Author Topic: Trojans, Adware, and HTML exploits.  (Read 1418 times)

Offline hie

Trojans, Adware, and HTML exploits.
« on: January 02, 2007, 07:34:01 PM »
Well, I think my computer hates me or something. It always gets viruses all the time, and I've been getting warnings from Avast AV about a Trojan/backdoor trying to get in. blah.

Anyway, I ran an AVG scan to see where they were coming from; here it is:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:    4:15:42 PM 1/2/2007

 + Scan result:    



C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195646.dll -> Adware.Companion : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195647.dll -> Adware.WinAD : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195648.dll -> Adware.WurldMedia : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195649.exe -> Adware.ZenoSearch : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195650.exe -> Adware.ZenoSearch : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195651.exe -> Adware.ZenoSearch : deleted.
C:\Documents and Settings\john.GENARDONE\Local Settings\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\Cache\26A5D297d01/me-beast.exe -> Backdoor.Beastdoor.201.a : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195643.ocx -> Downloader.IstBar : deleted.
C:\Documents and Settings\john.GENARDONE\Local Settings\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\Cache\26A5D297d01/cmd.asp -> Downloader.Iwill.a : deleted.
C:\Documents and Settings\john.GENARDONE\Local Settings\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\Cache\26A5D297d01/cmd.txt -> Downloader.Iwill.b :  deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195644.exe -> Dropper.Agent.abb : deleted.
C:\Documents and Settings\john.GENARDONE\Local Settings\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\Cache\26A5D297d01/cmd.aspx -> Not-A-Virus.Exploit.HTML.CodeBaseExec : deleted.
:mozilla.66:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.2o7 : deleted.
:mozilla.67:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.2o7 : deleted.
:mozilla.36:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Advertising : deleted.
:mozilla.37:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Advertising : deleted.
:mozilla.38:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Advertising : deleted.
:mozilla.39:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Advertising : deleted.
:mozilla.62:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Atdmt : deleted.
:mozilla.53:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Casalemedia : deleted.
:mozilla.54:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Casalemedia : deleted.
:mozilla.55:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Casalemedia : deleted.
:mozilla.22:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Doubleclick : deleted.
:mozilla.51:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Fastclick : deleted.
:mozilla.52:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Fastclick : deleted.
:mozilla.56:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Mediaplex : deleted.
:mozilla.57:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Mediaplex : deleted.
:mozilla.18:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.19:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.20:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.21:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.23:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.24:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.25:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Trafficmp : deleted.
:mozilla.42:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Yieldmanager : deleted.
:mozilla.43:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Yieldmanager : deleted.
:mozilla.44:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Yieldmanager : deleted.
:mozilla.45:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Yieldmanager : deleted.
:mozilla.46:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.Yieldmanager : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195645.vbs -> Trojan.Small : deleted.


::Report end

Here's my HJT log in case you need it.

Logfile of HijackThis v1.99.1
Scan saved at 4:26:02 PM, on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\AOL\1128897297\ee\AOLSoftware.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\wEmail Removedexe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\program files\common files\aol\1128897297\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1128897297\ee\aolsoftware.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\john.GENARDONE\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128897297\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [WinSSHD Activation State Checker] "C:\Program Files\Bitvise WinSSHD\WinsshdActStateCheck.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?cdebd562e107428da4af1da7a63b04a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?cdebd562e107428da4af1da7a63b04a
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128896977350
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinSSHD - Bitvise - C:\Program Files\Bitvise WinSSHD\WinSSHD.exe

I was just wondering if you could tell me if the viruses are gone and where they're coming from (I already know where the tracking cookies are coming from, but I don't really know how to delete the traces they leave), since with the Backdoor virus I have it's really hard to tell if it's gone or when it comes back. Thanks in advance again ;)
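As an added example for the question above (not code from this thread, from AVG, or from HijackThis), the script below parses AVG Anti-Spyware report lines like the ones posted and sorts each detection by where it was found. The point guestolo makes later in the thread is that the location says more than the name: a hit under System Volume Information is a copy inside an old System Restore point and is not running, a tracking cookie is only a privacy nuisance, while a file in the Firefox cache was downloaded by the browser and is the one to check autostart entries and running processes against. The function names, the location classes and the severity buckets are this example's own assumptions; the sample lines are copied from the report above.

```python
"""Triage an AVG Anti-Spyware scan report by *where* each detection lives.

Added example for this thread, not code from the thread or from AVG. It
reads report lines of the form

    <path> -> <Name> : <action>.
    :mozilla.<n>:<cookies.txt path> -> TrackingCookie.<x> : <action>.

and sorts each hit into a location class, because the location says more
about risk than the detection name does.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the AVG report posted above in this thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195646.dll -> Adware.Companion : deleted.
C:\Documents and Settings\john.GENARDONE\Local Settings\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\Cache\26A5D297d01/me-beast.exe -> Backdoor.Beastdoor.201.a : deleted.
C:\Documents and Settings\john.GENARDONE\Local Settings\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\Cache\26A5D297d01/cmd.aspx -> Not-A-Virus.Exploit.HTML.CodeBaseExec : deleted.
:mozilla.66:C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla\Firefox\Profiles\hvf8ao1m.default\cookies.txt -> TrackingCookie.2o7 : deleted.
C:\System Volume Information\_restore{6D0ABD20-4477-4337-A720-347A5E92D674}\RP402\A0195645.vbs -> Trojan.Small : deleted.
::Report end
"""

LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?)\s+->\s+(?P<name>\S+)\s+:\s+(?P<action>\w+)\.$"
)

# Detection-name families grouped by how much they matter on a live system
# (assumed buckets for this example, not AVG's own rating).
HIGH_FAMILIES = {"Backdoor", "Trojan", "Dropper", "Downloader"}
LOW_FAMILIES = {"TrackingCookie"}

# Plain-language meaning of each location class, for the printed summary.
LOCATION_NOTES = {
    "restore_point": "inert copy inside an old System Restore point; purge old points after making a fresh one",
    "browser_cache": "downloaded by the browser; check autostart entries and running processes for anything referencing it",
    "cookie": "tracking cookie; privacy nuisance, no code execution",
    "other": "outside caches and restore points; treat as potentially active",
}


@dataclass
class Detection:
    path: str
    name: str
    action: str
    location: str
    severity: str


def classify_location(path: str, is_cookie: bool) -> str:
    p = path.lower().replace("/", "\\")
    if is_cookie or p.endswith("cookies.txt"):
        return "cookie"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\cache\\" in p:
        return "browser_cache"
    return "other"


def classify_severity(name: str) -> str:
    parts = name.split(".")
    # AVG prefixes riskware with "Not-A-Virus."; the real family follows it.
    family = parts[1] if parts[0] == "Not-A-Virus" and len(parts) > 1 else parts[0]
    if family in HIGH_FAMILIES:
        return "high"
    if family in LOW_FAMILIES:
        return "low"
    return "medium"


def parse_report(text: str) -> list[Detection]:
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # headers, blank lines, "::Report end"
            continue
        loc = classify_location(m["path"], m["idx"] is not None)
        found.append(Detection(m["path"], m["name"], m["action"], loc, classify_severity(m["name"])))
    return found


def summarize(dets: list[Detection]) -> dict[str, int]:
    return dict(Counter(d.location for d in dets))


def needs_attention(dets: list[Detection]) -> list[Detection]:
    """Hits that are neither in an old restore point nor a cookie."""
    return [d for d in dets if d.location not in ("restore_point", "cookie")]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print("by location:", summarize(dets))
    for d in needs_attention(dets):
        print(f"[{d.severity}] {d.name}: {LOCATION_NOTES[d.location]}")
```

Run against the five sample lines it reports two restore-point copies, two Firefox-cache files and one cookie, and singles out the Beastdoor executable and the CodeBaseExec page as the entries to follow up, which matches where the discussion in this thread ends up.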

Offline guestolo

Trojans, Adware, and HTML exploits.
« Reply #1 on: January 02, 2007, 09:53:32 PM »
Sorry about not posting back to your other thread to do some final steps.
Where is Avast finding this file?

Was it in the System Volume Information folder? If so, you're safe; you just have to do some final steps.
« Last Edit: January 02, 2007, 09:54:34 PM by guestolo »

Do you want to post your own logs from FRST? Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline hie

Trojans, Adware, and HTML exploits.
« Reply #2 on: January 02, 2007, 10:04:31 PM »
I am not sure. Most of the viruses, like the tracking cookies, were in my Mozilla Documents and Settings folder, but I remember seeing a few of the Trojans and adware viruses in my system folder. I can't remember the exact location of the traces though, sorry.

Offline Mod Ryan

Trojans, Adware, and HTML exploits.
« Reply #3 on: January 02, 2007, 10:22:07 PM »
Tracking cookies are nothing too hard to deal with, unless they are generated by the trojans you have, in which case they can be little pests. If you're in a pickle with the cookies, try downloading Ad-Aware; it's great and gets rid of most spyware.

Offline hie

Trojans, Adware, and HTML exploits.
« Reply #4 on: January 02, 2007, 10:26:45 PM »
Yeah, I don't really care about the tracking cookies; it's mostly the Trojan and Backdoor.Beast that I am worried about.

Offline guestolo

Trojans, Adware, and HTML exploits.
« Reply #5 on: January 02, 2007, 10:35:50 PM »
Can you try the following, hie?

Install SpywareBlaster 3.5.1 by JavaCool. It will:
    * block bad ActiveX controls
    * block malevolent cookies in Internet Explorer and Firefox
    * restrict the actions of potentially dangerous sites in Internet Explorer
After installation, check for updates.
After updating, select "Protection" on the left, then select "Enable all Protection".
Check for updates every couple of weeks; after every update, simply click "Enable protection on all unprotected items".

Download ATF-Cleaner by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click create
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating.

Select the 'More Options' tab
and click Cleanup under System Restore
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

Reboot your computer
It's normal for startup to be a bit slower after running ATF-Cleaner
Startup speed will improve after a couple of reboots

Ensure Avast is totally updated and run a scan, see if it finds anything
I noticed you used to have McAfee
I still see entries in your log related to it; did you totally uninstall it?
« Last Edit: January 02, 2007, 10:36:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Mod Ryan

  • Sr. Member
  • ****
  • Posts: 441
  • Karma: +0/-0
    • View Profile
    • http://runecore.com <--- there still fags.
Trojans, Adware, and HTML exploits.
« Reply #6 on: January 02, 2007, 10:37:51 PM »
Hi,

Are there any numbers or letters after the virus name "backdoor.beast"? Is there a Z or some numbers?
« Last Edit: January 02, 2007, 11:22:36 PM by guestolo »












[color=\"gold\"]CONTACT CARD[/color]



[color=\"gold\"]MSN Details:[/color] [color=\"blue\"] R9_Ronaldo_R10@hot mail.com [/color]





[color=\"gold\"]REPUTATION Details :[/color]



[color=\"blue\"]TTG Elite Anti-Scammer

Owner And Root Admin Of RuneCore

Admin Of RuneCore TS Chat

Admin Of RS2MM

Admin Of W/E

Admin Of Carbon-Gaming

Admin Of Ban Jagex

Admin Of RSAAA

Admin Of Rune-Plate

Admin And Owner Of RuneScape Supreme

Global Mod On RS-Elite

Global Mod On Projekt RS2

Global Mod On RsCheatNetwork

Global Mod On Hostile

[/color]



[color=\"gold\"]RYANS TRANSACTIONS[/color]



[color=\"gold\"]Sold Mem. Pin to [/color][color=\"red\"]SPIN [/color][color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Mem. Pin to [/color][color=\"red\"]LAKOTA[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Mem. Pin to [/color][color=\"red\"]SHRIMPY[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Pure, 3.8M to[/color] [color=\"red\"]ISH[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Level 98, 20M to [/color][color=\"red\"]CASANOVA[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Bought An Ownage Pure From[/color] [color=\"red\"]I R MEXICAN[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Bought 15M From[/color] [color=\"red\"]FLAME7420[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Mem. Pin To [/color][color=\"red\"]LINPAPAZ[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Mem. Pin To [/color][color=\"red\"]LAKOTA[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold 12M To[/color] [color=\"red\"] SEAN1390 [/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold 23M to [/color][color=\"red\"]BURNSY[/color] [color=\"green\"]COMPLETE[/color]

[color=\"red\"]B O N 3 S[/color][color=\"gold\"] Leveling Up My Pure [/color][color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold A Level 59 Pure To [/color][color=\"red\"]B O N 3 S[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold[/color] [color=\"red\"]DREATH[/color][color=\"gold\"] 50M [/color][color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin To[/color] [color=\"red\"]THE CEREAL BOWL[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Level 98 Main 15M To [/color][color=\"red\"]TAMEDOG [/color][color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold Mem. Pin To [/color][color=\"red\"]LAKOTA[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin To [/color][color=\"red\"]YORGK[/color] [color=\"green\"]COMPLETE[/color]

[color=\"red\"]B 0 N 3 S[/color] [color=\"gold\"]Trained My Main [/color][color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Bought Level 89 From[/color] [color=\"red\"]I R MEXICAN[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Bought Level 96 From [/color][color=\"red\"]STENSILIW[/color] [color=\"green\"]COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin to [/color][color=\"red\"] SEAN1390 [/color] [color=\"green\"] COMPLETE [/color]

[color=\"red\"]DREATH[/color][color=\"gold\"] Trained My pure [/color][color=\"green\"] DIDN'T GET ANY XP AT ALL [/color]

[color=\"gold\"]Bought Empire Banner From[/color] [color=\"red\"]LEETSAUCE[/color] [color=\"green\"]COMPLETE[/color]

[color=\"gold\"]Sold 8M To [/color][color=\"red\"] D A M A G E [/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Bought 7M From [/color][color=\"red\"]FLAME7420[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Member Pin. To [/color][color=\"red\"]24 KABUTOPS[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Rune Pure To [/color][color=\"red\"]QUANNY[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin To[/color] [color=\"red\"]EKKE[/color] [color=\"green\"] COMPLETE[/color]

[color=\"gold\"]Sold Santa hat to[/color] [color=\"red\"]S P R O A T[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin To[/color] [color=\"red\"]MAHATMA[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Bought Website Removed for Spamming Banner From [/color][color=\"red\"]LEETSAUCE[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin To [/color][color=\"red\"]RS2 BUYER[/color] [color=\"green\"] COMPLETE MM = PRO EDGE [/color]

[color=\"gold\"]Sold Mem. Pin To[/color] [color=\"red\"]DEVILMAN[/color] [color=\"green\"] COMPLETE I WENT FIRST [/color]

[color=\"gold\"]Bought 12.5M From[/color] [color=\"red\"]DEVILMAN[/color] [color=\"green\"] COMPLETE I WENT FIRST [/color]

[color=\"gold\"]Sold Level 104 RS Account for 20M to [/color][color=\"red\"]ALLDEMFATTIESGOHELL[/color] [color=\"green\"] COMPLETE MM = LITTEFLY1 [/color]

[color=\"gold\"]Sold Mem. Pin To [/color] [color=\"red\"] WAQAS [/color] [color=\"green\"] COMPLETE NO MM [/color]

[color=\"gold\"]Sold Mem. Pin To [/color] [color=\"red\"]JAVINO194[/color] [color=\"green\"] COMPLETE NO MM[/color]

[color=\"gold\"]Sold 50M To [/color] [color=\"red\"]RS TRANSIT[/color] [color=\"green\"] COMPLETE [/color]

[color=\"gold\"]Sold Mem. Pin To [/color] [color=\"red\"]DIGERNES [/color] [color=\"green\"] COMPLETE NO MM [/color]

[color=\"gold\"]Sold Mem. Pin To [/color] [color=\"red\"]USIIF[/color] [color=\"green\"] COMPLETE NO MM [/color]

[color=\"gold\"]Sold Lvl 63 Pure To [/color] [color=\"red\"]EXILESKIMMER[/color] [color=\"green\"] COMPLETE VERY FAST MM = MADHATTER [/color]

[color=\"gold\"]Sold 30M To [/color] [color=\"red\"]LIVESPARTAN[/color] [color=\"green\"] COMPLETE MM = MAGHREB [/color]

[color=\"gold\"]Sold Lvl 107 To [/color] [color=\"red\"]SKATE ORR DIE[/color] [color=\"green\"] COMPLETE MM = JB LEE/JASON[/color]

[color=\"gold\"]Bought Lvl 91 Rune Pure From[/color] [color=\"red\"]T3h P0wner[/color] [color=\"red\"] RECOVERED - Do Not Trade With Him (The Account Name Is X D34D M4N X) [/color]



[color=\"gold\"]RYANS MIDDLEMANS[/color]



[color=\"gold\"]MM' 3.5M And Steam Account[/color] [color=\"blue\"](Ekke-Skeptical)[/color]

[color=\"gold\"]MM' 3M and a lvl 64 Pure [/color][color=\"blue\"](Sean1390-DAMAGE)[/color]

[color=\"gold\"]MM' Member Pin and 900K [/color][color=\"blue\"](Mercer-Javino194)[/color]

[color=\"gold\"]MM' 1.6M And A Member Pin[/color] [color=\"blue\"](Skeptical-Ekke)[/color]

[color=\"gold\"]MM' Mem. Pin[/color] [color=\"blue\"](Ekke-Skeptical)[/color]

[color=\"gold\"]MM' 18M & Level 101[/color] [color=\"blue\"](Skatelife-Tgirl) [/color]

[color=\"gold\"]MM' 1.2M and Mem. Pin[/color] [color=\"blue\"] (Heapswer-TSniper) [/color]

[color=\"gold\"]Transfered 7M and a Mage Book For [/color][color=\"blue\"](I R MEXICAN)[/color]

[color=\"gold\"]MM' 10M & 70USD[/color] [color=\"blue\"](Casanova-Cash_Tyler) [/color]

[color=\"gold\"]MM' Easter Egg & 90USD[/color] [color=\"blue\"](XxAlexxX-Decklin)[/color]

[color=\"gold\"]MM' 3M[/color] [color=\"blue\"](Waqas-Xfer)[/color]

[color=\"gold\"]MM' 14M & Level 100 [/color] [color=\"blue\"](Silent-WBA)[/color]

[color=\"gold\"]MM' 7M & 50 USD[/color] [color=\"blue\"](Casanova-LinPapaz)[/color]

[color=\"gold\"]MM' 22M & 140 USD [/color] [color=\"blue\"] (Casanova-RS Transit)[/color]

[color=\"gold\"]MM' Around 4M [/color] [color=\"blue\"] (F123nzy-Xfer)[/color]

[color=\"gold\"]MM' 2.5M [/color] [color=\"blue\"] (Glower-Warlord Slayer) [/color]

[color=\"gold\"]MM' 50M & Lvl 118 [/color] [color=\"blue\"] (RS transit - Matt) [/color]

[color=\"gold\"]MM' 1M & Lvl 60 [/color] [color=\"blue\"] (Mynameownsall-Sproat) [/color]

[color=\"gold\"]MM' 1M & Account [/color] [color=\"blue\"] (Tsniper-Dannyboy) [/color]

[color=\"gold\"]MM' Mem. Pin & 1M[/color] [color=\"blue\"] (Madhatter-Eddy) [/color]

[color=\"gold\"]MM' Level 110 & 50M[/color] [color=\"blue\"] (SebBoe-Danny) [/color]

[color=\"gold\"]MM' 14M & Lvl 99 Account [/color] [color=\"blue\"] (Heapswer-Matt) [/color]

[color=\"gold\"]MM' 13M & RunePure Account [/color] [color=\"blue\"] (Shot Down-SomeGuy) [/color]

[color=\"gold\"]MM' 2M & $10 [/color] [color=\"blue\"] (J0sh4tran-Right Nad) [/color]

[color=\"gold\"]MM' 8M & $52 [/color] [color=\"blue\"] (J0sh4tran-I0 3) [/color]

[color=\"gold\"]MM' 25M & Level 98 With Amazing Stats [/color] [color=\"blue\"] (I Ho0s S0oH I-Duel King)[/color]

[color=\"gold\"]MM' Level 104 & 17M [/color] [color=\"blue\"] (Basi Homme-WatfordFc94) [/color]

[color=\"gold\"]MM' 5.5M & Lvl 90 [/color] [color=\"blue\"] (II Sift Heads II - X Trainer X) [/color]

[color=\"gold\"]MM 600K & Training Services [/color] [color=\"blue\"] (X Trainer X - Pleasenoscammer) [/color]



[color=\"gold\"] Total Money MM' = 454M ($4120USD) [/color]





[color=\"blue\"] Visit The Most Futuristic BlackMarket To Date! Rune Core JOIN NOW![/color][/u][/size]

Offline Mod Ryan

  • Sr. Member
  • ****
  • Posts: 441
  • Karma: +0/-0
    • View Profile
    • http://runecore.com <--- there still fags.
Trojans, Adware, and HTML exploits.
« Reply #7 on: January 02, 2007, 10:44:23 PM »
Well, if you don't understand Beast and its threats, here they are. I recommend you take this trojan very seriously, and hopefully you will find a deletion method.

Trojan.Backdoor.Beast creates a server on the user's computer that uses a Remote Administrative Tool (RAT) to create a backdoor through a port into the computer. The unauthorized user can then have access to anything on the computer. The unauthorized user can record keystrokes/personal data, start/stop processes, rename files/applications, download/upload any file/malware, and can shut down the computer. This is all done without the user's consent or knowledge. There is no uninstall procedure for the Trojan.Backdoor.Beast program.

Records personal data / keystrokes
Allows remote influence
Downloads unsolicited files
Disables programs / system
Distributes threats
Installs without user consent
Inadequate uninstall procedures
Insufficient privacy disclosure and consent

Have you downloaded and run a .exe file which may have contained this, or do you know of any malware coming through your port?
« Last Edit: January 02, 2007, 11:21:53 PM by guestolo »

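The backdoor described in the post above is a server that opens a port and waits for its controller to connect, so the first thing to check on the box is what is actually listening. The following is an added example, not part of the original thread: it parses `netstat -ano` output for TCP sockets in LISTENING state, joins the PIDs to image names from `tasklist /fo csv /nh`, and reports every listener outside a baseline port set, network-reachable ones first. The two sample outputs, the process name svhost32.exe, the port 6969 and the EXPECTED_PORTS baseline are all constructed for the example; nothing here states Beast's real port or file name.

```python
"""Listening-port baseline check for a RAT-style backdoor on Windows.

Added example, not from the original thread. The netstat/tasklist text
below is constructed; on a real machine run `netstat -ano` and
`tasklist /fo csv /nh` in a command prompt and paste their output in.
"""
import csv
import io
import re
from typing import Dict, List, NamedTuple, Set


class Listener(NamedTuple):
    addr: str
    port: int
    pid: int


class Finding(NamedTuple):
    port: int
    pid: int
    image: str
    remote_reachable: bool  # False when bound only to loopback


# Assumed baseline for a stock Windows XP box: RPC endpoint mapper,
# NetBIOS session service, SMB. Anything else listening deserves a look.
EXPECTED_PORTS: Set[int] = {135, 139, 445}

# Only TCP rows in LISTENING state; ESTABLISHED and UDP rows do not match.
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat(text: str) -> List[Listener]:
    """Extract TCP listeners from `netstat -ano` output."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            addr, port, pid = m.groups()
            found.append(Listener(addr, int(port), int(pid)))
    return found


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def _is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unexpected_listeners(listeners: List[Listener], names: Dict[int, str],
                         expected: Set[int] = EXPECTED_PORTS) -> List[Finding]:
    """Listeners on ports outside the baseline, externally reachable ones first."""
    findings = [
        Finding(l.port, l.pid, names.get(l.pid, "<unknown>"), not _is_loopback(l.addr))
        for l in listeners if l.port not in expected
    ]
    return sorted(findings, key=lambda f: (not f.remote_reachable, f.port))


# Constructed sample output; the port 6969 and svhost32.exe are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1464
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1088       64.233.167.99:80       ESTABLISHED     3156
  UDP    0.0.0.0:500            *:*                                    788
"""
SAMPLE_TASKLIST = '''"System","4","Console","0","236 K"
"svchost.exe","1004","Console","0","4,520 K"
"alg.exe","1464","Console","0","3,412 K"
"svhost32.exe","2316","Console","0","2,880 K"
"firefox.exe","3156","Console","0","41,220 K"
'''

if __name__ == "__main__":
    for f in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT),
                                  parse_tasklist_csv(SAMPLE_TASKLIST)):
        where = "reachable from the network" if f.remote_reachable else "loopback only"
        print(f"port {f.port:<5} pid {f.pid:<5} {f.image:<16} {where}")
```

On the sample, the loopback-only listener is reported last: a socket bound to 127.0.0.1 cannot be reached by a remote controller, whereas one bound to 0.0.0.0 on a port the baseline does not explain is exactly what the post above is describing. A matching image name is not proof of anything either way; the next step is to find the file on disk and check where it runs from.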
Offline hie

  • Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
    • View Profile
Trojans, Adware, and HTML exploits.
« Reply #8 on: January 02, 2007, 11:03:19 PM »
I am kind of confused at the System Restore part. After I click "Create a restore point" and click Next, it tells me to write down a restore point description. Do I just write down any name, or do I have to put down a time or something?
Sorry, but I am just a little confused. Thanks.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Trojans, Adware, and HTML exploits.
« Reply #9 on: January 03, 2007, 12:48:48 AM »
Just type in a name for the restore point
Whatever you want to call it
call it guestolo if you want ;)

The time and date will be added automatically



Offline Mod Ryan

  • Sr. Member
  • ****
  • Posts: 441
  • Karma: +0/-0
    • View Profile
    • http://runecore.com <--- there still fags.
Trojans, Adware, and HTML exploits.
« Reply #10 on: January 03, 2007, 05:48:47 PM »
Guestolo, he has a RAT just like I had.
« Last Edit: January 04, 2007, 01:19:40 PM by guestolo »

Offline hie

  • Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
    • View Profile
Trojans, Adware, and HTML exploits.
« Reply #11 on: January 04, 2007, 08:24:51 PM »
OK, I did everything like you asked without a problem, but I have one question. Does the SpywareBlaster thing you had me download a while ago stay in your toolbar? Because when I ran it and closed it, it doesn't appear on my toolbar or anything.
   I also scanned my computer with the Avast scanner and it showed 9 viruses, and they were all deleted. I don't know how to save the scan log from Avast, but I can show you the types of viruses from my Log Viewer.

 The viruses were:
 Win32:NcaseSpy [Trj] (5 of them were found)
 Win32:Trojan-gen. {Other} (1 of them was found)
 Win32:Trojan-gen. {UPX!} (2 of them were found)
 Win32:Crypt-CC [Trj] (1 of them was found)
 Win32:Beastdoor-BL [Trj] (1 of them was found)

   I don't know how to copy and paste the Log Viewer from Avast, so I can't give you the traces or where they're coming from, since the directories are very long and I can't figure out how to copy and paste it. Any suggestions?

Thanks again for you help.
« Last Edit: January 04, 2007, 08:25:57 PM by hie »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Trojans, Adware, and HTML exploits.
« Reply #12 on: January 04, 2007, 10:51:15 PM »
Try this
RIGHT CLICK the Avast icon by the clock
Select "Avast Log Viewer"
Select the "Warning" icon
Choose FILE>>Export current list

Save this list somewhere you can remember, such as the desktop
Give it a name, such as hie.txt

Come back here and copy>>paste the contents of hie.txt to a reply



Offline hie

  • Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
Trojans, Adware, and HTML exploits.
« Reply #13 on: January 04, 2007, 10:57:50 PM »
Ok, thanks. Here it is:

1/3/2007 8:57:08 PM   john   4064   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\SYSTEM32\usb496.dat" file.  
1/3/2007 8:55:55 PM   john   4064   Sign of "Win32:Crypt-CC [Trj]" has been found in "C:\WINDOWS\SYSTEM32\nsnA8.dll\[UPX]" file.  
1/3/2007 6:51:58 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4D0.tmp" file.  
1/3/2007 6:51:58 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4D1.tmp" file.  
1/3/2007 6:51:58 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4D2.tmp" file.  
1/3/2007 6:51:58 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4D3.tmp" file.  
1/3/2007 6:51:52 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4CF.tmp" file.  
1/3/2007 6:45:56 PM   john   4064   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\Documents and Settings\john.GENARDONE\Shared\Adobe InDesign CS crack.zip\Adobe InDesign CS crack.msi\Cabs.w1.cab\Win32k.exe" file.  
1/3/2007 6:20:26 PM   john   4064   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\Documents and Settings\john.GENARDONE\Shared\Adobe InDesign CS crack\Adobe InDesign CS crack.msi\Cabs.w1.cab\Win32k.exe" file.  
1/2/2007 8:33:43 AM   SYSTEM   1456   An error has occured while attempting to update. Please check the logs.  
1/2/2007 8:33:42 AM   SYSTEM   1456   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.  
1/2/2007 4:19:26 AM   SYSTEM   1456   An error has occured while attempting to update. Please check the logs.  
1/2/2007 4:19:25 AM   SYSTEM   1456   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.  
1/1/2007 10:17:09 PM   SYSTEM   1144   Sign of "Win32:Beastdoor-BL [Trj]" has been found in "http://www.geocities.com/protonigg3r/ie6-exedrop-asp-POC.zip\me-beast.exe" file.  
12/28/2006 5:57:49 PM   SYSTEM   1144   An error has occured while attempting to update. Please check the logs.  
12/28/2006 5:57:46 PM   SYSTEM   1144   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.  
12/28/2006 11:17:57 AM   SYSTEM   1144   An error has occured while attempting to update. Please check the logs.  
12/28/2006 11:17:56 AM   SYSTEM   1144   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Trojans, Adware, and HTML exploits.
« Reply #14 on: January 05, 2007, 12:29:17 AM »
I take it that all those files from that log were moved to the Chest?

Also, are you having any problems updating Avast?
Can you right-click the Avast icon and select Update?

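The triage guestolo does by eye on that export (which detections, where the files sat, and whether updates were failing), as an added Python example that is not from the thread or from Avast; the sample rows are constructed in the export's column layout, and the location labels are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the column layout of the Avast 4 Log Viewer "Warning"
# export posted above (paths taken from the thread; the rest is illustrative).
SAMPLE_LOG = r"""1/3/2007 8:57:08 PM   john   4064   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\SYSTEM32\usb496.dat" file.
1/3/2007 6:51:58 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4D0.tmp" file.
1/3/2007 6:51:52 PM   john   4064   Sign of "Win32:NcaseSpy [Trj]" has been found in "C:\Documents and Settings\michael\Local Settings\Temp\Del4CF.tmp" file.
1/2/2007 8:33:43 AM   SYSTEM   1456   An error has occured while attempting to update. Please check the logs.
1/2/2007 8:33:42 AM   SYSTEM   1456   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
"""

# One export row: timestamp, user, pid, message, separated by runs of spaces.
ROW_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s{2,}'
    r'(?P<user>\S+)\s{2,}(?P<pid>\d+)\s{2,}(?P<msg>.*?)\s*$'
)
DETECT_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
UPDATE_FAIL_RE = re.compile(r'attempting to update|setifaceUpdatePackages\(\) has failed')

# Where a detected file sat says how it got there and how much it matters
# (labels are my own; checked in order, first match wins).
LOCATION_RULES = (
    ('restore point', r'\\system volume information\\_restore'),
    ('browser cache', r'\\(?:cache|temporary internet files)\\'),
    ('temp', r'\\temp\\'),
    ('system dir', r'^[a-z]:\\windows\\'),
)


def classify_location(path):
    low = path.lower()
    for label, pattern in LOCATION_RULES:
        if re.search(pattern, low):
            return label
    return 'user/other'


def parse_avast_export(text):
    """Turn export rows into event dicts; rows that do not fit the layout are skipped."""
    events = []
    for row in text.splitlines():
        m = ROW_RE.match(row)
        if not m:
            continue
        event = {
            'time': datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p'),
            'user': m['user'],
            'pid': int(m['pid']),
            'kind': 'other',
            'msg': m['msg'],
        }
        hit = DETECT_RE.search(m['msg'])
        if hit:
            event.update(kind='detection', signature=hit['sig'],
                         path=hit['path'], location=classify_location(hit['path']))
        elif UPDATE_FAIL_RE.search(m['msg']):
            event['kind'] = 'update_failure'
        events.append(event)
    return events


def triage(text):
    """Summarise detections by signature and location, and surface update failures."""
    events = parse_avast_export(text)
    detections = [e for e in events if e['kind'] == 'detection']
    failures = sorted(e['time'] for e in events if e['kind'] == 'update_failure')
    return {
        'detections': detections,
        'by_signature': Counter(e['signature'] for e in detections),
        'by_location': Counter(e['location'] for e in detections),
        'update_failures': len(failures),
        'last_update_failure': failures[-1] if failures else None,
    }


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    for sig, n in summary['by_signature'].most_common():
        print(f'{n:3d}  {sig}')
    for loc, n in summary['by_location'].most_common():
        print(f'{n:3d}  in {loc}')
    print('update failures:', summary['update_failures'],
          'last at', summary['last_update_failure'])
```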


Offline hie

  • Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
Trojans, Adware, and HTML exploits.
« Reply #15 on: January 05, 2007, 12:43:58 AM »
I am not sure if the viruses are in the Chest, but I did tell it to delete all of them when I was scanning, and my Avast is already up to date (I check for updates every week or so).

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Trojans, Adware, and HTML exploits.
« Reply #16 on: January 05, 2007, 12:49:48 AM »
Good work. Can I just do one final checkup?
I take it that ZoneAlarm is functioning properly?

I just want to check on other files that may be leftover
Download this file - Combofix.exe - and save it to the desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Post the log from Combofix

One Note:
I see this entry in your hijackthis log
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
Although legit, did you uninstall it, and it's a leftover?
I don't see it in your running processes
« Last Edit: January 05, 2007, 12:57:09 AM by guestolo »

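The check behind "I don't see it in your running processes" (a Run entry whose program is not in the HijackThis process list), together with the "(file missing)" entries, as an added Python example that is not from the thread or from HijackThis; the log excerpt is constructed from lines in the thread plus the ProxyWay entry, and the status labels are my own.

```python
import re

# Constructed excerpt in HijackThis 1.99.1 log format: lines taken from the
# thread's log plus the ProxyWay entry guestolo asked about in Reply #16.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:01:34 PM, on 1/5/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First drive-letter path ending in a program extension. HJT does not quote
# paths with spaces, so a plain split on whitespace would cut "Program Files";
# the lookahead stops ".com" inside "mcafee.com\agent" from ending the match.
IMAGE_RE = re.compile(r'(?i)([a-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cpl))(?=[\s",]|$)')
ENTRY_RE = re.compile(r'^[RFO]\d+ - ')


def parse_hjt(text):
    """Return (running process paths, R/F/O entry lines) from an HJT log."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith('Running processes:'):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False            # blank line closes the section
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def basename(path):
    """Last path component, lower-cased, so 8.3 short names in the directory part do not matter."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def image_of(cmd):
    """Program image a Run command launches (falls back to the first token)."""
    m = IMAGE_RE.search(cmd)
    return m.group(1) if m else cmd.strip().strip('"').split()[0]


def cross_check(text):
    """Compare each autorun entry with the process list, the way a helper reads an HJT log by eye."""
    processes, entries = parse_hjt(text)
    running = {basename(p) for p in processes}
    findings = []
    for entry in entries:
        if '(file missing)' in entry:
            findings.append({'name': entry, 'image': None, 'status': 'missing'})
            continue
        m = O4_RE.match(entry)
        if not m:
            continue                    # Global Startup and non-O4 lines are not checked here
        image = image_of(m['cmd'])
        if m['cmd'].lstrip('"').lower().startswith('rundll32'):
            status = 'unverifiable'     # rundll32 hosts usually exit after the call
        elif basename(image) in running:
            status = 'running'
        else:
            status = 'not_running'      # candidate leftover: confirm whether the file still exists
        findings.append({'name': m['name'], 'image': image, 'status': status})
    return findings


if __name__ == '__main__':
    for f in cross_check(SAMPLE_HJT):
        print(f"{f['status']:13s} {f['name']}")
```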


Offline hie

  • Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
Trojans, Adware, and HTML exploits.
« Reply #17 on: January 05, 2007, 02:33:32 PM »
Here's my ComboFix, and I uninstalled ProxyWay and its dir (I think); those must be just leftovers or something.

Combo fix:

john - 07-01-04 22:29:00.34    Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\john.GENARDONE\Desktop"

(((((((((((((((((((((((((((((((   Files Created from 2006-12-04 to 2007-01-04  ))))))))))))))))))))))))))))))))))
 
 
2007-01-02   19:46   <DIR>   d--------   C:\Program Files\SpywareBlaster
2006-12-28   18:16   <DIR>   d--------   C:\Program Files\QuickPar
2006-12-27   23:48   90,112   --a------   C:\WINDOWS\SYSTEM32\AVASTSS.scr
2006-12-27   23:48   87,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2006-12-27   23:48   85,952   --a--c---   C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2006-12-27   23:48   666,240   --a------   C:\WINDOWS\SYSTEM32\aswBoot.exe
2006-12-27   23:48   36,176   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2006-12-27   23:48   24,560   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2006-12-27   23:48   16,352   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2006-12-27   23:47   <DIR>   d--------   C:\Program Files\Alwil Software
2006-12-27   23:41   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2006-12-17   10:31   3,968   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-17   10:30   <DIR>   d--------   C:\Program Files\Grisoft
2006-12-11   18:02   <DIR>   d--------   C:\Program Files\Common Files\Java


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-04 21:39   --------   d--------   C:\Program Files\Mozilla Firefox
2007-01-03 21:51   --------   d--------   C:\Documents and Settings\john.GENARDONE\Application Data\Free Download Manager
2006-12-28 18:56   --------   d--------   C:\Program Files\Triggersoft
2006-12-27 23:38   --------   d--------   C:\Program Files\McAfee.com
2006-12-22 15:47   --------   d--------   C:\Program Files\AOL
2006-12-22 15:46   --------   d--------   C:\Documents and Settings\john.GENARDONE\Application Data\Mozilla
2006-12-20 15:46   --------   d--------   C:\Program Files\America Online 9.0a
2006-12-17 19:52   --------   d--------   C:\Program Files\Common Files\AOL
2006-12-17 12:55   --------   d--------   C:\Program Files\Common Files\Companion Wizard
2006-12-15 19:06   --------   d--------   C:\Program Files\Internet Explorer
2006-12-15 19:03   --------   d--------   C:\Program Files\Outlook Express
2006-12-15 19:03   --------   d--------   C:\Program Files\Common Files\System
2006-12-11 18:02   --------   d-a------   C:\Program Files\Common Files
2006-12-11 18:02   --------   d--------   C:\Program Files\Java
2006-12-11 17:52   --------   d--------   C:\Program Files\ewido anti-malware
2006-12-11 17:48   --------   d--------   C:\Program Files\Viewpoint
2006-12-06 22:40   2362184   --a------   C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-12-02 22:31   --------   d--------   C:\Program Files\Opera
2006-11-25 20:27   65536   --a--c---   C:\WINDOWS\IFinst27.exe
2006-11-25 19:02   --------   d--------   C:\Documents and Settings\john.GENARDONE\Application Data\Opera
2006-11-25 15:57   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-11-24 14:17   --------   d--------   C:\Program Files\WinRAR
2006-11-24 13:32   --------   d--------   C:\Documents and Settings\john.GENARDONE\Application Data\Yahoo!
2006-11-16 08:44   33592   --a--c---   C:\WINDOWS\SYSTEM32\DRIVERS\atwpkt264.sys
2006-11-16 08:44   25136   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\atwpkt2.sys
2006-11-16 08:44   103984   --a------   C:\WINDOWS\SYSTEM32\AOLDial.dll
2006-11-07 21:06   679424   --a--c---   C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-04 14:14   1245696   --a--c---   C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-19 05:56   713216   --a------   C:\WINDOWS\SYSTEM32\sxs.dll
2006-10-18 06:09   230454   --a--c---   C:\Documents and Settings\john.GENARDONE\Application Data\2.bmp
2006-10-18 06:09   230454   --a--c---   C:\Documents and Settings\john.GENARDONE\Application Data\1.bmp
2006-10-13 04:35   142336   --a--c---   C:\WINDOWS\SYSTEM32\nwprovau.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Aim6"=""
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"Nero PhotoShow Media Manager"="C:\\PROGRA~1\\Nero\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"
"ProxyWay"="C:\\Program Files\\ProxyWay\\proxyway.exe"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\Email RemovedEXE\" -b"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1128897297\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcupdate.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortEmail Removedexe\" -Run"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iPodManager"="C:\\Program Files\\iPod\\bin\\iPodManager.exe"
"LaunchList"="C:\\Program Files\\Pinnacle\\Studio 8\\LaunchList.exe"
"WinSSHD Activation State Checker"="\"C:\\Program Files\\Bitvise WinSSHD\\WinsshdActStateCheck.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000090

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (GENARDONE-dim).job
C:\WINDOWS\tasks\McAfee.com Update Check (GENARDONE-fabienne).job
C:\WINDOWS\tasks\McAfee.com Update Check (GENARDONE-john).job
C:\WINDOWS\tasks\McAfee.com Update Check (GENARDONE-michael).job
C:\WINDOWS\tasks\McAfee.com Update Check (GENARDONE-pierrick).job

Completion time: 07-01-04 22:35:03.82
C:\ComboFix.txt ... 07-01-04 22:35
C:\ComboFix2.txt ... 06-12-09 21:06

Also, I don't think you answered this, but when I first ran SpywareBlaster and installed it, is it supposed to run and appear on your toolbar? Because when I closed the SpywareBlaster window, it doesn't appear on my toolbar screen.
Thanks again for your help. :-D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Trojans, Adware, and HTML exploits.
« Reply #18 on: January 05, 2007, 03:49:21 PM »
Quote
Also, I don't think you answered this, but when I first ran SpywareBlaster and installed it, is it supposed to run and appear on your toolbar? Because when I closed the SpywareBlaster window, it doesn't appear on my toolbar screen.
Actually, if you take a look at the first link I posted to the download location of SpywareBlaster
Here is a quote
 
Quote
And unlike other programs, SpywareBlaster does not have to remain running in the background.

So the answer is NO, it doesn't run in the toolbar.
Be sure you check for updates and then click the Enable All Protections
+ In the SpywareBlaster program itself, if you click the ? mark
That will open the Help file, much info inside if needed

You can go ahead and delete Combofix.exe
Also delete the next files

C:\ComboFix.txt
C:\ComboFix2.txt

and folder
C:\sUBs if found

You can delete ATF-Cleaner.exe or hang onto it to help assist in removal of temp files, cookies, etc...

Do a "System scan only" with Hijackthis and put a check next to this entry
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer
Come back here and post one last hijackthis log

By the way, I asked you this earlier, I don't think you gave me a reply
Quote
I noticed you used to have McAfee's.
I still see entries in your log related to it, did you totally uninstall it?



Offline hie

  • Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
Trojans, Adware, and HTML exploits.
« Reply #19 on: January 05, 2007, 05:03:11 PM »
Ok, I deleted both of the Combofix.exe and I couldn't find the C:/sUBS folder; anyway, here's my HJT.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 2:01:34 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1128897297\ee\AOLSoftware.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
c:\program files\common files\aol\1128897297\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1128897297\ee\aolsoftware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\john.GENARDONE\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128897297\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [WinSSHD Activation State Checker] "C:\Program Files\Bitvise WinSSHD\WinsshdActStateCheck.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?cdebd562e107428da4af1da7a63b04a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?cdebd562e107428da4af1da7a63b04a
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128896977350
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinSSHD - Bitvise - C:\Program Files\Bitvise WinSSHD\WinSSHD.exe

And I only uninstalled McAfee's virus scan program, but I kept the firewall and set it to 'disable' just in case.
« Last Edit: January 05, 2007, 05:03:48 PM by hie »