Post by: sean32 on May 01, 2005, 09:11:35 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:56:03 AM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\mouseutils.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\lbs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com (http://\"http://www.dell.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com (http://\"http://www.dell.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com (http://\"http://www.dell.com\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (http://\"http://wwws.musicmatch.com/mmz/openWebRadio.html\") (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab (http://\"http://www.kaspersky.com/downloads/kws/kavwebscan.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab (http://\"http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab (http://\"http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100749368071 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100749368071\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab\")
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/WoF.cab31267.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Post by: guestolo on May 01, 2005, 01:57:53 PM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan (http://\"http://virusscan.jotti.org/\")
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\system32\mouseutils.exe <-file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
Post by: sean32 on May 01, 2005, 04:10:12 PM
File: mouseutils.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 da1da38f604a60a769dbc3830e87fa1d
Packers detected: PE_PATCH
Scanner results
AntiVir Found Worm/Bropia.J
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found Win32.4 (probable variant)
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
So can I just manually delete the file, or what can I do to get rid of it?
Post by: guestolo on May 01, 2005, 07:16:40 PM
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html (http://\"http://red.clientapps.yahoo.com/customize/...rch/search.html\")
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Find and delete these files
C:\lbs.exe
C:\WINDOWS\system32\mouseutils.exe
Restart back to Normal mode
I've seen lbs.exe before, it usually has other files accompany it too
Could you do the following
Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, save it and then double click to run
It will self extract
Temporarily disable Avast protection
In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and paste it back here in your reply
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Also post back a fresh Hijackthis log
Post by: sean32 on May 01, 2005, 09:23:01 PM
File C:\DOCUME~1\SEAN\LOCALS~1\Temp\trgen-yourbrain_277797-default.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\SEAN\LOCALS~1\TEMPOR~1\Content.IE5\0TUVWHQV\activ-x[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\navapp.exe infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\NHelper.dll infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\NHUninstaller.exe infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\NHUpdater.exe infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\v2.0.4d.cab infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\LAURA\Local Settings\Temp\asmfiles.cab infected by "not-a-virus:AdWare.Altnet.l" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\SEAN\Local Settings\Temp\trgen-yourbrain_277797-default.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\SEAN\Local Settings\Temporary Internet Files\Content.IE5\0TUVWHQV\activ-x[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\SEAN\My Documents\My Apps\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Documents and Settings\SEAN\My Documents\My Apps\Sony Soundforge 7.0 + Keygen + Patch Fr + Plugins.rar tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000004 infected by "not-a-virus:AdWare.Gator.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000005 infected by "not-a-virus:AdWare.Gator.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000006 infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000007 infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0017370.dll infected by "not-a-virus:AdWare.NavExcel.i" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0017371.dll infected by "not-a-virus:AdWare.NavExcel.i" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0017372.exe infected by "not-a-virus:AdWare.NavExcel.i" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017965.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017966.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017967.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017968.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017969.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017970.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017971.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017972.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017973.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017974.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017975.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017982.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.af" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017997.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017998.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018006.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018007.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018008.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018009.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018010.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018047.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018048.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018049.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018050.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0018995.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0018996.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
Here is the hijackthis log file
Logfile of HijackThis v1.99.1
Scan saved at 10:18:58 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com (http://\"http://www.dell.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com (http://\"http://www.dell.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com (http://\"http://www.dell.com\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (http://\"http://wwws.musicmatch.com/mmz/openWebRadio.html\") (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab (http://\"http://www.kaspersky.com/downloads/kws/kavwebscan.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab (http://\"http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab (http://\"http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100749368071 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100749368071\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab\")
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/WoF.cab31267.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Thanks again for the help, and I hope this helps you.
Post by: guestolo on May 01, 2005, 09:41:59 PM
Some are backed up in your System Restore folder
Can you do the following
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
After installation
I like to run this in safe mode to ensure limited programs are running
In safe mode
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done
Instead restart the computer
Back in Windows
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 also
Post by: gUzAnO on May 07, 2005, 08:35:44 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />Log 1
Logfile of HijackThis v1.99.1
Scan saved at 19:19:12, on 07-05-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2 (http://\"http://login.passport.net/uilogin.srf?id=2\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_ES_XP.cab (http://\"http://akamai.downloadv3.com/binaries/IA/svcsysnet32_ES_XP.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
VIRUS RESULTS
File System Found infected by "IstBAR Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "IstBAR Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mwsoemon Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\system.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\wlvdmnrqhhb.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MSN Messenger\riched20.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3CJPEG.DLL infected by "not-a-virus:AdWare.FunWeb.d" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HISTSW.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HTMLMU.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3PSSAVR.SCR infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3RESTUB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3SCHMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3WPHOOK.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\M3OUTLCN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\M3SKIN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOESTB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GDARCXA3\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\MSN[2].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Temp\pzpgvchufa.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\KP27CHIV\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\M70F52JI\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\PNBFPXGQ\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\X2IQARO9\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\XQY9YOEM\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Temp\wlvdmnrqhhb.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\backups\backup-20050416-141636-826.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\backups\backup-20050416-141637-102.dll infected by "not-a-virus:AdWare.WinAD.ad" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\0HUBGPAR\MSN[2].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\AHDL92N6\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\XQY9YOEM\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Temp\mzrpoqbopg.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\mIRC\SYSTEM\mirc32.exe tagged as not-a-virus:RiskWare.mIRC.5.9.1. No Action Taken.
File C:\mmm.exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Archivos temporales de Internet\Content.IE5\7ZR1BUDN\bridge-c18[1].cab infected by "not-a-virus:AdWare.WinAD.ad" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Archivos temporales de Internet\Content.IE5\UGWX4WLJ\a072aa[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\system.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Log 2
Logfile of HijackThis v1.99.1
Scan saved at 21:36:56, on 07-05-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\mwavscan.com
C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\kavss.exe
C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2 (http://\"http://login.passport.net/uilogin.srf?id=2\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_ES_XP.cab (http://\"http://akamai.downloadv3.com/binaries/IA/svcsysnet32_ES_XP.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
now i'm dowloading spyware blaster 3.3 but i dunno how to dwnld the other stuff, thanks for your future help
BTW i have WinXP Pro non SP1 nor SP Express... (got no valid key for it xD) i was using AVG 7.0 and get a weird "error" it says it cannot get the update because it's damaged or it is bad installed, it was running quite good before, dunno what happened, though i'm switching to Kaspersky.