Messages - chrislosch

1
Tech Clinic / "Your System is Infected!"
« on: August 02, 2005, 07:58:02 AM »
bump please

2
Tech Clinic / "Your System is Infected!"
« on: July 28, 2005, 12:25:01 PM »
I am having a hell of a time with these pop-ups and spyware. I had the "Your System is Infected!" desktop for a while but got rid of that. Below I have posted my HijackThis scan and the results of a Panda Active scan. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:21:28 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\schmxs.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\System32\savshare.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\closch\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/CLosch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - {DC6516B6-3C2C-C0F4-0211-FD842AA8F341} - gabber.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [forces_elite] ms-its.exe
O4 - HKLM\..\Run: [PrcIdle] DTOURS.exe
O4 - HKLM\..\Run: [o48U36l] schmxs.exe
O4 - HKLM\..\Run: [dmnmp.exe] C:\WINDOWS\System32\dmnmp.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Z3r8RWJpP] savshare.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [prcmon] MSTCPDLL.exe
O4 - HKCU\..\Run: [MONITER] NopeZ.exe
O4 - HKCU\..\Run: [dialer423] newbreed.exe
O4 - HKCU\..\Run: [uuoo] C:\PROGRA~1\COMMON~1\uuoo\uuoom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E9F18F-1EDE-425C-9A75-03329B633AC7}: NameServer = 195.95.218.1,85.255.112.7
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Adobe Acrobat 5.0 - {C92D9B33-729F-039B-5662-61F6F97E5654} - c:\program files\adobe\acrobat 5.0\reader\wpeptuf3.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Panda Active:


Incident                            Status          Location

Virus:Trj/Qhost.BP                  Disinfected     Operating system
Adware:Adware/ConsumerAlertSystem   No disinfected  C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/SpySheriff            No disinfected  C:\WINDOWS\System32\vxh8jkdq2.exe
Adware:Adware/ConsumerAlertSystem   No disinfected  C:\Program Files\Cas\Client\casclient.exe
Adware:adware/adsmart               No disinfected  C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\1.qtdfmp
Adware:adware/consumeralertsystem   No disinfected  C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\cassetup.exe
Spyware:spyware/wareout             No disinfected  C:\WINDOWS\SYSTEM32\loadctr32.exe
Adware:adware/topspyware            No disinfected  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/cws                   No disinfected  C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Adware:adware/spysheriff            No disinfected  C:\winstall.exe
Adware:adware/sidesearch            No disinfected  C:\PROGRAM FILES\Lycos
Adware:adware/apropos               No disinfected  C:\PROGRAM FILES\Aprps
Adware:adware/twain-tech            No disinfected  C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\THI6885.tmp
Adware:adware/bookedspace           No disinfected  C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\bs54D3.tmpbsx32
Adware:adware program               No disinfected  C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/elitebar              No disinfected  C:\DOCUMENTS AND SETTINGS\CLOSCH\FAVORITES\Casino & Carrers
Adware:adware/pacimedia             No disinfected  HKEY_CURRENT_USER\SOFTWARE\PSOF1
Spyware:spyware/surfsidekick        No disinfected  HKEY_CURRENT_USER\SOFTWARE\SURFSIDEKICK3
Adware:adware/wintools              No disinfected  HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Spyware:spyware/safesurf            No disinfected  HKEY_LOCAL_MACHINE\SOFTWARE\RICHED
Spyware:spyware/bargainbuddy        No disinfected  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\BARGAINBUDDY
Adware:adware/cws.aboutblank        No disinfected  HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTOCOLS\FILTER\TEXT/HTML\CLSID
Adware:adware/searchexe             No disinfected  HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
Spyware:Spyware/SafeSurf            No disinfected  C:\WINDOWS\system32\InstallerV3.exe
Adware:Adware/ClkOptimizer          No disinfected  C:\WINDOWS\system32\kwwdhgg.dll
Adware:Adware/SpySheriff            No disinfected  C:\WINDOWS\system32\vxh8jkdq2.exe
Virus:Trj/DelCache.A                Disinfected     C:\WINDOWS\system32\csspr.exe
Virus:Trj/Clicker.FV                Disinfected     C:\Documents and Settings\closch\Local Settings\Temp\9D.tmp
Spyware:Spyware/SurfSideKick        No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\i4.tmp
Virus:Trj/Qoologic.G                Disinfected     C:\Documents and Settings\closch\Local Settings\Temp\9E.tmp
Spyware:Spyware/SafeSurf            No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\thin_installer.exe
Spyware:Spyware/SafeSurf            No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\asfjkk32.tmp
Adware:Adware/Look2Me               No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\nsh_104.exe
Spyware:Spyware/SurfSideKick        No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\i75.tmp
Virus:Trj/Downloader.DOC            Disinfected     C:\Documents and Settings\closch\Local Settings\Temp\1.qtdfmp
Adware:Adware/ConsumerAlertSystem   No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\cassetup.exe
Adware:Adware/SpySheriff            No disinfected  C:\Documents and Settings\closch\Local Settings\Temp\2.qtdfmp
Virus:Trj/Downloader.DHI            Disinfected     C:\Documents and Settings\closch\Local Settings\Temp\5.qtdfmp
Virus:Trj/Downloader.DJV            Disinfected     C:\Documents and Settings\closch\Local Settings\Temp\EF.tmp
Virus:Trj/Qoologic.G                Disinfected     C:\Documents and Settings\closch\Local Settings\Temp\3CF.tmp
Adware:Adware/Pacimedia             No disinfected  C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/ConsumerAlertSystem   No disinfected  C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/ConsumerAlertSystem   No disinfected  C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystem   No disinfected  C:\Program Files\Cas\Client\Uninstall.exe
Adware:Adware/Apropos               No disinfected  C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/SpySheriff            No disinfected  C:\winstall.exe

