
Thread: HIJACKTHIS log attached - Recently attacked by Trojan.Dropper.. run

  1. #1
    Junior Member
    Join Date
    Sep 2006
    Posts
    19

    HIJACKTHIS log attached - Recently attacked by Trojan.Dropper.. run

    Ran both Ad-Aware SE and Spybot S&D.. fully updated, fully immunized.. ran Spybot S&D in safe mode as well. Thought all was well until I came back online and a browser window popped up advertising some kind of cell phone.

    Here is my HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 2:45:32 AM, on 9/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Common Files\{4062BE82-072D-1033-1205-030523010001}\Update.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\kt0ql7d51.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
    O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

  2. #2
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Welcome aboard

    Please download Combofix to your desktop:
    • Double-click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  3. #3
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Here you go - I think the popups might have stopped..

    Shall I post a new HJT as well? Thanks by the way!



    Craig Flannagan - 06-09-17 3:26:21.00 Service Pack 2
    ComboFix 06.09.14 - Running from: C:\Documents and Settings\Craig Flannagan\Desktop

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\system32\jt6407jqe.dll
    C:\WINDOWS\system32\kt0ql7d51.dll
    C:\WINDOWS\system32\wgnsta.dll
    C:\WINDOWS\system32\guard.tmp


    Granting sedebugprivilege to Administrators ... successful


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\crunner
    C:\Program Files\Common Files\{4062BE82-072D-1033-1205-030523010001}

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Craig Flannagan\Application Data\CURITY~1
    C:\QooBox\Purity\WINDOWS\system32\RACLE~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-17 to 2006-09-17 ))))))))))))))))))))))))))))))))))


    2006-09-17 03:17 40,960 --a------ C:\Look2Me-Destroyer.exe
    2006-09-17 00:08 240,000 -r-hs---- C:\WINDOWS\eenyseaA.exe
    2006-09-17 00:07 1,147,824 -r-hs---- C:\WINDOWS\eenysea.exe
    2006-08-31 00:40 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2006-08-29 21:41 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-17 03:26 -------- d-------- C:\Program Files\Common Files
    2006-09-17 02:01 -------- d-------- C:\Program Files\MSN Gaming Zone
    2006-09-17 01:43 -------- d-------- C:\Program Files\Lavasoft
    2006-09-17 01:43 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Lavasoft
    2006-09-17 00:10 -------- d-------- C:\Program Files\PartyPoker
    2006-09-17 00:07 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    2006-09-17 00:07 -------- d-------- C:\Program Files\NetMeeting
    2006-09-17 00:07 -------- d-------- C:\Program Files\Internet Explorer
    2006-09-16 22:37 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-09-08 22:17 -------- d-------- C:\Program Files\Lumigent
    2006-09-07 07:31 -------- d-------- C:\Program Files\Symantec
    2006-09-05 19:21 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-05 19:21 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Symantec
    2006-09-03 21:07 -------- d---s---- C:\Documents and Settings\Craig Flannagan\Application Data\Microsoft
    2006-09-01 20:02 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Azureus
    2006-09-01 17:21 -------- d-------- C:\Program Files\Azureus
    2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    2006-08-30 23:28 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\AdobeUM
    2006-08-29 21:41 -------- d-------- C:\Program Files\Railroad Tycoon 3
    2006-08-29 21:34 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-29 21:33 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsc2FF.dll
    2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsc299.dll
    2006-08-08 23:17 -------- d-------- C:\Program Files\VoxCode
    2006-08-08 23:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-08 22:58 -------- d-------- C:\Program Files\Microsoft SQL Server
    2006-08-08 22:48 -------- d-------- C:\Program Files\SQLXML 4.0
    2006-08-08 22:38 -------- d-------- C:\Program Files\Microsoft Analysis Services
    2006-08-08 22:23 -------- d-------- C:\Program Files\IGN
    2006-08-08 22:12 -------- d-------- C:\Program Files\Crimson Editor
    2006-08-08 22:11 -------- d-------- C:\Program Files\Macromedia
    2006-08-08 22:11 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Macromedia
    2006-08-08 21:46 -------- d-------- C:\Program Files\MSDN
    2006-08-08 21:42 -------- d-------- C:\Program Files\Microsoft.NET
    2006-08-08 21:41 -------- d-------- C:\Program Files\Microsoft Device Emulator
    2006-08-08 21:40 -------- d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
    2006-08-08 21:33 -------- d-------- C:\Program Files\MSBuild
    2006-08-08 21:33 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
    2006-08-08 21:33 -------- d-------- C:\Program Files\HTML Help Workshop
    2006-08-08 21:32 -------- d-------- C:\Program Files\Common Files\Merge Modules
    2006-08-08 21:26 -------- d-------- C:\Program Files\Common Files\Business Objects
    2006-08-08 21:24 -------- d-------- C:\Program Files\CE Remote Tools
    2006-08-08 21:22 -------- d-------- C:\Program Files\Microsoft Office
    2006-08-07 08:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll
    2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 18:46 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Mozilla
    2006-07-25 00:39 -------- d-------- C:\Program Files\Messenger
    2006-07-25 00:38 -------- d-------- C:\Program Files\Windows Media Player
    2006-07-25 00:35 -------- d-------- C:\Program Files\Outlook Express
    2006-07-25 00:35 -------- d-------- C:\Program Files\Common Files\System
    2006-07-24 22:41 -------- d-------- C:\Program Files\D-Link
    2006-07-24 22:41 -------- d-------- C:\Program Files\ANI
    2006-07-24 22:21 -------- d-------- C:\Program Files\Movie Maker
    2006-07-24 22:16 -------- d-------- C:\Program Files\Windows NT
    2006-07-24 22:07 -------- d-------- C:\Program Files\Google
    2006-07-24 21:44 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\POPFile
    2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-19 00:19 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
    2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
    2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll
    2006-06-19 13:39 139264 --a------ C:\WINDOWS\876056.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\\Program Files\\NavNT\\vptray.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
    "D-Link RangeBooster G WDA-2320"="C:\\Program Files\\D-Link\\RangeBooster G WDA-2320\\AirPlusCFG.exe"
    "ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
    "nwiz"="nwiz.exe /install"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\NetMeeting\\podoci.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="C:\\Program Files\\Internet Explorer\\mebezane.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp psc 1000 series.lnk"
    "backup"="C:\\WINDOWS\\pss\\hp psc 1000 series.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpohmr08.exe "
    "item"="hp psc 1000 series"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hpoddt01.exe.lnk"
    "backup"="C:\\WINDOWS\\pss\\hpoddt01.exe.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpotdd01.exe "
    "item"="hpoddt01.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^odduo.exe]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\odduo.exe"
    "backup"="C:\\WINDOWS\\pss\\odduo.exeCommon Startup"
    "location"="Common Startup"
    "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\odduo.exe"
    "item"="odduo"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run POPFile.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Run POPFile.lnk"
    "backup"="C:\\WINDOWS\\pss\\Run POPFile.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\POPFile\\RUNPOP~1.EXE /startup"
    "item"="Run POPFile"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cfg32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\cfg32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dfndrff_e5"
    "hkey"="HKLM"
    "command"="c:\\\\dfndrff_e5.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\eenyseaA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="eenyseaA"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\eenyseaA.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="optimize"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="kybrdff_e5"
    "hkey"="HKLM"
    "command"="c:\\\\kybrdff_e5.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="topaff"
    "hkey"="HKLM"
    "command"="c:\\topaff.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechSoftwareUpdate]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ManifestEngine"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ISStart"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LogiTray"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LVCOMSX]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LVCOMSX"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwnmff_e5"
    "hkey"="HKLM"
    "command"="c:\\\\nwnmff_e5.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NvCpl"
    "hkey"="HKLM"
    "command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NVMCTRAY"
    "hkey"="HKCU"
    "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwiz"
    "hkey"="HKLM"
    "command"="nwiz.exe /install"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PSCloner"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\PSCloner\\PSCloner.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\septpop06apsept]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="septpop06apsept"
    "hkey"="HKLM"
    "command"="c:\\program files\\popupwithcast\\septpop06apsept.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MirarSetup_876057"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\MirarSetup_876057.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
    "Windows Overlay Components"=dword:00000002
    "cmdService"=dword:00000002


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1091233308.job

    Completion time: Sun 09/17/2006 3:28:34.67
    ComboFix.txt

  4. #4
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Please print these instructions out, or write them down, as you can't read them during the fix.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.

    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\eenyseaA.exe
      C:\WINDOWS\eenysea.exe
      C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
      C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
      C:\WINDOWS\system32\nsc2FF.dll
      C:\WINDOWS\system32\nsc299.dll
      C:\WINDOWS\system32\BattyRun2.dll
      C:\WINDOWS\876056.exe


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    -------

    Once that is done.....

    Please download MWav:
    • Unzip it to its predetermined directory (C:\Kaspersky)
    • Locate kavupd.exe in the new folder and double-click to Update.
    • If your firewall gives any messages about this program accessing the internet, allow it.
    • If it says the signatures are more than 30 days old, keep trying until you get the actual definition updates.
    • When you see Updates Downloaded Successfully, hit Enter to continue.
    • Restart into Safe Mode and locate the Kaspersky folder.
    • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
    Now let's do the settings:
    • Leave the Default Settings checked.
    • Add a check to Drives
    • This will light up All Drives
    • Add a check to Scan all Files
    • Click Scan Clean to begin.

    This scan might take around 3+ hours to finish when set to scan everything.
    • Please be sure it has finished before proceeding.
    • Once the scan has finished, all entries identified as Infected, will be displayed in the lower panel.
    • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
    • Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g. MWav Results).
    Reboot into normal Windows and post the results here along with a fresh HijackThis log.
    Hi there, stranger!

    Proud Member of ASAP since 2005.
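    Added example for this thread (not code from the thread, ComboFix or HijackThis): a small Python parser for the ComboFix "Files Created" / "Find3M" listing format shown above, with two checks that reproduce part of the Killbox file selection: executables carrying hidden+system attributes (the eenysea*.exe and Yazzle*.exe lines) and executables dropped straight into the Windows directory. The sample lines are copied from the log above; the Windows directory path C:\WINDOWS is an assumption matching this log.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' listings.

Added example for this thread; not part of ComboFix or HijackThis.
Parses the one-line-per-file format ("date time size attrs path") and
applies two checks a log reader normally does by eye.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2006-09-17 03:17 40,960 --a------ C:\Look2Me-Destroyer.exe
2006-09-17 00:08 240,000 -r-hs---- C:\WINDOWS\eenyseaA.exe
2006-09-17 00:07 1,147,824 -r-hs---- C:\WINDOWS\eenysea.exe
2006-08-31 00:40 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-09-17 03:26 -------- d-------- C:\Program Files\Common Files
2006-09-17 00:07 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-06-19 13:39 139264 --a------ C:\WINDOWS\876056.exe
"""

# date  time  size-or-dashes  9-character attribute field  path (may contain spaces)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+([-a-z]{9})\s+(.+?)\s*$"
)

EXEC_EXTS = {".exe", ".dll", ".com", ".sys", ".scr", ".pif"}
WINDOWS_DIR = r"C:\WINDOWS"  # assumption: default XP install path, as in this log


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories (size column is "--------")
    attrs: str           # e.g. "-r-hs----": d, r, a, h, s flags by position
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[4] == "s"

    @property
    def is_executable(self) -> bool:
        return ntpath.splitext(self.path)[1].lower() in EXEC_EXTS


def parse_listing(text: str) -> List[Entry]:
    """Parse ComboFix file-listing lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append(Entry(date, time, size_val, attrs, path))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that deserve a second look."""
    findings = []
    for e in entries:
        if e.is_dir or not e.is_executable:
            continue
        if e.hidden and e.system:
            # Legitimate programs rarely mark their own binaries hidden+system.
            findings.append((e.path, "hidden+system executable"))
        elif ntpath.dirname(e.path).upper() == WINDOWS_DIR.upper():
            # Binaries dropped straight into the Windows root (not system32) get
            # a review tag; expect some false positives from stock Windows files.
            findings.append((e.path, "executable in Windows root directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_listing(SAMPLE_LOG)):
        print(f"{reason:40} {path}")
```

Running it lists the four hidden+system executables and 876056.exe, and leaves fltlib.dll and NVUNINST.EXE in system32 alone.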

  5. #5
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Thanks again -

    Followup report:

    Killbox process has been completed. No "PendingFileRenameOperations prompt" came up.

    Upon reboot, two popups came up.

    Now running mwavscan.com as per your instructions - will follow up with a new HJT when it's done. (28 viruses found so far, 19 deleted)

    (posting from my other computer)

  6. #6
    Junior Member
    Join Date
    Sep 2006
    Posts
    19

    Two Mwscan logs

    Went to sleep at 4am, woke 3 hours later.. looked at the scan, thought it was done and realized I stopped it while it was still in progress.. so I ran mwscan a 2nd time (both done in safe mode as per your instructions)

    Attached are the 1st and 2nd session logs.

    File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos1.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos5.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos7.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00840000.VBN infected by "Email-Worm.Win32.NetSky.aa" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0004.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00001.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00002.VBN infected by "Trojan-Clicker.Win32.VB.is" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40002.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40003.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40004.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40005.VBN infected by "Trojan-Dropper.Win32.Mudrop.bq" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40006.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40008.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07CC0001.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40001.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00000.VBN infected by "Trojan-Downloader.Win32.VB.afa" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40001.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07F00000.VBN infected by "Email-Worm.Win32.NetSky.aa" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\Craig Flannagan\Desktop\For future reinstallations\Goodies.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\Craig Flannagan\Desktop\For future reinstallations\Goodies.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\repairs303169590.dll tagged as not-a-virus:AdWare.Win32.SurfSide.ap. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\SET32E.tmp tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\webhdll.dll tagged as not-a-virus:AdWare.Win32.WebHancer.390. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Local Settings\Temporary Internet Files\Content.IE5\1MLBUOEN\popup[1].htm infected by "Trojan-Clicker.HTML.Agent.a" Virus. Action Taken: File Deleted.
    File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.

    2nd session:

    File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40001.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\repairs303169590.dll tagged as not-a-virus:AdWare.Win32.SurfSide.ap. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\SET32E.tmp tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
    File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\webhdll.dll tagged as not-a-virus:AdWare.Win32.WebHancer.390. No Action Taken.
    File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.
    File C:\Program Files\NetMeeting\podoci.html infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037194.exe infected by "Trojan-Downloader.Win32.Small.ajc" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037197.dll tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037211.exe infected by "Trojan-Downloader.Win32.Qoologic.at" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037217.exe infected by "Trojan-Downloader.Win32.Agent.aqx" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037220.exe infected by "Trojan-PSW.Win32.LdPinch.arr" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037300.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037302.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037303.dll infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037317.exe tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037327.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037328.dll infected by "Trojan-Downloader.Win32.Small.ctp" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037329.ocx tagged as not-a-virus:AdWare.Win32.MediaMotor.m. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037330.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037331.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037332.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037333.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037334.exe tagged as not-a-virus:Monitor.Win32.NetMon.a. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037335.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037336.exe infected by "Trojan-Downloader.Win32.Small.ctp" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037337.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037339.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037340.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037341.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037342.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037343.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037344.dll tagged as not-a-virus:AdWare.Win32.Ucmore.a. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037345.exe tagged as not-a-virus:AdWare.Win32.MediaMotor.o. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037346.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037347.dll tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037348.dll tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037349.exe tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037353.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037358.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037363.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037364.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037365.dll infected by "Trojan-Downloader.Win32.Agent.agw" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037366.exe tagged as not-a-virus:AdWare.Win32.Agent.ag. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037367.exe infected by "Trojan-Downloader.Win32.Qoologic.c" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037368.exe infected by "Trojan-Downloader.Win32.Qoologic.c" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037369.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037404.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037405.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037406.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
    File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037457.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
    File C:\WINDOWS\pss\odduo.exeCommon Startup infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Deleted.
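
An added example (not code from the forum, the poster or the MWAV tool) that parses result lines in the format of the two logs above, counts the actions the scanner took, and lists what it left untouched outside quarantine, restore-point and backup folders, grouped by folder; that remaining list is what a helper turns into manual clean-up steps. The sample lines are copied from the posted logs; the set of "inert" folder markers is an assumption made for the example.

```python
"""Summary of an eScan/MWAV (mwavscan.com) result log like the two posted above.

Added example for this thread; it is not code from the forum, the poster or the
MWAV tool. It parses the two line shapes in the posted logs, counts what the
scanner did, and lists the files it left untouched ("No Action Taken") outside
inert locations, grouped by folder. Sample lines are copied from the posted logs.
"""
import re
from collections import Counter, defaultdict

# 'File <path> infected by "<name>" Virus. Action Taken: <action>.'
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$'
)
# 'File <path> tagged as not-a-virus:<name>. No Action Taken.'
# "not-a-virus:" is the engine's riskware/adware prefix; such hits are reported
# but not removed, so they need a human decision (adware vs. a legitimate tool
# such as the mIRC client that appears in the posted log).
RISKWARE_RE = re.compile(
    r'^File (?P<path>.+?) tagged as not-a-virus:(?P<name>\S+?)\. '
    r'(?P<action>No Action Taken)\.$'
)

# Folders holding inert copies rather than anything that can run: an AV
# quarantine, System Restore points, KillBox's backup folder and Spybot's
# recovery archive. Hits there are history, not an active infection.
# (Assumption for this example; extend the list to match your own tooling.)
INERT_MARKERS = (
    "\\Quarantine\\",
    "\\System Volume Information\\",
    "\\!KillBox\\",
    "\\Spybot - Search & Destroy\\Recovery\\",
)


def parse_mwav_line(line):
    """Return {'path','name','action','kind','inert'} for a result line, else None."""
    line = line.strip()
    m, kind = INFECTED_RE.match(line), "infected"
    if not m:
        m, kind = RISKWARE_RE.match(line), "not-a-virus"
    if not m:
        return None
    hit = m.groupdict()
    hit["kind"] = kind
    hit["inert"] = any(marker in hit["path"] for marker in INERT_MARKERS)
    return hit


def summarize(log_text):
    """Return (Counter of actions, {folder: [(file, detection), ...]} still pending)."""
    actions = Counter()
    pending = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_mwav_line(line)
        if hit is None:
            continue  # blank lines, headers, anything that is not a result line
        actions[hit["action"]] += 1
        if hit["action"] == "No Action Taken" and not hit["inert"]:
            folder, _, fname = hit["path"].rpartition("\\")
            pending[folder].append((fname, hit["name"]))
    return actions, dict(pending)


# A representative subset of the lines posted above (copied, not constructed).
SAMPLE_LOG = r"""
File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.
File C:\Program Files\NetMeeting\podoci.html infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037300.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
File C:\WINDOWS\pss\odduo.exeCommon Startup infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Deleted.
"""

if __name__ == "__main__":
    actions, pending = summarize(SAMPLE_LOG)
    for action, n in sorted(actions.items()):
        print("%-16s %d" % (action, n))
    print("\nLeft for manual review (outside quarantine/restore/backup folders):")
    for folder in sorted(pending):
        print(" ", folder)
        for fname, name in pending[folder]:
            print("     %-28s %s" % (fname, name))
```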

  7. #7
    Junior Member
    Join Date
    Sep 2006
    Posts
    19

    Default

    And my latest HJT after the mwscans. I'm still getting popups.. one that asks me to install DriverCleaner (from DriverCleaner, Inc.. a .cab file with "Install/Don't Install" option) and later 3 more popups.. just regular ads.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:48:24 PM, on 9/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
    O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

  8. #8
    Junior Member
    Join Date
    Sep 2006
    Posts
    19

    Default

    Let me know if I'm missing anything else in terms of logs

  9. #9
    Junior Member
    Join Date
    Sep 2006
    Posts
    19

    Default

    Just a follow up while I'm awaiting reply..

    I know that helpers here would probably frown if I take things into my own hands, but I figured this action was easy and relatively straightforward (low risk potential).

    When I noticed this line:

    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

    I went to IE and removed the ActiveX object from the list.

    Popups have stopped.. I haven't seen any in the last few hours..

    Newest HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:48:52 PM, on 9/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
    O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
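
An added example (not code from the forum, the poster or HijackThis) that parses O16 "Downloaded Program Files" lines in the format of the logs above and orders them for review: a CAB host the reviewer does not recognise is one signal, a control HijackThis could not name is another, and an entry with both, like the elitemediagroup.net one the poster removed, comes out first. The host allowlist is an assumption made for the example; the sample lines are copied from the log above.

```python
"""Triage of HijackThis O16 (Downloaded Program Files) entries.

Added example for this thread; it is not code from the forum, the poster or
HijackThis. O16 lines list ActiveX controls Internet Explorer downloaded, with
the CAB they came from. The script parses the lines exactly as HijackThis
prints them and orders them for review. The host allowlist is an assumption
made for the example; the sample lines are copied from the log posted above.
"""
import re
from urllib.parse import urlparse

# O16 - DPF: {CLSID} (Friendly Name) - http://host/path.cab
# The "(Friendly Name)" part is absent when the control has no registered name.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" - (?P<url>\S+)$"
)

# Constructed allowlist of CAB hosts the reviewer already knows (an assumption
# for this example; a real reviewer maintains their own list).
KNOWN_HOSTS = {"zone.msn.com", "fdl.msn.com"}


def parse_o16(line):
    """Return {'clsid','name','url','host'} for an O16 line, or None for other lines."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["host"] = (urlparse(entry["url"]).hostname or "").lower()
    return entry


def triage_o16(log_text, known_hosts=KNOWN_HOSTS):
    """Split O16 entries into (flagged, clean); flagged is ordered by number of signals."""
    flagged, clean = [], []
    for line in log_text.splitlines():
        entry = parse_o16(line)
        if entry is None:
            continue  # every other HijackThis section is ignored here
        reasons = []
        if entry["host"] not in known_hosts:
            reasons.append("CAB host not on allowlist: " + entry["host"])
        if not entry["name"]:
            reasons.append("no friendly name registered for the control")
        entry["reasons"] = reasons
        (flagged if reasons else clean).append(entry)
    flagged.sort(key=lambda e: -len(e["reasons"]))  # stable: ties keep log order
    return flagged, clean


# O16 lines from the HijackThis log posted above, plus one O18 line to show
# that non-O16 sections are skipped (copied from the post, not constructed).
SAMPLE_LOG = r"""
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
"""

if __name__ == "__main__":
    flagged, clean = triage_o16(SAMPLE_LOG)
    for e in flagged:
        print("REVIEW", e["clsid"], e["url"])
        for r in e["reasons"]:
            print("       -", r)
    print("%d to review, %d recognised" % (len(flagged), len(clean)))
```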

  10. #10
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    It was indeed a bad entry.

    Delete the following folder:

    C:\Documents and Settings\Craig Flannagan\Desktop\infectded

    Empty recycle bin...

    ----

    Updating Java and Clearing Cache
    • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
    • Search in the list for all previously installed versions of Java (J2RE Runtime Environment...).
      It should have this icon next to it:
    • Select it and click Remove.
      1. Now please install the Java Runtime Environment (JRE) 5.0 Update 8 manually..
      2. Note: reboot the computer after updating.
      3. After the reboot, go back into the Control Panel and double-click the Java Icon.
      4. Under Temporary Internet Files, click the Delete Files button.
      5. There are three options in the window to clear the cache - Leave ALL 3 Checked
        • Downloaded Applets
        • Downloaded Applications
        • Other Files
      6. Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      7. Click OK to leave the Java Control Panel.


    ---

    How's the system running?
    Hi there, stranger!

    Proud Member of ASAP since 2005.
