Logfile of HijackThis v1.99.1
Scan saved at 10:21:54, on 13/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 txiframe.biz
O1 - Hosts: 127.0.0.3 www.txiframe.biz
O1 - Hosts: 127.0.0.3 procounter.biz
O1 - Hosts: 127.0.0.3 www.procounter.biz
O1 - Hosts: 127.0.0.3 advadmin.biz
O1 - Hosts: 127.0.0.3 www.advadmin.biz
O1 - Hosts: 127.0.0.3 trafficbest.net
O1 - Hosts: 127.0.0.3 www.trafficbest.net
O1 - Hosts: 127.0.0.3 besthvac.com
O1 - Hosts: 127.0.0.3 www.besthvac.com
O1 - Hosts: 127.0.0.3 traff4.com
O1 - Hosts: 127.0.0.3 www.traff4.com
O1 - Hosts: 127.0.0.3 ambush-script.com
O1 - Hosts: 127.0.0.3 www.ambush-script.com127.0.0.1 www.trendmicro.com
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133805252280
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133805237202
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 13, 2006 10:19:23
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/01/2006
Kaspersky Anti-Virus database records: 160474
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
Q:\
R:\
Scan Statistics:
Total number of scanned objects: 61903
Number of viruses found: 8
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 2759 sec
Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks(2)\Norton AntiVirus\Quarantine\33A143CB.tmp Infected: Trojan-Clicker.Win32.Spywad.h
C:\Program Files\Norton SystemWorks(2)\Norton AntiVirus\Quarantine\33A56DC7.tmp Infected: Trojan-Clicker.Win32.Spywad.h
C:\Program Files\Norton SystemWorks(2)\Norton AntiVirus\Quarantine\33A817C4.txt Infected: Net-Worm.Win32.Small.e
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP119\A0066312.old:ebmmi:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078525.exe Infected: Trojan-Downloader.Win32.Zlob.eq
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078527.exe Infected: Trojan-Downloader.Win32.Zlob.ep
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079671.exe Infected: Trojan-Downloader.Win32.Zlob.eq
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079672.exe Infected: Trojan-Downloader.Win32.Zlob.ep
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079687.exe Infected: Trojan-Downloader.Win32.Zlob.en
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP67\A0017303.exe Infected: Trojan-Dropper.Win32.Agent.py
C:\WINDOWS\system32\drivers\etc\hosts.20050912-012748.backup Infected: Trojan.Win32.Qhost.k
C:\WINDOWS\system32\drivers\etc\hosts.20050912-012754.backup Infected: Trojan.Win32.Qhost.k
C:\WINDOWS\system32\drivers\etc\hosts.20051227-021413.backup Infected: Trojan.Win32.Qhost.k
Scan process completed.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 09:09:52, 13/01/2006
+ Report-Checksum: 53B7DB65
+ Scan result:
C:\!KillBox\mssearchnet.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\Documents and Settings\Gray\Cookies\gray@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Gray\Cookies\gray@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Gray\Local Settings\Temporary Internet Files\Content.IE5\SH6BGXYJ\gdnFR2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\ms32.tmp -> Downloader.WinShow.be : Cleaned with backup
C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2FFXTBR.JAR -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2NTSTBR.JAR -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\PARTNER.DAT -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\00DA6DD8 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\00DA71C0 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\search -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\prevcfg.htm -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\RXToolBar -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache(2) -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache(2)\UALEXAby15fd_bay15_hotmail_msn_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\CacheCatolog.rx -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\additional.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\additional_active.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\background.jpg -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\blue_hr_horz.GIF -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\gray_hr_horz.GIF -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack_active.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack_click.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML\content.htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML\main.htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\sfcont.bin -> Spyware.RXToolbar : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078456.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078457.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078460.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078524.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0078622.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0078637.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079663.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079665.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079668.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079669.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP85\A0029948.EXE -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> Downloader.WebP2PInstaller : Cleaned with backup
::Report End
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 13/01/2006
The current time is: 3:46:45.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
SpywareStrike
P.S.Guard
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
Online Security Center.url
Install.dat
~~~ Favorites ~~~
Antivirus Test Online.url
~~~ system32 folder ~~~
wiatwain.dll
_plastilin_
perflibs__
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
logfiles
~~~ Icons in System32 ~~~
ts.ico
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 772 'explorer.exe'
Killing PID 772 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
SpywareStrike
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
Here are the results of all the scans that you requested. The virus scan has confirmed my suspicion that I had been infected. Some information on how to fix all the problems would be appreciated.
Thanks.