Messages - gUzAnO
Tech Clinic / Please help with doozy of a virus (logs posted)
« on: May 07, 2005, 08:35:44 PM »
Hi... I was just looking for some weird stuff on my PC and I got directed here... well, I just seemed to have the same problem, so I followed the same steps. Kinda worked somehow; however, there are some "not-a-virus" adwares/bots that are in other directories rather than System Restore or my TEMP. I call for aid in this thread, though it has been very helpful for the first one who posted here... I'll be posting the virus results and the former HijackThis log and the earlier one. Hope you can help me; thanks in advance :)

Log 1

Logfile of HijackThis v1.99.1
Scan saved at 19:19:12, on 07-05-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_ES_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

VIRUS RESULTS

File System Found infected by "IstBAR Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "IstBAR Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mwsoemon Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\system.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\wlvdmnrqhhb.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MSN Messenger\riched20.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3CJPEG.DLL infected by "not-a-virus:AdWare.FunWeb.d" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HISTSW.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HTMLMU.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3PSSAVR.SCR infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3RESTUB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3SCHMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3WPHOOK.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\M3OUTLCN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\M3SKIN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOESTB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GDARCXA3\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\MSN[2].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Temp\pzpgvchufa.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\KP27CHIV\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\M70F52JI\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\PNBFPXGQ\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\X2IQARO9\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\XQY9YOEM\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Temp\wlvdmnrqhhb.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\backups\backup-20050416-141636-826.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\backups\backup-20050416-141637-102.dll infected by "not-a-virus:AdWare.WinAD.ad" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\0HUBGPAR\MSN[2].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\AHDL92N6\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\XQY9YOEM\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Temp\mzrpoqbopg.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\mIRC\SYSTEM\mirc32.exe tagged as not-a-virus:RiskWare.mIRC.5.9.1. No Action Taken.
File C:\mmm.exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Archivos temporales de Internet\Content.IE5\7ZR1BUDN\bridge-c18[1].cab infected by "not-a-virus:AdWare.WinAD.ad" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Archivos temporales de Internet\Content.IE5\UGWX4WLJ\a072aa[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\system.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Log 2

Logfile of HijackThis v1.99.1
Scan saved at 21:36:56, on 07-05-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\mwavscan.com
C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\kavss.exe
C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_ES_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Now I'm downloading SpywareBlaster 3.3, but I dunno how to download the other stuff. Thanks for your future help.

BTW, I have WinXP Pro, neither SP1 nor SP Express... (got no valid key for it xD). I was using AVG 7.0 and got a weird "error": it says it cannot get the update because it's damaged or badly installed. It was running quite well before, dunno what happened, though I'm switching to Kaspersky.
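To make the triage of logs like the ones above concrete, here is an added example (not from the original post, and not HijackThis code) that parses the O4 autostart lines copied from Log 1 and Log 2, flags the entries an analyst would look at first, and diffs the two logs to show which autostarts the cleanup removed. The heuristics are this editor's assumptions about what deserves a second look, not a verdict that an entry is malicious: a RunServices entry on an NT-based system (that key is only honoured by Windows 9x/ME, so an XP installer has no reason to write it, while bots commonly write Run and RunServices together), a command that is a bare filename with no path, and a program started from a temp or browser-cache directory. On Log 1 the two `mouseutils.exe` entries trip these checks, and both are gone in Log 2.

```python
import re
from dataclasses import dataclass

# The O4 (autostart) lines from the two HijackThis logs posted above, copied
# inline so this runs offline. LOG1 is the scan before cleanup, LOG2 after.
LOG1 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
"""
LOG2 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
"""

# Registry-backed O4 lines: "O4 - HKLM\..\Run: [Name] command"
O4_REGISTRY = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder O4 lines: "O4 - Global Startup: file.lnk = command"
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Directory fragments (English and the Spanish XP names seen in the logs) that a
# legitimate autostart should never point into. Editor's assumption, not a standard list.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\",
                "\\archivos temporales de internet\\", "\\content.ie5\\")


@dataclass(frozen=True)
class AutoStart:
    key: str   # registry key or startup folder
    name: str  # value name or .lnk name
    cmd: str   # command line as HijackThis printed it

    def label(self) -> str:
        return f"{self.key} [{self.name}] {self.cmd}"


def parse_o4(log: str) -> list[AutoStart]:
    """Extract every O4 entry from a HijackThis log; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_REGISTRY.match(line) or O4_STARTUP.match(line)
        if m:
            entries.append(AutoStart(m["key"], m["name"], m["cmd"].strip()))
    return entries


def executable_of(cmd: str) -> str:
    """Return the program part of a command line, dropping its arguments.
    Paths may contain spaces ("Archivos de programa"), so split after the first
    token that ends in an executable extension rather than on whitespace."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|dll|bat|cmd|pif))(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def flags_for(entry: AutoStart) -> list[str]:
    """Heuristic reasons an analyst should look at this entry first (may be empty)."""
    reasons = []
    exe = executable_of(entry.cmd)
    if entry.key.lower().endswith("runservices"):
        reasons.append("RunServices key: ignored by NT-based Windows, commonly written by bots alongside Run")
    if "\\" not in exe:
        reasons.append("bare filename resolved by PATH search, not an installer-written full path")
    if any(marker in exe.lower() for marker in TEMP_MARKERS):
        reasons.append("runs out of a temp or browser-cache directory")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map each suspicious O4 entry (by label) to the reasons it was flagged."""
    return {e.label(): flags_for(e) for e in parse_o4(log) if flags_for(e)}


def removed_between(before: str, after: str) -> set[str]:
    """Autostart entries present in the earlier log but absent from the later one."""
    return {e.label() for e in parse_o4(before)} - {e.label() for e in parse_o4(after)}


if __name__ == "__main__":
    for label, reasons in triage(LOG1).items():
        print("SUSPICIOUS:", label)
        for r in reasons:
            print("   -", r)
    print("Removed by cleanup:")
    for label in sorted(removed_between(LOG1, LOG2)):
        print("   ", label)
```

The diff is deliberately separate from the flagging: the cleanup also dropped the MSConfig `/auto` entry and the Nokia PcSync entry, which the heuristics do not flag, so comparing before/after logs tells you what changed, while the heuristics tell you what to investigate.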
