js downloader.agent [Archive] - Safer-Networking Forums

skarraman

2007-11-07, 07:03

Yesterday I had AVG throw up a warning about being infected by "js downloader.agent".

After cleaning up thought everything would be okay but this afternoon the computer is starting to slow down and was wondering if anybody could help take a look at the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:53 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
D:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AstSrv.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
d:\Program Files\Complete Time Tracking Pro Server 2\server\bin\CTTproserver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
D:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Complete Time Tracking Pro Server 2\CompleteTimeTrackingPro.exe
D:\Program Files\Complete Time Tracking Pro Server 2\CompleteTimeTrackingPro.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Groove Networks\Groove\Bin\Groove.exe
D:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Archives\Programs\Antivirus - Spyware\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DNS7reminder] "D:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CompleteTimeTrackingPro] "D:\Program Files\Complete Time Tracking Pro Server 2\CompleteTimeTrackingPro.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] d:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dragon NaturallySpeaking.lnk = D:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Global Startup: Groove Virtual Office.lnk = D:\Program Files\Groove Networks\Groove\Bin\Groove.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/AU/install.cab
O16 - DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} (wodTelnetDLX Class) - https://72.47.193.151:8443/vz/ssh/wodTelnetDLX.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444571540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\system32\AstSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Complete Time Tracking Pro Database Server (CTTProDB) - Backslash - d:\Program Files\Complete Time Tracking Pro Server 2\server\bin\CTTproserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - D:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - D:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - D:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - D:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 14470 bytes

Mr_JAk3

2007-11-08, 20:48

Hello and welcome to the Forums :)

Let's run one scanner first...

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

skarraman

2007-11-09, 00:51

Wednesday, November 07, 2007 11:26:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/11/2007
Kaspersky Anti-Virus database records: 424747

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\
D:\

Scan Statistics
Total number of scanned objects 506163
Number of viruses found 5
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 03:50:39

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Backslash\Complete Time Tracking Pro\CompleteTimeTrackingPro.tdb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\accounts\ba2uh5p548v3ybcaurtwx49u9a7s3mcimpby5na\id.xss Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\accounts\ba2uh5p548v3ybcaurtwx49u9a7s3mcimpby5na\id_xss.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\accounts\summary.xss Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\accounts\summary_xss.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\accounts\z856cqbjra2ss7fwvhche5qwyn3cs9pqkzxsehs\id.xss Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\accounts\z856cqbjra2ss7fwvhche5qwyn3cs9pqkzxsehs\id_xss.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\groovemisc.xss Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Groove Networks\Groove\groovemisc_xss.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3984 Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF746C.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFBDB3.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFBDBE.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{976809CD-0FFC-4863-83D8-18ABEA3EB5A5}\RP607\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\app_filter_ui.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Archives\Programs\Adobe\CS2PremDVD\QuickTime\QuickTime7ProCracking.exe/WINDOWS/system32/QuickTimeWebHelper.qtx Infected: Trojan.Win32.Pakes skipped

D:\Archives\Programs\Adobe\CS2PremDVD\QuickTime\QuickTime7ProCracking.exe ZIP: infected - 1 skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovebinaryfilestore.xss Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovecommunicationsservices.xss Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovecommunicationsservices_xss.log Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovedevice.xss Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovedevice_xss.log Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovefetchservices.xss Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Permanent\groovefetchservices_xss.log Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Temporary\csm.xss Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Temporary\csm_xss.log Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Temporary\groove.xss Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Temporary\groove_xss.log Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Temporary\_SystemInstall_\InstallQ.stg Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Groove Networks\Groove\Temporary\__XSSTemp__.xss Object is locked skipped

D:\email\Outlook Express\2005 Archives.dbx/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip/lib2.php Infected: Backdoor.PHP.C99Shell.i skipped

D:\email\Outlook Express\2005 Archives.dbx/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip Infected: Backdoor.PHP.C99Shell.i skipped

D:\email\Outlook Express\2005 Archives.dbx Mail MS Outlook 5: infected - 2 skipped

D:\Program Files\Complete Time Tracking Pro Server 2\server\EMEDIA.lck Object is locked skipped

D:\Program Files\Complete Time Tracking Pro Server 2\server\security.fdb Object is locked skipped

D:\Program Files\Groove Networks\Groove\Data\resources.xss Object is locked skipped

