Tech Clinic / problems with explorer.. dumb thing
« on: March 16, 2005, 03:21:36 PM »
Hello, here is everything. I'm still having problems with the desktop showing web pages, an annoying tray item, and Explorer still takes forever to load. lol, I think I'm in a small pickle..
Here's the dump log:
Scan Control Dumped @ 06:15:24 15-03-05
Live trojan found (in process memory): RAT.Cain
File: C:\Program Files\Cain\Abel.exe
RegVal Trace: TrojanClicker.Win32.Spyre: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\RunOnce [Srv32 spool service=C:\WINDOWS\System32\spoolsrv32.exe]
RegVal Trace: TrojanClicker.Win32.Spyre: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunOnce [Srv32 spool service=C:\WINDOWS\System32\spoolsrv32.exe]
Positive identification (DLL): Adware.ToolBar.EliteBar.q1 (dll)
File: c:\elitebar version 53.dll
Positive identification (DLL): Adware.ToolBar.EliteBar.z1 (dll)
File: c:\elitesidebar version 8.dll
Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
File: c:\elitetoolbar version 59.dll
Positive identification: TrojanDownloader.Win32.WinFetch.a
File: c:\documents and settings\matt\local settings\temp\5ydtuba.exe
Positive identification: Trojan.Win32.Delf.cf4
File: c:\documents and settings\matt\local settings\temp\atiupdate.exe
Suspicious Filename: Dual extensions
File: c:\documents and settings\matt\local settings\temp\sa375.tmp.exe
Positive identification: TrojanDownloader.Win32.Small.uf
File: c:\documents and settings\matt\local settings\temp\sa375.tmp.exe
Positive identification: Adware.Altnet.b
File: c:\documents and settings\matt\local settings\temp\__unin__.exe
Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\65et05kb\mediaaccess[1].exe
Positive identification: Adware.180Solutions.o
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\85ibglav\saap[1].exe
Positive identification <Adv>: Possible keylogger
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\85ibglav\search[2].exe
Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\c1c1yzy1\elitebar59[1].dll
Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dd (dll)
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\g52vcp6v\nem220[1].dll
Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\mpmr8xuv\elitebar59[1].dll
Positive identification: TrojanDownloader.Win32.Dyfuca.dk
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\mpmr8xuv\optimize[1].exe
Positive identification (DLL): TrojanDownloader.Win32.Agent.ex7 (dll)
File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\n8mlm9aj\jabber[1].ocx
Positive identification: Adware.ToolBar.EliteBar.v
File: c:\program files\dap\temp\ldn554.tmp
Positive identification (DLL): Adware.ToolBar.MyWebSearch.c (dll)
File: c:\program files\mywebsearch\bar\2.bin\f3popswt.dll
Positive identification (DLL): Adware.ToolBar.MyWebSearch.d (dll)
File: c:\program files\mywebsearch\bar\2.bin\f3restub.dll
Positive identification (DLL): Adware.ToolBar.MyWebSearch.e (dll)
File: c:\program files\mywebsearch\bar\2.bin\f3wphook.dll
Positive identification (DLL): Adware.ToolBar.MyWebSearch.f (dll)
File: c:\program files\mywebsearch\bar\2.bin\mwsoestb.dll
Positive identification (DLL): Adware.Wesbar (dll)
File: c:\program files\mywebsearch\srchastt\2.bin\mwssrcas.dll
Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\warez p2p client\nnwarz3_88.exe
Positive identification: Adware.NewDotNet
File: c:\program files\warez p2p client\nnwarz3_88.exe
Positive identification (DLL): Adware.Winad (dll)
File: c:\program files\winad client\clientcom.dll
Positive identification: TrojanDownloader.Win32.Agent.bf2
File: c:\program files\winad client\winclt.exe
Positive identification: TrojanProxy.Win32.Agent.dl1
File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc2.exe
Positive identification <Adv>: Possible WebDownloader
File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc11\mediaaccess.exe
Positive identification: Adware.SyncroAd
File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc12\syncroad.exe
Positive identification (DLL): Adware.ToolBar.SBSoft.e (dll)
File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc13\rundlg32.dll
Positive identification: Adware.BargainBuddy.j Dropper
File: c:\temp\cdt_bbi8016.exe
Positive identification (embedded in file): TrojanDropper.Win32.Delf.z
File: c:\temp\installer2.exe
Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
File: c:\temp\installer2.exe
Positive identification: Adware.Blazefind Dropper
File: c:\temp\installer2.exe
Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\temp\msbbhook.dll
Positive identification: Adware.TopRebates.a Dropper
File: c:\temp\webrebates_cdt_installsilent.exe
Positive identification: Adware.MDH.a Dropper
File: c:\windows\setup_silent_17304.exe
Positive identification: Adware.MDH.a Dropper
File: c:\windows\setup_silent_26223.exe
Positive identification: Adware.ToolBar.EliteBar.v
File: c:\windows\sideb.exe
Positive identification: TrojanDropper.Win32.Small.oy
File: c:\windows\sys2515.exe
Positive identification: RAT.Jeemp.b
File: c:\windows\sys2519.exe
Positive identification: TrojanProxy.Win32.Agent.dl1
File: c:\windows\sys2538.exe
Positive identification: RAT.Thunk.d
File: c:\windows\sys2555.exe
Positive identification: Adware.MediaMotor
File: c:\windows\unstall.exe
Positive identification (DLL): TrojanDownloader.Win32.Agent.ex7 (dll)
File: c:\windows\downloaded program files\jabber.ocx
Positive identification (DLL): Adware.ToolBar.EliteBar.l (dll)
File: c:\windows\downloaded program files\v2.dll
Positive identification (DLL): Adware.ToolBar.EliteBar.q1 (dll)
File: c:\windows\elitetoolbar\elitetoolbar version 53.dll
Positive identification (DLL): Adware.ToolBar.EliteBar.q (dll)
File: c:\windows\elitetoolbar\elitetoolbar version 54.dll
Positive identification (DLL): Adware.EliteBar (dll)
File: c:\windows\elitetoolbar\elitetoolbar version 56.dll
Positive identification (DLL): Adware.EliteBar (dll)
File: c:\windows\elitetoolbar\elitetoolbar version 58.dll
Positive identification: Pornware.Downloader.Tibsystems.d
File: c:\windows\system\121689.exe
Positive identification: Pornware.Downloader.Tibsystems.d
File: c:\windows\system\121690.exe
Positive identification: Pornware.Downloader.Tibsystems.a
File: c:\windows\system\121710.exe
Positive identification: Pornware.Downloader.Tibsystems.a
File: c:\windows\system\121711.exe
Positive identification: Pornware.Downloader.Tibsystems.d
File: c:\windows\system\121793.exe
Positive identification: Pornware.Downloader.Tibsystems.a
File: c:\windows\system\122335.exe
Positive identification: Pornware.Downloader.Tibsystems.d
File: c:\windows\system\teen.exe
Positive identification (DLL): RAT.Thunk.d (dll)
File: c:\windows\system32\child.dll
Positive identification (DLL): Adware.EliteBar (dll)
File: c:\windows\system32\elitedoolsav.dat
Positive identification: Trojan.Win32.StartPage.nk6
File: c:\windows\system32\eliteerror32.dat
Positive identification: Trojan.Win32.StartPage.nk6
File: c:\windows\system32\elitexkp32.exe
Positive identification: Adware.ToolBar.EliteBar.j Dropper
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\e521gfut\silent_install[1].exe
Positive identification: Trojan.Win32.StartPage.nk6
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\kdensp6b\protector_update[1].exe
Positive identification: TrojanDownloader.Win32.Elitebar.a
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\kdensp6b\silent_install[1].exe
Positive identification <Adv>: Possible WebDownloader
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\sxqj0dmf\bobby[1].exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\1.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\12.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\123.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\[censored].exe
Positive identification: TrojanDownloader.Win32.IstBar.fu
File: c:\windows\system32\services\gamka2.exe
Positive identification: TrojanClicker.Win32.Agent.v1
File: c:\windows\system32\services\gamka324.exe
Positive identification: TrojanDownloader.Win32.IstBar.fx
File: c:\windows\system32\services\gammaka.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\redirect.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\redirect23.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\redirect234.exe
Positive identification: TrojanDropper.Win32.Tibsis.a1
File: c:\windows\system32\services\sexychat.exe
Positive identification: TrojanClicker.Win32.Agent.ar
File: c:\windows\system32\services\winsd.exe
And here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:18:52 AM, on 3/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cain\Abel.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\QUICKH~1\qhwscsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AB854823-1967-4D5C-9EF7-03274F12BF93} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB854823-1967-4D5C-9EF7-03274F12BF93} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com/fonts/TDSERVER.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//bestporn/main.chm::/load.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c18.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110535164775
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D4212C-AD0A-46BA-977E-E471F5C719D3}: NameServer = 205.188.146.145
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - C:\PROGRA~1\QUICKH~1\qhwscsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Thanks
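One way to triage a log like this, as an added example that is not part of the original post and not code from the HijackThis tool: a small Python script that parses the O-prefixed lines and flags the entries an analyst would look at first. The rules and severities are my own heuristics (a RunOnce autostart, IE security-zone changes, a DPF object fetched through a non-HTTP handler such as ms-its:, an orphaned BHO or service, a hosts override, a custom DNS server), not HijackThis ratings. The sample lines are copied from the log above, with one process-listing line added to show that non-O lines are ignored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HijackThis log above, plus one
# process-listing line that the parser should ignore. The "..." in the
# windupdates URL is how it appears in the posted log.
SAMPLE_LOG = [
    r"C:\WINDOWS\explorer.exe",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
    r"O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)",
    r"O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers",
    r"O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe",
    r"O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe",
    r"O15 - Trusted IP range: 206.161.125.149",
    r"O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    r"O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//bestporn/main.chm::/load.exe",
    r"O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab",
    r"O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c18.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D4212C-AD0A-46BA-977E-E471F5C719D3}: NameServer = 205.188.146.145",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
]

# HijackThis entries look like "O<n> - <body>"; everything else (header,
# running processes) is skipped.
SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A DPF entry with a friendly name has "{CLSID} (Name) - url".
DPF_NAMED_RE = re.compile(r"\}\s+\(")


@dataclass
class Finding:
    section: str
    severity: str   # high / medium / low / info (my own scale, an assumption)
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one log line; None means nothing to flag."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec == "O1":
        return Finding(sec, "medium", "hosts-file override redirects a hostname", line)
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "low", "orphaned BHO registration (DLL missing)", line)
    if sec == "O4" and "RunOnce" in body:
        return Finding(sec, "high", "RunOnce autostart; normally empty on a steady-state machine", line)
    if sec == "O15":
        return Finding(sec, "high", "IE security zone tampering (trusted range / protocol default)", line)
    if sec == "O16":
        url = body.rsplit(" - ", 1)[-1]          # download URL is the last " - " field
        scheme = url.split(":", 1)[0].lower()
        if scheme not in ("http", "https"):
            return Finding(sec, "high", f"DPF object loaded via '{scheme}:' handler instead of HTTP", line)
        if not DPF_NAMED_RE.search(body):
            return Finding(sec, "medium", "DPF object with no friendly name", line)
        return None
    if sec == "O17":
        return Finding(sec, "info", "custom NameServer; confirm it belongs to your ISP", line)
    if sec == "O23" and "(file missing)" in body:
        return Finding(sec, "low", "service points at a missing binary", line)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def summary(lines: List[str]) -> dict:
    """Count findings per severity, e.g. {'high': 5, 'medium': 2, ...}."""
    counts: dict = {}
    for f in scan(lines):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summary(SAMPLE_LOG))
```

Run against the sample, the two RunOnce entries (the same spoolsrv32.exe the scan dump attributes to TrojanClicker.Win32.Spyre), both O15 zone changes and the ms-its: DPF entry come out as high; the regular Run entry and the named, HTTP-served DPF control are left alone.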