3
Tech Clinic / Need Spyware help Please.
« on: May 24, 2005, 07:43:42 AM »
Here is the new log. And I forgot that when I originally tried running Windows Clean-up the link wasn't working and I forgot to go back to it. It still isn't working.

Logfile of HijackThis v1.99.1
Scan saved at 8:42:04 AM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

4
Tech Clinic / Need Spyware help Please.
« on: May 23, 2005, 03:05:06 PM »
Thanks so much. Here are my reports: (Note: I had the AutoUpdate file)

Logfile of HijackThis v1.99.1
Scan saved at 4:02:38 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\DOCUME~1\closch\LOCALS~1\Temp\HijackThis.exe




---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         3:49:46 PM, 5/23/2005
 + Report-Checksum:      C407DC2C

 + Date of database:      5/23/2005
 + Version of scan engine:   v3.0

 + Duration:            11 min
 + Scanned Files:         52708
 + Speed:            75.56 Files/Second
 + Infected files:         76
 + Removed files:         76
 + Files put in quarantine:      76
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper.ab -> Cleaned with backup
   C:\WINDOWS\system\lalak.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
   C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
   C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
   C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\My404.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\lqkozepc.exe -> Spyware.BookedSpace.e -> Cleaned with backup
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@dcsi8dupuerp17vzhd59b2lwc_8u5u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S005-01-6-28-254547-85570[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S005-01-6-28-254547-85610[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\djebmm350.exe -> Spyware.Broadcap.a -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\pcs_0006.exe -> Spyware.Pacer.b -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcsi8dupuerp17vzhd59b2lwc_8u5u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S005-01-6-28-254547-85570[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcszqjbnh21e5hmqkbwitxmhi_8f9v[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0012-01-1-7-217494-47679[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@15876760[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S005-01-6-28-254547-85570[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@10620967[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[5].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@72067136[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcs9vjhcvoifwzvpkr3ppi958_9w3d[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@shopnav[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcsw8cxeoau4fifujx3tdt6ky_7s8w[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@exitexchange[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020344.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020349.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020352.exe -> Spyware.WebSearch.aj -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020368.dll -> Spyware.CoolBar.a -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020370.exe -> Spyware.DealHelper.x -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020373.exe -> Spyware.Apropos -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020383.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020384.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020385.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020386.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020387.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020389.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020414.exe -> Trojan.Nail -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020466.dll -> Trojan.Agent.db -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020520.EXE -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020521.EXE -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020529.exe -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020530.exe -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020574.exe -> Trojan.Nail -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020575.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020576.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020577.dll -> Spyware.EliteBar.af -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020578.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020581.exe -> Spyware.Apropos -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020584.dll -> Spyware.Wintol.y -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020585.exe -> TrojanDownloader.Wintool.f -> Cleaned with backup


::Report End

5
Tech Clinic / Need Spyware help Please.
« on: May 23, 2005, 08:25:41 AM »
Can someone please help me get rid of these pop-ups? Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:01 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [fpoknn] c:\windows\system32\gwzhrk.exe
O4 - HKLM\..\Run: [o48U36l] cluaze.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteiez32.exe
O4 - HKCU\..\Run: [Z3r8RWJpP] cidmsnap.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Yahoo! MLB StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