D:\RECYCLER\S-1-5-21-1960408961-1788223648-1801674531-1003\Dd478.bak/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip/lib2.php Infected: Backdoor.PHP.C99Shell.i skipped

D:\RECYCLER\S-1-5-21-1960408961-1788223648-1801674531-1003\Dd478.bak/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip Infected: Backdoor.PHP.C99Shell.i skipped

D:\RECYCLER\S-1-5-21-1960408961-1788223648-1801674531-1003\Dd478.bak Mail MS Outlook 5: infected - 2 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{976809CD-0FFC-4863-83D8-18ABEA3EB5A5}\RP607\change.log Object is locked skipped

D:\wamp\www\Clients\Ballina Chamber of Commerce\New Folder\log.php Infected: Backdoor.PHP.C99Shell.w skipped

D:\wamp\www\Clients\Hortitrade\eBay Fraud\c99.php Infected: HackTool.PHP.Haxplorer.c skipped

D:\wamp\www\Clients\Hortitrade\eBay Fraud\funny.php Infected: Backdoor.PHP.KScr.b skipped

D:\wamp\www\Clients\Hortitrade\eBay Fraud\mail.php Infected: Backdoor.PHP.KScr.b skipped

D:\xampp\apache\logs\access.log Object is locked skipped

D:\xampp\apache\logs\error.log Object is locked skipped

D:\xampp\apache\logs\ssl_request.log Object is locked skipped

D:\xampp\mysql\data\emedia.err Object is locked skipped

Scan process completed.

skarraman

2007-11-09, 00:57

Thanks for looking at this for me.

The scans showed up a couple of PHP exploits that had been uploaded onto a few Web sites I look after that had been hacked over the years (I have kept them as a reference). I am not concerned about these files at the moment.

Dave

Mr_JAk3

2007-11-09, 21:20

OK if you know what those infections are...

D:\Archives\Programs\Adobe\CS2PremDVD\QuickTime\QuickTime7ProCracking.exe/WINDOWS/system32/QuickTimeWebHelper.qtx Infected: Trojan.Win32.Pakes skipped

D:\Archives\Programs\Adobe\CS2PremDVD\QuickTime\QuickTime7ProCracking.exe ZIP: infected - 1 skipped The usage of cracks, keygens etc is illegal and is an easy way to get infected. I'll recommend that you remove these immediately.

So how is the pc running? any issues?

skarraman

2007-11-10, 00:43

That is removed now. I had totally forgotten that it was there and actually never got round to using it in the first place.

The PC seems to be running okay at the moment, does it look clean to you?

Mr_JAk3

2007-11-10, 17:43

Hi :)

Yes looks clean if you really knew these: [quote]D:\email\Outlook Express\2005 Archives.dbx/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip/lib2.php Infected: Backdoor.PHP.C99Shell.i skipped
D:\email\Outlook Express\2005 Archives.dbx/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip Infected: Backdoor.PHP.C99Shell.i skipped
D:\RECYCLER\S-1-5-21-1960408961-1788223648-1801674531-1003\Dd478.bak/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip/lib2.php Infected: Backdoor.PHP.C99Shell.i skipped
D:\RECYCLER\S-1-5-21-1960408961-1788223648-1801674531-1003\Dd478.bak/[From support@alpineinternet.com.au=20][Date Tue, 6 Sep 2005 16:43:30 +1000]/lib2.zip Infected: Backdoor.PHP.C99Shell.i skipped
D:\RECYCLER\S-1-5-21-1960408961-1788223648-1801674531-1003\Dd478.bak Mail MS Outlook 5: infected - 2 skipped
D:\wamp\www\Clients\Ballina Chamber of Commerce\New Folder\log.php Infected: Backdoor.PHP.C99Shell.w skipped
D:\wamp\www\Clients\Hortitrade\eBay Fraud\c99.php Infected: HackTool.PHP.Haxplorer.c skipped
D:\wamp\www\Clients\Hortitrade\eBay Fraud\funny.php Infected: Backdoor.PHP.KScr.b skipped
D:\wamp\www\Clients\Hortitrade\eBay Fraud\mail.php Infected: Backdoor.PHP.KScr.b skipped [/quote

Leftover, Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe ;)

tashi

2007-11-20, 07:20

This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you Mr_JAk3