install it, then from within the program check for updates, BUT don't scan yet.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), close the program.
Do NOT run a scan yet.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Start HijackThis and place a check next to these items, if present.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp9B65.tmp (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - hxxp://static.zangocash.com/cab/Zango/ie/bridge-c11.cab
O16 - DPF: {DE4735F3-7532-4895-93DC-911111111173} - hxxp://afris.biz/ex.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - hxxp://66.230.146.53/EPlugin.cab
====================================
Hit Fix checked and close HijackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and Disk Cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Spybot, check for and fix any problems found.


Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: In some scans ewido is reporting false positives.
You will need to step through the process of cleaning files one by one.
If ewido detects a file you KNOW to be legitimate, select None as the action.
DO NOT select "Perform action on all infections".
If you are unsure of any entry found, select None for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Restart back to a normal Windows session.
Next go to Control Panel, click Display > Desktop > Customize Desktop > Web and uncheck "Security Info" if present. Then click the Appearance tab, under "Windows and buttons" change it to Windows XP style, and click Apply and OK.

Get this free online scan and post the results.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click Scan settings and place a check next to "[x] use extended database" etc. Click OK.
Then choose My Computer: scan all your hard drives and mapped disks.
When finished, click Save as text and post that in your reply.
Post a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log by using Add Reply.
Let us know if any problems persist.

tashi
2006-01-12, 16:55
Hello jazzm, how is it going?

jazzm
2006-01-13, 01:16
Sorry for the delay! Seems like that worked. :) The Kaspersky scan does not look good though!
Thank you, this is really appreciated.

Here are the logs:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/01/2006
The current time is: 0:28:47.78

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

netwrap.dll
wbeconm.dll
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)






----------------------------------------------------------------------------


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:46:37 AM, 12/01/2006
+ Report-Checksum: 8DD6C319

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{29B25401-5964-022D-3AC2-C7207FEFF994} -> Spyware.CoolWebSearch : Cleaned with backup
C:\cmd.hta -> Trojan.HTA.Zones.a : Cleaned with backup
:mozilla.15:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.23:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.40:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.41:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.44:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.45:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.46:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.47:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.49:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.53:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.54:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.6:C:\Documents and Settings\sthilair\Application Data\Mozilla\Profiles\default\0yeo398z.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\sthilair\Application Data\Mozilla\Profiles\default\0yeo398z.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\sthilair\Application Data\Phoenix\Profiles\default\j2jnbjo1.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.10:C:\Documents and Settings\sthilair\Application Data\Phoenix\Profiles\default\j2jnbjo1.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.11:C:\Documents and Settings\sthilair\Application Data\Phoenix\Profiles\default\j2jnbjo1.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.23:C:\Documents and Settings\sthilair\Application Data\Phoenix\Profiles\default\j2jnbjo1.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\sthilair\Application Data\Phoenix\Profiles\default\j2jnbjo1.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-6b558204-3e4d44a8.class -> Trojan.Java.ClassLoader.f : Cleaned with backup
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4ffef27c-123054f3.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-60a30b26-3c9c5477.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-51cccb7c-71e9eb94.class -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-1b4d19b9-4e15a286.class -> Trojan.Java.Femad : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnCA95.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\KB825119.log:ahaiu -> Downloader.Agent.pe : Cleaned with backup


::Report End



------------------------------------------------------------------------------------



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, January 12, 2006 09:38:40
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/01/2006
Kaspersky Anti-Virus database records: 170653
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 91164
Number of viruses found: 16
Number of infected objects: 40
Number of suspicious objects: 8
Duration of the scan process: 5679 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Search3.zip/mssvr.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Search3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-253803cf-29d0bc27.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-6b3dd0ac.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-6b3dd0ac.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-6b3dd0ac.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-6b3dd0ac.zip Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c4f5aab-5c5c328a.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c4f5aab-5c5c328a.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c4f5aab-5c5c328a.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c4f5aab-5c5c328a.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f336957-530deb2b.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f336957-530deb2b.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f336957-530deb2b.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f336957-530deb2b.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-3d85b97e-4c1f980c.zip/Beyond.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-3d85b97e-4c1f980c.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-3d85b97e-4c1f980c.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-3d85b97e-4c1f980c.zip Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-24264c3f.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-24264c3f.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-24264c3f.zip Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv467.jar-1c6d66dc-41880a22.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv467.jar-1c6d66dc-41880a22.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv467.jar-1c6d66dc-41880a22.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv467.jar-1c6d66dc-41880a22.zip Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\sthilair\Local Settings\Temp\keywordsinc.exe/data0003/data0003/data0001 Infected: Trojan-Downloader.NSIS.Agent.c
C:\Documents and Settings\sthilair\Local Settings\Temp\keywordsinc.exe/data0003/data0003 Infected: Trojan-Downloader.NSIS.Agent.c
C:\Documents and Settings\sthilair\Local Settings\Temp\keywordsinc.exe/data0003 Infected: Trojan-Downloader.NSIS.Agent.c
C:\Documents and Settings\sthilair\Local Settings\Temp\keywordsinc.exe Infected: Trojan-Downloader.NSIS.Agent.c
C:\Documents and Settings\sthilair\Local Settings\Temp\Rem22A.exe Suspicious: not-a-virus:AdWare.Win32.Lop
C:\Documents and Settings\sthilair\Local Settings\Temp\Rem22F.exe Suspicious: not-a-virus:AdWare.Win32.Lop
C:\Program Files\Microsoft SDK\Help\ShellCC.hxs/stream/platform/commctls/listview/messages/lvm_gettooltips.htm Suspicious: Trojan.Win32.Zapchast.al
C:\Program Files\Microsoft SDK\Help\ShellCC.hxs/stream/platform/commctls/listview/messages/lvm_settooltips.htm Suspicious: Trojan.Win32.Zapchast.al
C:\Program Files\Microsoft SDK\Help\ShellCC.hxs/stream Suspicious: Trojan.Win32.Zapchast.al
C:\Program Files\Microsoft SDK\Help\ShellCC.hxs Suspicious: Trojan.Win32.Zapchast.al
C:\WINDOWS\Ascd_tmp.ini:oykguz:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\DtcInstall.log:wtzyak:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\KB824141.log:zsjgkr:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\KB833987.log:titowp:$DATA Infected: Trojan-Downloader.Win32.Agent.pe
C:\WINDOWS\KB888302.log:axupzc:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\QTFont.for:wtyede:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\sessmgr.setup.log:ighypd:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\wtyed.dat:oqgnnw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:aikkwd:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:ploevi:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:uodrzw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:xldhdh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq

Scan process completed.


---------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 9:40:52 AM, on 12/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitchforkmedia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A2A51E9-52B3-4EB8-9776-7417C155C07E}: NameServer = 206.123.6.11 206.123.6.10
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
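
The Kaspersky report above is where the infection's persistence trick shows: the payload is stored in NTFS alternate data streams attached to harmless-looking files under C:\WINDOWS (KB*.log, _default.pif, QTFont.for), and ewido's `KB825119.log:ahaiu` line is the same thing in a different notation. As an added example (the editor's code, not the thread's or either vendor's), the Python below normalises lines from both report formats into one record, telling a stream colon from the drive-letter colon and an archive member from a stream, then groups the streams under their host file so the host can be kept and only the stream removed. The format rules are read off the report lines in this thread rather than from a published spec, and the sample lines are copied from the two reports above.

```python
"""Normalise ewido and Kaspersky on-line scanner report lines and single out the
detections that live in NTFS alternate data streams (ADS).

Added example, not code from the thread or from either scanner; the line formats
are read off the reports in this thread, not taken from a published spec.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# ewido:      <object> -> <verdict> : <action>
_EWIDO = re.compile(r"^(.+?) -> (\S+) : .+$")
# Kaspersky:  <object> Infected: <verdict>   or   <object> Suspicious: <verdict>
_KAV = re.compile(r"^(.+?) (Infected|Suspicious): (.+)$")
# Kaspersky prints a stream as host:stream:$DATA; ewido prints just host:stream
_ADS_KAV = re.compile(r"^(.*?):([^:\\/]+):\$DATA$")
_COOKIE = re.compile(r"^:(mozilla\.\d+):(.+)$")      # ewido cookie record inside cookies.txt
_ARCHIVE = re.compile(r"^(.*?\.(?:zip|jar|hxs|exe))/(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    scanner: str
    host: str       # the file (or registry key) actually present on disk
    inner: str      # stream name, archive member or cookie record inside it; "" if none
    is_ads: bool
    verdict: str


def split_object(obj: str) -> Tuple[str, str, bool]:
    """Separate the on-disk host from whatever the scanner found inside it.
    The drive-letter colon is skipped, so any later colon marks a stream name."""
    m = _COOKIE.match(obj)
    if m:
        return m.group(2), m.group(1), False
    m = _ADS_KAV.match(obj)
    if m:
        return m.group(1), m.group(2), True
    if not re.match(r"^[A-Za-z]:\\", obj):          # registry key or other non-file object
        return obj, "", False
    drive, rest = obj[:2], obj[2:]
    if ":" in rest:                                  # ewido-style host:stream
        host, stream = rest.split(":", 1)
        return drive + host, stream, True
    m = _ARCHIVE.match(obj)                          # C:\...\x.zip/Member.class
    if m:
        return m.group(1), m.group(2), False
    return obj, "", False


def parse_report(scanner: str, text: str) -> List[Detection]:
    pattern = _EWIDO if scanner == "ewido" else _KAV
    out: List[Detection] = []
    for raw in text.splitlines():
        m = pattern.match(raw.strip())
        if not m:
            continue
        verdict = m.group(2) if scanner == "ewido" else m.group(3)
        host, inner, ads = split_object(m.group(1))
        out.append(Detection(scanner, host, inner, ads, verdict))
    return out


def ads_by_host(dets: List[Detection]) -> Dict[str, Set[str]]:
    """Group stream names under their host file. The host (a KB*.log, a .pif) is
    usually a legitimate Windows file; the named stream is what carries the payload."""
    groups: Dict[str, Set[str]] = {}
    for d in dets:
        if d.is_ads:
            groups.setdefault(d.host, set()).add(d.inner)
    return groups


# Lines copied from the two reports in this thread.
EWIDO_SAMPLE = r"""
HKLM\SOFTWARE\Classes\CLSID\{29B25401-5964-022D-3AC2-C7207FEFF994} -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.15:C:\Documents and Settings\sthilair\Application Data\Mozilla\Firefox\Profiles\zx4hnh3b.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnCA95.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\KB825119.log:ahaiu -> Downloader.Agent.pe : Cleaned with backup
"""
KAV_SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Search3.zip/mssvr.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\sthilair\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1c4f5aab-5c5c328a.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\sthilair\Local Settings\Temp\keywordsinc.exe/data0003/data0003 Infected: Trojan-Downloader.NSIS.Agent.c
C:\WINDOWS\KB824141.log:zsjgkr:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:aikkwd:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:ploevi:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:uodrzw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default.pif:xldhdh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
"""

ALL = parse_report("ewido", EWIDO_SAMPLE) + parse_report("kaspersky", KAV_SAMPLE)

if __name__ == "__main__":
    for host, streams in sorted(ads_by_host(ALL).items()):
        print(host, "->", ", ".join(sorted(streams)))
```

Knowing the host file matters for the fix: deleting KB824141.log itself is harmless, but deleting _default.pif or QTFont.for is not, and on Windows the streams can be listed and removed by name (for example with the Sysinternals `streams` utility) without touching the host. Note also that the archive members (the Java cache .jar files, the NSIS installer in Temp) are a different case: there the whole container is the thing to remove, which is why the next reply clears the Java cache rather than picking classes out of it.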

LonnyRJones
2006-01-14, 04:21
Hi
Download AboutBuster to your desktop, extract the files and run the program
http://www.downloads.subratam.org/AboutBuster.zip

Start HijackThis and place a check next to these items, if present.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R3 - Default URLSearchHook is missing
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clear Sun Java's cache: Control Panel > Java Plug-in > Cache tab > hit Clear!
Update Sun's Java manually
Sun Java V1.5.0_06 is available: http://java.com/en/index.jsp
Afterwards turn off its auto-updater (it's buggy): in Control Panel > Java >
Update tab, uncheck its option to update automatically.
After you install the newer version it is important to uninstall the old versions via Add/Remove Programs.
Uninstall Acrobat Reader 5.0, then get the latest version
(you can uncheck the Yahoo toolbar and Photoshop items)
http://www.adobe.com/products/acrobat/readstep2.html

Post a fresh HijackThis log and mention any current problems

jazzm
2006-01-16, 03:57
Thank you for all your help :bigthumb:. Here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:01 PM, on 15/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A2A51E9-52B3-4EB8-9776-7417C155C07E}: NameServer = 206.123.6.11 206.123.6.10
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

LonnyRJones
2006-01-16, 05:55
Looks good.
Be sure to visit Windows Update now and every month.
Are there any lingering problems?

tashi
2006-01-22, 07:42
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please PM me.
Glad we could help.