pop up hell - browser hijacking



chris
2005-12-16, 13:14
Greetings from Belgium,

After running "spybot", "ad aware", "MS antispy beta 1", "Norton Antivirus" and restoring my computer to earlier save point, I was able to remove a lot of junk already, but my browser is still acting up : connection to random sites, pop-ups, ...

Could you pls have a look at the "hijackthis" log below and let me know if something can be done ? I would REALLY appreciate it ...

tia ...

Logfile of HijackThis v1.99.1
Scan saved at 12:00:01, on 16/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\User4\Mijn documenten\mijn downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = betraconv.local
O17 - HKLM\Software\..\Telephony: DomainName = betraconv.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = betraconv.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = betraconv.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = betraconv.local
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

LonnyRJones
2005-12-18, 20:29
Hi chris, Welcome to the forum

Start Hijackthis and place a check next to these items if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Find and delete
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

Post a fresh hijackthis log please, be sure to mention any current problems.

Also a report from this free online scan
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to "use [x] extended database" etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
When finished click save as text and post that in your reply.

chris
2005-12-19, 12:02
Hi Lonny,

thanks for your input : much appreciated :bigthumb: !
I did as you requested and here are the results :
Fresh Hijackthis.log first ... Kaspersky will follow in a separate message ...

Logfile of HijackThis v1.99.1
Scan saved at 9:58:54, on 19/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\User4\Mijn documenten\mijn downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = betraconv.local
O17 - HKLM\Software\..\Telephony: DomainName = betraconv.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = betraconv.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = betraconv.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = betraconv.local
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
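Lonny asked for a fresh log so he can confirm that the O4 entry he flagged is gone. As an added example (not from this thread or from HijackThis itself), this Python script parses two HijackThis logs, diffs their process lists and R/O entries section by section, and checks that no entry containing a given fragment survives; the inputs are constructed excerpts of the two logs posted above.

```python
"""Diff two HijackThis logs to confirm that a fix took (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the first (infected) log posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:00:01, on 16/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
"""

# Constructed excerpt of the fresh log posted after the fix.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:58:54, on 19/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
"""

# Every HijackThis finding starts with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")


def parse_hjt(text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Split a log into its running-process list and its findings grouped by section."""
    processes: Set[str] = set()
    entries: Dict[str, Set[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
            else:
                processes.add(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return processes, entries


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Processes and findings present in one log but not in the other."""
    p_before, e_before = parse_hjt(before)
    p_after, e_after = parse_hjt(after)
    report: Dict[str, List[str]] = {
        "processes_gone": sorted(p_before - p_after),
        "processes_new": sorted(p_after - p_before),
        "entries_gone": [],
        "entries_new": [],
    }
    for section in sorted(set(e_before) | set(e_after)):
        old = e_before.get(section, set())
        new = e_after.get(section, set())
        report["entries_gone"] += [f"{section} - {e}" for e in sorted(old - new)]
        report["entries_new"] += [f"{section} - {e}" for e in sorted(new - old)]
    return report


def fix_confirmed(before: str, after: str, fragment: str) -> bool:
    """True when a finding containing `fragment` was in the old log and none survives."""
    _, e_before = parse_hjt(before)
    _, e_after = parse_hjt(after)
    was_there = any(fragment in e for s in e_before.values() for e in s)
    still_there = any(fragment in e for s in e_after.values() for e in s)
    return was_there and not still_there


if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
    print("ibm00001.exe entry removed:", fix_confirmed(LOG_BEFORE, LOG_AFTER, "ibm00001.exe"))
```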

chris
2005-12-19, 12:04
Kaspersky part 1/2 as follows :

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 19, 2005 10:51:55
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/12/2005
Kaspersky Anti-Virus database records: 166060
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62618
Number of viruses found: 22
Number of infected objects: 76
Number of suspicious objects: 9
Duration of the scan process: 2469 sec

Infected Object Name - Virus Name
C:\Documents and Settings\User4\Local Settings\Application Data\Identities\{65484710-5D57-4F16-BF4F-B331E6287137}\Microsoft\Outlook Express\nomira.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Wed, 18 Sep 2002 08:59:29 +0200]/UNNAMED/QI_TEST.EXE Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Local Settings\Application Data\Identities\{65484710-5D57-4F16-BF4F-B331E6287137}\Microsoft\Outlook Express\nomira.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Wed, 18 Sep 2002 08:59:29 +0200]/UNNAMED Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Local Settings\Application Data\Identities\{65484710-5D57-4F16-BF4F-B331E6287137}\Microsoft\Outlook Express\nomira.dbx Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Local Settings\Application Data\Identities\{65484710-5D57-4F16-BF4F-B331E6287137}\Microsoft\Outlook Express\sinochem liaoning.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Mon, 5 Jan 2004 09:40:48 +0100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Local Settings\Application Data\Identities\{65484710-5D57-4F16-BF4F-B331E6287137}\Microsoft\Outlook Express\sinochem liaoning.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Mon, 5 Jan 2004 09:40:48 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Local Settings\Application Data\Identities\{65484710-5D57-4F16-BF4F-B331E6287137}\Microsoft\Outlook Express\sinochem liaoning.dbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\nomira.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Wed, 18 Sep 2002 08:59:29 +0200]/UNNAMED/QI_TEST.EXE Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\nomira.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Wed, 18 Sep 2002 08:59:29 +0200]/UNNAMED Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\nomira.dbx Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\sinochem liaoning.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Mon, 5 Jan 2004 09:40:48 +0100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\sinochem liaoning.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Mon, 5 Jan 2004 09:40:48 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\sinochem liaoning.dbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Mijn documenten\overgezet van vorige computer\outlook express bestanden\nomira.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Wed, 18 Sep 2002 08:59:29 +0200]/UNNAMED/QI_TEST.EXE Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Mijn documenten\overgezet van vorige computer\outlook express bestanden\nomira.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Wed, 18 Sep 2002 08:59:29 +0200]/UNNAMED Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Mijn documenten\overgezet van vorige computer\outlook express bestanden\nomira.dbx Infected: Email-Worm.Win32.MTX
C:\Documents and Settings\User4\Mijn documenten\overgezet van vorige computer\outlook express bestanden\sinochem liaoning.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Mon, 5 Jan 2004 09:40:48 +0100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Mijn documenten\overgezet van vorige computer\outlook express bestanden\sinochem liaoning.dbx/[From "Kris Van Goethem" <betraco@betraco.be>][Date Mon, 5 Jan 2004 09:40:48 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\User4\Mijn documenten\overgezet van vorige computer\outlook express bestanden\sinochem liaoning.dbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14F05BCA.fr2 Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14F05BCA.fr7 Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17E64163.exe Infected: Packed.Win32.Klone.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18482CF7.exe Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18482CF7.txt Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184C56F4.exe Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184C56F4.txt Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184F00F0.exe Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184F00F0.txt Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1BD22B11.exe Infected: Trojan.Win32.StartPage.agi
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20213770.exe Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20213770.txt Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47303B59.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47336556.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47360F52.exe Infected: Trojan-Downloader.Win32.TSUpdate.o
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\473A394F.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\473D634B.exe Infected: Trojan-Downloader.Win32.TSUpdate.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47433744.exe Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56906C6C.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\64225D80.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65E9156F.exe Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65E9156F.txt Infected: Trojan-Downloader.Win32.Small.buh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C405394.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720365EF.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720365EF.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72060FEB.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab

chris
2005-12-19, 12:05
Kaspersky part 2/2 as follows :

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72060FEB.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720A39E8.exe Infected: Trojan-Downloader.Win32.TSUpdate.n
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77D00F93.exe Infected: Trojan.Win32.StartPage.aw
C:\RECYCLER\S-1-5-21-2767447172-1230933106-4247140004-1139\Dc4.dll Infected: Trojan-PSW.Win32.Sinowal.a
C:\RECYCLER\S-1-5-21-2767447172-1230933106-4247140004-1139\Dc5.exe Infected: Trojan-Spy.Win32.Small.dg
C:\RECYCLER\S-1-5-21-2767447172-1230933106-4247140004-1139\Dc6.dll Infected: Trojan-Spy.Win32.Small.dg
C:\secure-32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\secure32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP275\A0076430.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP275\A0076662.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP275\A0076664.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP275\A0076687.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076695.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076705.exe Infected: Trojan-Downloader.Win32.TSUpdate.n
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076706.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076707.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076708.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076709.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076722.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076723.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP276\A0076733.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP277\A0076736.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP277\A0076751.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP278\A0076755.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP278\A0076756.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP278\A0076793.exe Infected: not-a-virus:AdWare.Win32.Zestyfind
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP278\A0076796.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP279\A0076936.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP279\A0076937.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP279\A0076960.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP281\A0077286.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\kl.exe Infected: Trojan-Spy.Win32.Small.dg
C:\WINDOWS\secure32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\WINDOWS\SYSTEM32\df32gt.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\ktnol7531.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\mv2ol9f31.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\p26s0cj7efo.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\p2p60c7sef.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\pjdkdll.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\scmt16.exe Infected: Trojan-Downloader.Win32.PassAlert.d

Scan process completed.

chris
2005-12-19, 12:39
Lonny,

the internet connections made without my knowledge seem to have stopped.
I no longer get annoying pop-ups on my desktop, neither ... great ! Thank you !

However, the Kaspersky result is still worrying me (except for the files in Norton quarantine, which are contained already and can be easily deleted) ... Although Norton AV currently gives me a clean bill of health, wouldn't it be better to shred these Kaspersky items anyway ?

Thanks
B. Rgds.

chris
2005-12-19, 14:00
Lonny,

When trying to connect to my mailbox online, I find that when I enter my login and password, I always return to the same logon screen : I cannot get access.

When comparing with a clean PC (which easily grants me access), the following are the connection entries on my infected PC which do not show on the clean PC :

m2.2mdn.net (80.15.238.8)
ad.be.doubleclick.net (195.154.195.51)
line18.metriweb.be (212.35.126.168)

can this be related to the Kaspersky problem items ?

Thanks & B. Rgds.
Chris

LonnyRJones
2005-12-19, 14:15
Hi

Manually delete these files
C:\secure-32.html
C:\secure32.html
C:\WINDOWS\kl.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\SYSTEM32\df32gt.dll
C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\ktnol7531.dll
C:\WINDOWS\SYSTEM32\mv2ol9f31.dll
C:\WINDOWS\SYSTEM32\p26s0cj7efo.dll
C:\WINDOWS\SYSTEM32\p2p60c7sef.dll
C:\WINDOWS\SYSTEM32\pjdkdll.dll
C:\WINDOWS\SYSTEM32\scmt16.exe
How did that go ?

Open Outlook and delete all deleted and stored emails for all the accounts

any problems ?
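Lonny's list above is the Kaspersky report reduced to the hits on the live filesystem; the quarantined, restore-point, recycle-bin and mail-store hits each call for a different clean-up step. As an added example (not from this thread or from Kaspersky), this Python script parses report lines of the form `<path> Infected: <name>` and sorts each hit into one of those clean-up classes; the report excerpt is constructed from lines posted earlier in the thread.

```python
"""Triage a Kaspersky on-line scanner report by object location (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the report chris posted (one hit per location class,
# plus the live-filesystem hits Lonny listed for manual deletion).
REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\User4\Mijn documenten\e-mail mappen ME\nomira.dbx Infected: Email-Worm.Win32.MTX
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18482CF7.exe Infected: Trojan-Downloader.Win32.Small.buh
C:\RECYCLER\S-1-5-21-2767447172-1230933106-4247140004-1139\Dc4.dll Infected: Trojan-PSW.Win32.Sinowal.a
C:\secure-32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\secure32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\System Volume Information\_restore{33AFBE27-126D-4274-90DD-0D047E48422F}\RP275\A0076430.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\kl.exe Infected: Trojan-Spy.Win32.Small.dg
C:\WINDOWS\secure32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\WINDOWS\SYSTEM32\df32gt.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\SYSTEM32\scmt16.exe Infected: Trojan-Downloader.Win32.PassAlert.d

Scan process completed.
"""

# "<path> Infected: <name>" or "<path> Suspicious: <name>"; paths may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")


def classify(path: str) -> str:
    """Map a detected object to the clean-up step its location calls for."""
    low = path.lower()
    # Kaspersky separates nested objects with "/", e.g. mail.dbx/[From ...]/attachment.
    if "/" in path or low.endswith(".dbx"):
        return "mail store"        # inside an Outlook Express store: purge the mails
    if "\\quarantine\\" in low:
        return "quarantine"        # already contained by the AV: empty quarantine
    if "\\system volume information\\" in low:
        return "restore point"     # only System Restore can reach it: disable/flush
    if "\\recycler\\" in low:
        return "recycle bin"       # empty the recycle bin
    return "live file"             # on the active filesystem: delete manually


def parse_report(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, verdict, detection name) for every hit line in the report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict"), m.group("name")))
    return hits


def triage(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group hits by clean-up class: {class: [(path, detection name), ...]}."""
    groups: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for path, _verdict, name in parse_report(text):
        groups[classify(path)].append((path, name))
    return dict(groups)


def manual_delete_list(text: str) -> List[str]:
    """The live-filesystem hits, i.e. the files that must be removed by hand."""
    return sorted(path for path, _ in triage(text).get("live file", []))


if __name__ == "__main__":
    for group, hits in sorted(triage(REPORT).items()):
        print(f"[{group}] {len(hits)} object(s)")
        for path, name in hits:
            print(f"    {name:40} {path}")
    print("\nDelete manually:")
    for path in manual_delete_list(REPORT):
        print("   ", path)
```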

chris
2005-12-19, 17:01
Lonny,

I deleted all the files ... none re-appeared after restart.

As for the problem accessing my mail online, that was due to the fact that I had set cookie policy as "block all cookies" (because of the malware and spyware that was hurting me). I've piped it down again and can access it without any problem. Sorry about that ...

I think I'm in the clear and THANK YOU VERY MUCH FOR YOUR ASSISTANCE !

Keep up the great work and a :bighug: to the entire team

LonnyRJones
2005-12-19, 21:03
Post back in a few days to let us know how things are

In the meantime go update Sun's Java manually.
Sun Java V1.5.0_06 is Available: http://java.com/en/index.jsp
Afterwards turn off its auto-updater (it's buggy): in control panel, Java >
update tab, uncheck its option to update automatically.
After you install the newer version it's important to uninstall the old versions, via add/remove programs.

chris
2005-12-20, 19:01
Hi Lonny,

first of all, I did as you advised and updated Sun Java to the latest version, disabling the auto-update and removing previous versions ...

I disabled System Restore to get rid of infected files in the hidden "System Volume Information" folder.

I cleaned all cache files, emptied the bin and rebooted ... and look what I can send you now: thanks to you I haven't got a care in the world now :D :

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 20, 2005 17:45:38
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/12/2005
Kaspersky Anti-Virus database records: 166402
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45178
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 2087 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.


In my book, you're the man, you're :cool: , you're an :angel: ... sorry if I get a bit carried away here, but a simple thanks doesn't seem enough ...

Chris.

LonnyRJones
2005-12-20, 21:07
Looks great

Be sure to turn on System Restore again if you haven't already.

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly.
How did that go?
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

chris
2005-12-21, 12:40
Hi again, Lonny,

:o thanks for reminding me about the System Restore: active again ...
I hadn't even heard of a hosts file ... I read up on it and indeed replaced it: all I had listed was:

127.0.0.1 localhost
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com EVENT:HOST:127.0.0.1
127.0.0.1 www.pacimedia.com
127.0.0.1 www.exactsearch.net
127.0.0.1 www.contextplus.net

I had already visited the "So, how did I get infected in the first place" thread, which is indeed very informative and from which I copied most (if not all) of the recommended settings onto my computer: multiple layers of protection are now activated and I also took Jason's toolbox test (twice) and the only problem I still have is with Java, which can send me to another page or keep me on the same page at will and for which "there is no cure short of disabling Java altogether" ...

As for the computer itself, no problems any longer, but it slowed down a bit, and I hope it will improve once I clean up the registry and defragment ...

Thank you again for sharing your knowledge with less informed users. I will send a link to your "So, how did I get infected in the first place" to my closest friends/relatives, recommending them to spend some time on the forums to pick up some knowledge and to check/improve their own protection ....

I got infected from a legit-looking site, redirecting me to God knows where and producing a pop-up with horizontal rows of multi-coloured small stripes on it - no text at all; when I clicked the cross at the top right-hand side to close the pop-up, another small window opened, informing me that changes were being made to IE ... it only took a few seconds, there wasn't even time to interrupt the internet connection and then I was in pop-up hell. I'm grateful for my much improved protection now, but I don't think I will ever surf the net as relaxed as before, though ...

Chris
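A hosts-file audit along the lines of what the helper in this thread recommends (put a known-good HOSTS file in place and keep an eye on what ends up in it), written here as an added example; it is not code from the thread or from the MVPS project. It assumes Windows HOSTS-format text, and the sample below is constructed, only mirroring the layout of the file Chris posted (a repeated entry, a stray trailing token) plus one hijack-style line.

```python
"""Audit a Windows HOSTS file for signs of tampering (added example).

Parses HOSTS-format text (address, whitespace, one or more hostnames,
optional '#' comment) and reports what a helper would want to see:
duplicate hostnames, hostnames pointed at anything other than a loopback
or null ("blackhole") address, tokens that are not valid hostnames, and
lines that do not parse at all.
"""
import ipaddress
import re
from collections import Counter

# Addresses a blocklist-style HOSTS file (such as the MVPS one) legitimately
# maps unwanted hostnames to. Anything else deserves a second look.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# RFC 1123-style hostname: dot-separated labels of letters, digits and '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample (not a real file): a normal loopback entry, a blocklist
# entry repeated three times, an entry with a stray trailing token, a
# hijack-style entry that sends a hostname to a remote address, and one
# unparseable line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.example-adserver.test
127.0.0.1 www.example-adserver.test
127.0.0.1 www.example-adserver.test
127.0.0.1 adwave.example EVENT:HOST:127.0.0.1
203.0.113.10 www.example-bank.test   # not loopback: possible hijack
this is not a hosts line
"""


def parse_hosts(text):
    """Return (entries, malformed): entries as (lineno, address, [tokens])."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))  # normalised form
        except ValueError:
            malformed.append((lineno, raw))
            continue
        entries.append((lineno, addr, parts[1:]))
    return entries, malformed


def audit_hosts(text):
    """Summarise duplicate, non-sink, badly formed and unparseable entries."""
    entries, malformed = parse_hosts(text)
    seen = Counter()
    non_sink, bad_tokens = [], []
    for lineno, addr, tokens in entries:
        for token in tokens:
            if not HOSTNAME_RE.match(token):
                bad_tokens.append((lineno, token))
                continue
            name = token.lower()
            seen[name] += 1
            if addr not in SINK_ADDRESSES:
                non_sink.append((lineno, addr, name))
    return {
        "entry_count": sum(seen.values()),
        "duplicates": {n: c for n, c in seen.items() if c > 1},
        "non_sink": non_sink,
        "bad_tokens": bad_tokens,
        "malformed": malformed,
    }


def report(text):
    """Human-readable summary of audit_hosts(), suitable for pasting in a thread."""
    r = audit_hosts(text)
    lines = [f"{r['entry_count']} hostname entries"]
    for name, count in sorted(r["duplicates"].items()):
        lines.append(f"duplicate: {name} x{count}")
    for lineno, addr, name in r["non_sink"]:
        lines.append(f"line {lineno}: {name} -> {addr} (not a loopback/null address)")
    for lineno, token in r["bad_tokens"]:
        lines.append(f"line {lineno}: bad hostname token {token!r}")
    for lineno, raw in r["malformed"]:
        lines.append(f"line {lineno}: unparseable: {raw!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HOSTS))
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` and pass its contents to `report()`; a non-sink entry for a site you did not add is the finding to act on.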

LonnyRJones
2005-12-23, 03:43
I'm glad we could help, Chris.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC, let me know.

chris
2006-01-20, 19:52
Dear Lonny,

I tuned my relatives in to your "so how did I get infected in the first place" and I'm sorry to have to return to you with this case: extreme slowdown of laptop after cleaning with Spybot (although the update download always results in "bad checksum", so not the latest definitions), Ad-Aware, Norton Antivirus.

please take a look at hijackthis.log and kaspersky.text scan and see if you can guide me back to the light ...

TIA

PS: you've done it once before for me personally and I have a good feeling already knowing that you guys will be on the case ... keep up the good work: you're doing a great job!

here goes ...

Logfile of HijackThis v1.99.1
Scan saved at 18:25:41, on 20/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\De Smedt Alice\Mijn documenten\downloads van internet\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: (no name) - {0E677229-E309-4341-81BD-3CC3018BF5B3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Search Using Copernic Meta - res://C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll/HTML/SearchExt
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

KASPERSKY scan results as follows :

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 20, 2006 18:20:37
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/01/2006
Kaspersky Anti-Virus database records: 172098
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44537
Number of viruses found: 19
Number of infected objects: 89
Number of suspicious objects: 0
Duration of the scan process: 3897 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Stanny Van Goethem\Menu Start\Programma's\Opstarten\DLHelperEXE.exe Infected: not-a-virus:AdWare.Win32.Thumper.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0196374A.tmp Infected: Email-Worm.Win32.Bagle.eg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\02AB3A4F.exe Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07763602.cla Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\077E568A.tmp Infected: Email-Worm.Win32.Bagle.cu
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09E861DD.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C4A08A5.tmp Infected: Email-Worm.Win32.Bagle.eg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C954E53.tmp Infected: Email-Worm.Win32.Bagle.eg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\12523F6A.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15781DDB.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\16B4371F.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19DE10FA.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D9B2FC9.exe/PgSDK.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D9B2FC9.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D9E59C5.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DA203C1.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DA52DBE.dll Infected: Trojan.Win32.Dialer.cp
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DA52DBE.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DA857BA.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DAC01B7.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DAF2BB3.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DB255AF.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DB57FAC.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DB929A8.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DBC53A5.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DBF7DA1.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DC2279D.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DC6519A.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DC97B96.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DCC2593.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20936362.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\210959DA.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27B3355D.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2C9915D9.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2CFF0BE0.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\365E1689.tmp/[From webmaster@brugge.hcw.be][Date Fri, 06 May 2005 18:11:43 GMT]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\365E1689.tmp Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\382951D7.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388F47DF.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A474EAD.tmp Infected: Email-Worm.Win32.Bagle.pac
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A9D4EC1.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F2C3922.tmp/[From webmaster@brugge.hcw.be][Date Fri, 06 May 2005 18:11:43 GMT]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F2C3922.tmp Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F5A04EF.tmp/[From t.laethem@pandora.be][Date Sat, 07 May 2005 13:49:29 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F5A04EF.tmp Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F672CE1.tmp/[From ann.claessen@skynet.be][Date Sun, 08 May 2005 15:19:51 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F672CE1.tmp Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F7B28CB.tmp/[From root@srv101.14theweb.be][Date Mon, 09 May 2005 08:49:40 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F7B28CB.tmp Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4199072A.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41BD20BD.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42B33EF9.cla Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\442003DE.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4463551C.tmp/[From webmaster@brugge.hcw.be][Date Fri, 06 May 2005 18:11:43 GMT]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4463551C.tmp Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48DE72B8.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FB03FDC.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FFE44B4.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\571E16B0.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59A221BC.cla Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59AC1FB1.exe Infected: Trojan-Downloader.Win32.Small.bmk
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B407BDB.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B5D48EE.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C5C18E6.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D7373A7.exe Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D771DA3.exe Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D7A479F.exe Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D7D719C.exe Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D801B98.exe Infected: Trojan.Win32.Dialer.dv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D920731.cla Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EC0661B.jar/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EC0661B.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EC0661B.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EC0661B.jar Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\661264DC.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66D137D9.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67372DE1.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A083013.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7128020F.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\726173D8.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7848540B.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7E5825DE.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7E634DFD.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p
C:\RECYCLER\S-1-5-21-793999233-1815002781-3652652152-1007\Dc2.cab/speer.dll Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\RECYCLER\S-1-5-21-793999233-1815002781-3652652152-1007\Dc2.cab Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\WINDOWS\SYSTEM32\fcithx.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
C:\WINDOWS\SYSTEM32\ntopengl.exe Infected: Trojan.Win32.Dialer.cp
C:\WINDOWS\SYSTEM32\onckpdp.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
C:\WINDOWS\SYSTEM32\rcron.exe Infected: Trojan.Win32.Dialer.cp

Scan process completed.

LonnyRJones
2006-01-20, 20:46
Hi Chris

This is the same PC, correct?

See here about the "bad checksum" message
http://www.safer-networking.org/en/faq/20.html

Did selecting another server help?


Manually delete these files; careful, exact spelling counts.
C:\Documents and Settings\Stanny Van Goethem\Menu Start\Programma's\Opstarten\DLHelperEXE.exe
C:\WINDOWS\SYSTEM32\fcithx.dll
C:\WINDOWS\SYSTEM32\ntopengl.exe
C:\WINDOWS\SYSTEM32\onckpdp.dll
C:\WINDOWS\SYSTEM32\rcron.exe

How did that go?

Download ("save") winpfind.zip by OldTimer from
http://www.bleepingcomputer.com/files/winpfind.php
Extract the file inside to the desktop, open the winpfind folder, run the file
winpfind.exe, click scan, and post the results.

chris
2006-01-23, 19:28
Hi again, Lonny,

It's a different computer: my mom's laptop ... that's why I started a new thread.

None of the Spybot servers got me the update this time ... I updated with the .exe and ran it again: I got rid of 8 nasties that way.

deleted all the files as suggested.

scan result as attached.

THANKS
Chris

LonnyRJones
2006-01-23, 19:42
OK, different PC.

Go here and submit
C:\WINDOWS\SYSTEM32\web.exe
http://www.virustotal.com/flash/index_en.html

Fix these items with HijackThis:
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: (no name) - {0E677229-E309-4341-81BD-3CC3018BF5B3} - (no file)
===================================
The Spybot update problems are probably due to improper proxy settings:
http://www.safer-networking.org/en/faq/10.html

Or SSD got set to use them and they aren't needed:
http://www.safer-networking.org/en/howto/proxy.html

Are there any problems besides that?
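To show how the "(no file)" / "(file missing)" entries Lonny tells Chris to fix can be picked out of a HijackThis log mechanically, here is an added example; it is not part of the thread and not HijackThis's own code. It assumes the HijackThis 1.99 log layout seen earlier in the thread; the sample log is constructed from the page's own entries plus one made-up O4 line ([webloader] web.exe) so that the autostart cross-check has something to report.

```python
"""Triage a HijackThis 1.99 log (added example, not HijackThis's own code).

Two checks the helper in this thread makes by eye: entries whose target
file no longer exists ("(no file)" / "(file missing)"), which are dead
registry references HijackThis can safely fix, and O4 Run entries whose
executable is absent from the "Running processes" section, which deserve
a closer look (disabled, already deleted, or something that only runs
briefly at boot).
"""
import re

ITEM_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
EXE_SUFFIXES = (".exe", ".com", ".dll", ".scr", ".bat")

# Constructed sample: the process list and the R0/O2/O3/O4/O16 lines are
# copied from the log posted in this thread; the [webloader] line is made up
# so the autostart cross-check has a second hit.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 18:25:41, on 20/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\QuickTime\qttask.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [webloader] C:\WINDOWS\SYSTEM32\web.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
""".strip("\n")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def executable_of(cmd):
    """File name of the program a Run command launches.

    Handles a quoted path, a bare name with arguments, and an unquoted
    path containing spaces (joins tokens until one ends in a program suffix).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return basename(cmd[1:end] if end > 0 else cmd[1:])
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_SUFFIXES):
            return basename(candidate)
    return basename(tokens[0]) if tokens else ""


def parse_hijackthis(text):
    """Return (running_processes, [(section_code, line), ...])."""
    running, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                running.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group("code"), line))
    return running, items


def find_orphans(items):
    """Entries that point at a file HijackThis could not find."""
    return [line for _, line in items if line.endswith(ORPHAN_MARKERS)]


def autostart_not_running(running, items):
    """O4 Run entries whose executable is not in the process list."""
    live = {basename(p) for p in running}
    hits = []
    for code, line in items:
        m = O4_RUN_RE.match(line) if code == "O4" else None
        if m:
            exe = executable_of(m.group("cmd"))
            if exe and exe not in live:
                hits.append((m.group("name"), exe))
    return hits


if __name__ == "__main__":
    procs, entries = parse_hijackthis(SAMPLE_LOG)
    print("Fix these items with HijackThis:")
    for line in find_orphans(entries):
        print("  " + line)
    print("Autostart entries not currently running (check these by hand):")
    for name, exe in autostart_not_running(procs, entries):
        print(f"  [{name}] {exe}")
```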

chris
2006-01-26, 10:19
Lonny,

system32/web.exe result as follows:

This is a report processed by VirusTotal on 01/26/2006 at 09:15:10 (CET) after scanning the file "web.exe" file.
Antivirus Version Update Result
AntiVir 6.33.0.77 01.26.2006 no virus found
Avast 4.6.695.0 01.25.2006 no virus found
AVG 718 01.25.2006 no virus found
Avira 6.33.0.77 01.25.2006 no virus found
BitDefender 7.2 01.26.2006 no virus found
CAT-QuickHeal 8.00 01.25.2006 no virus found
ClamAV devel-20051123 01.26.2006 Dialer-159
DrWeb 4.33 01.25.2006 DLOADER.Trojan
eTrust-InoculateIT 23.71.60 01.25.2006 no virus found
eTrust-Vet 12.4.2056 01.25.2006 no virus found
Ewido 3.5 01.25.2006 no virus found
Fortinet 2.54.0.0 01.26.2006 no virus found
F-Prot 3.16c 01.25.2006 no virus found
Ikarus 0.2.59.0 01.25.2006 no virus found
Kaspersky 4.0.2.24 01.26.2006 no virus found
McAfee 4682 01.25.2006 potentially unwanted program Dialer-Generic
NOD32v2 1.1380 01.25.2006 a variant of Win32/Dialer.CP
Norman 5.70.10 01.25.2006 no virus found
Panda 9.0.0.4 01.25.2006 Suspicious file
Sophos 4.01.0 01.26.2006 no virus found
Symantec 8.0 01.26.2006 no virus found
TheHacker 5.9.3.081 01.26.2006 Dialer/Generic
UNA 1.83 01.25.2006 no virus found
VBA32 3.10.5 01.25.2006 no virus found

Fixed the 3 entries with HijackThis ...

Can something be done to clean up the registry? It takes an awfully long time to start up or shut down ...

Tia !
Chris

LonnyRJones
2006-01-26, 10:46
Hi
Delete that web.exe file.
Programs to clean up the registry are risky and usually cause more problems, and would probably have no effect on the startup and shutdown speeds.
Probably the best thing you could do is exchange Norton for another program.

Since an email worm was in the Kaspersky log, I suggest running a few more online scans.

Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.

TrendMicro™ HouseCall Java Scan

Please go HERE (http://www.trendmicro.com/hc_intro/default.asp) to run the Trend Micro™ HouseCall Scan.
Click Scan now. It's free!
Read and put a Check next to Yes I accept the terms of use.
Click the Launching HouseCall>> button.
If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
You may receive a Security Warning about the TrendMicro Java applet, click YES.
Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
Please be patient while it installs, updates, and scans your system.
Once the scan is complete, it will take you to the summary page.
Under Cleanup options, choose clean all detected infections automatically.
Click the Clean now>> button.
If anything was found you will be prompted to run the scan again; you can just close the browser window.

chris
2006-01-28, 14:03
OK, Lonny, here goes:

web.exe wiped

activescan attached

trendmicro scan yielded 9 infections : all removed.

Instead of Norton: Kaspersky or other?

Tia

LonnyRJones
2006-01-28, 14:21
Delete C:\WINDOWS\run.cxq if you haven't already.

If your PC is problem-free now,
purge the old System Restore points:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

tashi
2006-02-03, 19:03
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm LonnyRJones.

Glad we could help and thank you Lonny. :)