Topic: Please help with douzy of a virus (logs posted)

sean32 (Newbie)
« on: May 01, 2005, 09:11:35 AM »
I got this virus the other day through MSN Messenger. All I know about it right now is what it does to my system. I haven't found any other info about it on the web. It runs a program called lbs.exe. When I open up Task Manager it has something called project1 as the application, and under Processes it is associated with lbs.exe. One thing I've noticed about it is that it makes sure my avast! antivirus does not auto-start on startup. When I delete the lbs.exe file, it seems to just redownload itself from the web, as it appears again later, right after my avast! icon spins (detecting internet use). Any help would be greatly appreciated. Here is my HijackThis log file...

Logfile of HijackThis v1.99.1
Scan saved at 9:56:03 AM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\mouseutils.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\lbs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100749368071
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

guestolo (Administrator)
« Reply #1 on: May 01, 2005, 01:57:53 PM »
I've been using Jotti's a few times today, why stop now :D
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\system32\mouseutils.exe <-file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


sean32 (Newbie)
« Reply #2 on: May 01, 2005, 04:10:12 PM »
Thank you so much for your help guestolo. mouseutils.exe sounds like the virus file to me. Avast! didn't detect it as one, but Jotti's did; here are the results...

File:  mouseutils.exe  
Status:  INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)  
MD5  da1da38f604a60a769dbc3830e87fa1d  
Packers detected:  PE_PATCH
Scanner results  
AntiVir  Found Worm/Bropia.J  
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found Win32.4 (probable variant)  
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

So can I just manually delete the file, or what can I do to get rid of it?

guestolo (Administrator)
« Reply #3 on: May 01, 2005, 07:16:40 PM »
Please Print this out or save these instructions to a Notepad file and save it to your Desktop

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Find and delete these files
C:\lbs.exe
C:\WINDOWS\system32\mouseutils.exe

Restart back to Normal mode

I've seen lbs.exe before; it usually has other files accompanying it too
Could you do the following
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract
Temporarily disable Avast protection
In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and highlight all the info in the lower pane, then use the CTRL and C keys on your keyboard to copy everything found in the lower pane and paste it back here in your reply

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Also post back a fresh Hijackthis log

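The two things guestolo keyed on in this thread, a process running from the root of C:\ with no autostart entry of its own and a bare "mouseutils.exe" registered under both Run and RunServices, can be pulled out of a HijackThis log mechanically. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools named above. The function names, the severity labels and the "trusted" directory prefixes are this example's own choices, and the sample log is a trimmed copy of the first log posted in this thread. RunServices is a Windows 9x/Me-era key that XP does not use, which is why an entry there is rated high on its own.

```python
"""Triage a HijackThis 1.99 log for the persistence pattern seen in this thread.

Hypothetical helper, not a HijackThis feature. It reads the "Running
processes" block and the O4 autostart lines of a log and flags:
  - a process running from somewhere no installer puts binaries
    (drive root, Temp, Temporary Internet Files),
  - an O4 entry that is a bare file name with no path, so it is found
    via the system search path rather than a fixed location,
  - an O4 entry under RunServices, a Windows 9x/Me-era key that XP
    does not use and XP-era software has no reason to write,
  - the same name + image registered under more than one Run key.
Severities are this example's own choice, not a HijackThis rating.
"""
import re
import sys

# Constructed sample: a trimmed copy of the first HijackThis log in the thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
C:\\WINDOWS\\system32\\mouseutils.exe
C:\\lbs.exe
C:\\Program Files\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.ca/
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\\..\\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [Name] command line"  (Global Startup lines are not O4 registry entries)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Lower-cased prefixes where installed software lives on an XP box (example's own list).
TRUSTED_PARENTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\locals~1\\tempor~1\\")


def command_image(cmd):
    """Return the executable part of an O4 command line, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse(log_text):
    """Split a HijackThis log into its process list and its O4 registry entries."""
    processes, autostarts = [], []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # blank line ends the process block
            continue
        m = O4_RE.match(line)
        if m:
            autostarts.append(m.groupdict())
    return processes, autostarts


def triage(log_text):
    """Return a list of (severity, kind, detail) findings for one log."""
    processes, autostarts = parse(log_text)
    findings = []
    for proc in processes:
        low = proc.lower()
        if any(d in low for d in SUSPICIOUS_DIRS):
            findings.append(("high", "process-from-temp", proc))
        elif not low.startswith(TRUSTED_PARENTS):
            findings.append(("high", "process-outside-install-dirs", proc))
    by_key = {}  # (name, image) -> list of Run keys it was registered under
    for entry in autostarts:
        image = command_image(entry["cmd"])
        label = f"[{entry['name']}] {image}"
        if entry["key"].lower() == "runservices":
            findings.append(("high", "runservices-key", label))
        if "\\" not in image:
            findings.append(("low", "bare-filename", label))
        by_key.setdefault((entry["name"].lower(), image.lower()), []).append(entry["key"])
    for (name, image), keys in by_key.items():
        if len(keys) > 1:
            findings.append(("high", "duplicate-persistence", f"[{name}] {image} in {'+'.join(keys)}"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sev, kind, detail in triage(text):
        print(f"{sev:4} {kind:30} {detail}")
```

Run against the sample it reports C:\lbs.exe as a process outside any install directory, the RunServices entry, and the fact that the same "[Windows Mouse Utilities] mouseutils.exe" pair is registered twice. A bare file name on its own is rated low on purpose: the same log has nwiz.exe and BCMSMMSG.exe registered that way by NVIDIA and Broadcom, so that signal only matters in combination with the others. Expect HijackThis.exe itself to be flagged when it is run from My Documents, as in the last log of this thread; the script points at things to look at, it does not decide.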


sean32 (Newbie)
« Reply #4 on: May 01, 2005, 09:23:01 PM »
Thank you very much, as it seems your suggested actions have taken care of the aforementioned virus. I will post the Mwav virus log first.

File C:\DOCUME~1\SEAN\LOCALS~1\Temp\trgen-yourbrain_277797-default.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\SEAN\LOCALS~1\TEMPOR~1\Content.IE5\0TUVWHQV\activ-x[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\navapp.exe infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\NHelper.dll infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\NHUninstaller.exe infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\NHUpdater.exe infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\FRANK\Local Settings\Temp\temp.fr032D\v2.0.4d\v2.0.4d.cab infected by "not-a-virus:AdWare.NavExcel.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\LAURA\Local Settings\Temp\asmfiles.cab infected by "not-a-virus:AdWare.Altnet.l" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\SEAN\Local Settings\Temp\trgen-yourbrain_277797-default.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\SEAN\Local Settings\Temporary Internet Files\Content.IE5\0TUVWHQV\activ-x[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\SEAN\My Documents\My Apps\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File C:\Documents and Settings\SEAN\My Documents\My Apps\Sony Soundforge 7.0 + Keygen + Patch Fr + Plugins.rar tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000004 infected by "not-a-virus:AdWare.Gator.a" Virus. Action Taken: No Action Taken.

File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000005 infected by "not-a-virus:AdWare.Gator.a" Virus. Action Taken: No Action Taken.

File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000006 infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\Program Files\Alwil Software\Avast4\DATA\chest\00000007 infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.

File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0017370.dll infected by "not-a-virus:AdWare.NavExcel.i" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0017371.dll infected by "not-a-virus:AdWare.NavExcel.i" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0017372.exe infected by "not-a-virus:AdWare.NavExcel.i" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017965.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017966.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017967.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017968.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017969.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017970.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017971.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017972.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017973.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017974.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017975.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017982.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.af" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017997.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP114\A0017998.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018006.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018007.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018008.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018009.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018010.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018047.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018048.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018049.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP115\A0018050.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0018995.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0018996.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.

Here is the HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 10:18:58 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100749368071
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thanks again for the help, and I hope this helps you.

guestolo (Administrator)
« Reply #5 on: May 01, 2005, 09:41:59 PM »
Some bad files are in your Temp folders
Some are backed up in your System Restore folder

Can you do the following

Download and install this small program
to help clean your temp folders, cookies, etc.
Windows Cleanup
Give the link time to load or try it twice, it may be busy
After installation
I like to run this in safe mode to ensure limited programs are running
In safe mode
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done
Instead restart the computer

Back in Windows
If everything is running better

You should disable System Restore, restart your computer, then re-enable System Restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 also



Offline gUzAnO

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Please help with douzy of a virus (logs posted)
« Reply #6 on: May 07, 2005, 08:35:44 PM »
Hi.. I was just looking for some weird stuff on my PC and I got directed here... well, I just seem to have the same problem, so I followed the same steps. It kinda worked somehow, however there are some "not-a-virus" adwares/bots that are in other directories rather than System Restore or my TEMP. I call for aid in this thread, though it has been very helpful for the first one who posted here... I'll be posting the virus results and the former HijackThis log and the earlier one. Hope you can help me, thanks in advance :)

Log 1

Logfile of HijackThis v1.99.1
Scan saved at 19:19:12, on 07-05-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_ES_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

VIRUS RESULTS

File System Found infected by "IstBAR Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "IstBAR Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mwsoemon Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\system.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\wlvdmnrqhhb.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MSN Messenger\riched20.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3CJPEG.DLL infected by "not-a-virus:AdWare.FunWeb.d" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HISTSW.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HTMLMU.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3PSSAVR.SCR infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3RESTUB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3SCHMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\F3WPHOOK.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\M3OUTLCN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\M3SKIN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOESTB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GDARCXA3\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\MSN[2].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Archivos temporales de Internet\Content.IE5\GXU3OPMF\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Camila\Configuración local\Temp\pzpgvchufa.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\KP27CHIV\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\M70F52JI\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\PNBFPXGQ\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\X2IQARO9\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\XQY9YOEM\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Configuración local\Temp\wlvdmnrqhhb.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\backups\backup-20050416-141636-826.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\backups\backup-20050416-141637-102.dll infected by "not-a-virus:AdWare.WinAD.ad" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\0HUBGPAR\MSN[2].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\AHDL92N6\MSN[1].exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Archivos temporales de Internet\Content.IE5\XQY9YOEM\new[1].exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Pauli\Configuración local\Temp\mzrpoqbopg.exe infected by "Backdoor.Win32.Agobot.aby" Virus. Action Taken: No Action Taken.
File C:\mIRC\SYSTEM\mirc32.exe tagged as not-a-virus:RiskWare.mIRC.5.9.1. No Action Taken.
File C:\mmm.exe infected by "IM-Worm.Win32.Prex.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Archivos temporales de Internet\Content.IE5\7ZR1BUDN\bridge-c18[1].cab infected by "not-a-virus:AdWare.WinAD.ad" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Archivos temporales de Internet\Content.IE5\UGWX4WLJ\a072aa[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\system.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Log 2

Logfile of HijackThis v1.99.1
Scan saved at 21:36:56, on 07-05-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\mwavscan.com
C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\kavss.exe
C:\Documents and Settings\gUzAnO\Mis documentos\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = C:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_ES_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Now I'm downloading SpywareBlaster 3.3, but I don't know how to download the other stuff. Thanks for your future help.

BTW I have WinXP Pro, neither SP1 nor SP Express... (got no valid key for it xD). I was using AVG 7.0 and got a weird "error": it says it cannot get the update because it's damaged or badly installed. It was running quite well before, don't know what happened, though I'm switching to Kaspersky.
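The helpers in this thread read the HijackThis O4 and O23 lines by eye. The script below is an added example, not part of the thread and not HijackThis' own code, that applies three of the same triage heuristics mechanically: a Run-key command whose executable is a bare file name with no path (such as `mouseutils.exe` in Log 1 above), an entry written under the Windows 9x-era `RunServices` key, and an O23 service whose binary is reported as `(file missing)`. The sample lines are copied from Log 1 and are the only input; the rule names and the `triage` function are this example's own inventions, and a flag means "look closer", not "malicious".

```python
import re

# Constructed sample: O4/O23 lines copied from Log 1 in this thread, including
# benign entries (AVG, ctfmon, the ATI service) so the rules have something to pass.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe",
    r"O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# HijackThis prints registry autostarts as:  O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Services are printed as:  O23 - Service: DisplayName - Owner - path [ (file missing) ]
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")

# Hypothetical rule names used by this example only.
EXPLAIN = {
    "no-path": "executable given without a path; it resolves via the search path, not a fixed location",
    "runservices": "RunServices is a Windows 9x-era key rarely written by legitimate software on XP",
    "file-missing": "service still registered but its binary is gone (leftover or half-removed component)",
}


def first_token(cmd):
    """Return the executable part of a Run-key command line.

    Handles a quoted path ("C:\\Program Files\\x.exe" /a) and the plain form
    (C:\\path\\x.exe /STARTUP); arguments after the executable are dropped.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Scan HijackThis-style lines and return the ones that trip a rule.

    Each finding is {"line": <original line>, "reasons": [rule names]}, in log order.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            # A bare name has neither a directory separator nor a drive colon.
            if "\\" not in exe and ":" not in exe:
                reasons.append("no-path")
            if m.group("key").lower().startswith("runservices"):
                reasons.append("runservices")
        else:
            m = O23_RE.match(line)
            if m and m.group("rest").endswith("(file missing)"):
                reasons.append("file-missing")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r + ":", EXPLAIN[r])
```

Run against the sample it reports the two `mouseutils.exe` entries (the second with both `no-path` and `runservices`) and the orphaned rpcapd service, while the AVG, ctfmon and ATI lines pass. The `Global Startup` form of O4 uses a different layout and is deliberately not parsed here.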