Messages - ckn

Tech Clinic / smartsecurity - another victim
« on: May 08, 2005, 07:28:33 PM »
[quote name='guestolo' date='May 8 2005, 03:49 PM']Can you do me a favor before we try some fixes?
Open Hijackthis >> Open Misc tools section >> Open Uninstall Manager
Click the SAVE LIST button
Save the list and post it back here

Then we'll get to work on your log
[/quote]

Thank you again. Here is the log I got following your instructions:

3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adware Patrol 1.0.8
AlertSpy 1.0.8
Avance AC'97 Audio
Big Action Construction
BigFix
Browser Helper
Chessmaster 10th Edition
Coelho Sabido e a Estrela Cintilante
CompuServe
Conexant SoftK56 Modem(M)
Curious George Learns Phonics
DELL TrueMobile 1180 Wireless USB
Display Utility
FlashTrack Uninstall
GameSpy Arcade
Google Toolbar for Internet Explorer
Gutterball
HijackThis 1.99.1
Intel® Extreme Graphics Driver Software
Internet Chess
iPod mini 1.0 for Windows User Guide
iPod mini Software Updater 1.0
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_02
JetSuite Pro for the HP LaserJet 3150
JumpStart Advanced 1st Grade
JumpStart Phonics
KODAK Picture CD
Learn to Play Chess with Fritz and Chesster
Learn to Play Chess with Fritz and Chesster 2
LEGO My Style Preschool
Macromedia Shockwave Player
Math Missions Grades K-2
McAfee Firewall
McAfee VirusScan
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Works 6.0
Mozilla Firefox (1.0)
MSN Messenger 6.2
Outlook Express Q837009
Playhouse Disney's Stanley Wild for Sharks
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit Playtime for Baby
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit Toddler
Reader Rabbit's Math Ages 6-9
RealPlayer
Rescue Heroes Hurricane Havoc
Rescue Heroes Meteor Madness
Rescue Heroes Mission Select
Rescue Heroes(tm) Lava Landslide
Rescue Heroes(tm) Tremor Trouble
Shockwave
Spinner the Space Kid (remove only)
Spybot - Search & Destroy 1.3
Viewpoint Media Player (Remove Only)
Winamp (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
Yahoo! Companion
Zoombinis Logical Journey(tm)

Tech Clinic / smartsecurity - another victim
« on: May 07, 2005, 09:18:06 PM »
[quote name='guestolo' date='May 7 2005, 12:32 AM']Can you do the following please? Using msconfig can hide malicious activity; it's important I see everything.
Can you go back to msconfig and enable all startup entries
Do a Normal startup

Ok it but decline to restart the computer afterwards
Instead run another scan with Hijackthis and post a fresh log
[/quote]

Thanks. Here is the new HJT log. (I think I followed all the instructions.) Please help, we are desperate and afraid.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:41 PM, on 5/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\jet95\JETSTAT.EXE
C:\DOCUME~1\andrew\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\andrew\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

==============================================

I also ran MAV 6.1.7 to check for viruses (I opened IE and got the about:blank home page, so I knew something was wrong). Here is the virus log:

File C:\WINDOWS\System32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\spoolsrv32.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\picsvr\picsvr.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\picsvr\picsvr.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\spoolsrv32.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.

File System Found infected by "mxoaldr Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "PerfectNav Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "GrokSter Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_80.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_88.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_94.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\aornutgw.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\Clifford Uninstall.exe infected by "Virus.Win9x.CIH.dam" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\dknqipxf.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\jqxnaaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\txfdb32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\winrokup.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\27.exe\27.exe infected by "Trojan-Downloader.Win32.RPV.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\983723.exe infected by "not-a-virus:AdWare.AdWast.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\btv_1001.exe infected by "Trojan-Downloader.Win32.RVP.e" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\cpr_in.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\gstin.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\iB9.tmp infected by "not-a-virus:AdWare.SurfSide.d" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\PerfectNavUninstall.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\SSK_B5.EXE infected by "Trojan-Downloader.Win32.Small.qn" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\tmpD.tmp infected by "Trojan-Downloader.Win32.Small.aql" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\UpdatedUpdaterInstall.exe infected by "Trojan-Downloader.Win32.Small.alx" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\uppicsvr.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\TEMPOR~1\Content.IE5\8KIF51P2\file[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet9.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Desktop\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.

File C:\Documents and Settings\andrew\Desktop\HSFix.zip tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\27.exe\27.exe infected by "Trojan-Downloader.Win32.RPV.f" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\983723.exe infected by "not-a-virus:AdWare.AdWast.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\btv_1001.exe infected by "Trojan-Downloader.Win32.RVP.e" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\cpr_in.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\gstin.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\iB9.tmp infected by "not-a-virus:AdWare.SurfSide.d" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\PerfectNavUninstall.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\SSK_B5.EXE infected by "Trojan-Downloader.Win32.Small.qn" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\tmpD.tmp infected by "Trojan-Downloader.Win32.Small.aql" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\UpdatedUpdaterInstall.exe infected by "Trojan-Downloader.Win32.Small.alx" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\uppicsvr.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\8KIF51P2\file[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.

File C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\Program Files\Kazaa\PerfectNavUninstall.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-3826821714-869365757-1532886375-1005\Dc80.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-3826821714-869365757-1532886375-1005\Dc84.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075736.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075740.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075741.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075746.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075748.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075763.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075764.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075771.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075772.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075781.exe infected by "not-a-virus:AdWare.AdWast.a" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075783.dll infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075803.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075814.dll infected by "not-a-virus:AdWare.Altnet.c" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075822.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075823.exe infected by "not-a-virus:AdWare.WebRebates.c" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075824.exe infected by "not-a-virus:AdWare.WebRebates.f" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075828.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075829.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP807\A0075871.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP807\A0075872.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP809\A0075896.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP809\A0075907.dll infected by "not-a-virus:AdWare.WebSearch.aa" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075911.dll infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075913.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075914.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075915.dll infected by "not-a-virus:AdWare.WebSearch.aa" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075918.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.m" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075925.exe infected by "not-a-virus:AdWare.TotalVelocity.aj" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075926.dll infected by "not-a-virus:AdWare.TotalVelocity.v" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075927.dll infected by "not-a-virus:AdWare.TotalVelocity.aj" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075928.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075938.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP845\A0076123.exe infected by "Trojan.Win32.Agent.cd" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP846\A0077118.exe infected by "Trojan.Win32.Agent.cd" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078398.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078447.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078448.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078450.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078475.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078477.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078478.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078479.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078480.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078481.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078483.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078485.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078487.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078488.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078718.dll infected by "not-a-virus:AdWare.WinAD.ag" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078719.exe infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078720.exe infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078721.cfg infected by "Trojan-Downloader.Win32.RVP.e" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078723.exe infected by "not-a-virus:AdWare.ToolBar.SideBar.a" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078724.vxd infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078725.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078726.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078727.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP852\A0078740.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078757.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078758.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078759.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078760.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078761.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078762.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078763.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078764.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\temp\Bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\temp\CtxPlus.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_80.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_88.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_94.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\aornutgw.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\Clifford Uninstall.exe infected by "Virus.Win9x.CIH.dam" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\dknqipxf.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\jqxnaaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\nsvsvc\nsv.ocx infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\nsvsvc\nsvs.dll infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\nsvsvc\nsvsvc.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\txfdb32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\winrokup.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
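An added example, not code from this thread or from HijackThis or MAV: a small Python triage script that joins the scanner's "infected by" lines with the HijackThis O4/O10/O2 entries, so the autostart points that keep re-launching flagged files stand out, and LSP or BHO entries the scanner gave no verdict on are listed as still unverified. The sample lines are constructed from the logs posted above; the regexes and the "orphaned" / "not in scan results" labels are my own.

```python
"""Join an AV scan log with HijackThis autostart entries (constructed example)."""
import re

# Constructed sample input, in the form of the logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
"""
AV_SAMPLE = r"""
File C:\WINDOWS\System32\spoolsrv32.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\picsvr\picsvr.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winrokup.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\andrew\Desktop\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
"""

# One MAV result line: either 'infected by "<name>" Virus.' or 'tagged as <name>.'
AV_RE = re.compile(
    r'^File (?P<path>.+?) (?:infected by "(?P<name>[^"]+)" Virus|tagged as (?P<tag>.+?))\. '
    r'(?:Action Taken: )?(?P<action>.+)\.$'
)
# HijackThis sections describing something loaded at boot/logon or into every socket.
O4_REG_RE = re.compile(r'^O4 - (?P<hive>HK\w+\\\.\.\\\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$')
O4_LNK_RE = re.compile(r'^O4 - Global Startup: (?P<lnk>.+?) = (?P<cmd>.+)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
# First token of a command line: a quoted path, or everything up to the first space.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def norm(path):
    """Case-fold a Windows path so System32 and system32 compare equal.
    8.3 short names such as DOCUME~1 are left as-is; they cannot be expanded offline."""
    return path.strip().lower()


def parse_av(text):
    """Map each path the scanner flagged to the detection name it reported."""
    found = {}
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            found[norm(m['path'])] = m['name'] or m['tag']
    return found


def parse_hjt(text):
    """Return (section, description, normalized path) for each autostart-type entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_REG_RE.match(line):
            exe = EXE_RE.match(m['cmd'].strip())
            entries.append(('O4', f"{m['hive']} [{m['label']}]", norm(exe[1] or exe[2])))
        elif m := O4_LNK_RE.match(line):
            entries.append(('O4', f"Global Startup {m['lnk']}", norm(m['cmd'])))
        elif m := O10_RE.match(line):
            entries.append(('O10', 'Winsock LSP', norm(m['path'])))
        elif m := O2_RE.match(line):
            entries.append(('O2', f"BHO {m['name']} {{{m['clsid']}}}", norm(m['path'])))
    return entries


def triage(hjt_text, av_text):
    """Keep the entries worth a helper's attention: anything launching a file the
    scanner flagged, plus LSP and BHO entries the scanner gave no verdict on."""
    verdicts = parse_av(av_text)
    report = []
    for section, desc, path in parse_hjt(hjt_text):
        if path in verdicts:
            report.append((section, desc, path, verdicts[path]))
        elif path == '(no file)':
            report.append((section, desc, path, 'orphaned entry (no file)'))
        elif section in ('O10', 'O2'):
            report.append((section, desc, path, 'not in scan results'))
    return report


if __name__ == '__main__':
    for row in triage(HJT_SAMPLE, AV_SAMPLE):
        print(' | '.join(row))
```

On the sample input the report lists both Srv32 RunOnce entries and the picsvr Run entry next to their detection names, the unknown LSP DLL as not covered by the scan, and the nameless BHO as an orphaned entry.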

Tech Clinic / smartsecurity - another victim
« on: May 06, 2005, 09:00:53 PM »
Here is my log. Please help. I tried to fix it myself, but it keeps coming back. I got this log after doing msconfig and restarting. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:36 PM, on 5/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\jet95\JETSTAT.EXE
C:\Program Files\HJT\HijackThis.exe

F3 - REG:win.ini: load=  
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
