TrojanDownloader: Win32/Delf.fn

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
This is my first post here so hopefully I'm providing you with enough information.

I'm getting messages popping up from my toolbar telling me my computer is infected with spyware. On top of that, every 10 seconds or so a message pops up telling me that Windows Explorer has encountered a problem and needs to close and asks me if I want to send details to Microsoft. I keep hitting don't send and the screen will refresh. I looked at the error report that would be sent to Microsoft and it mentioned something about TrojanDownloader: Win32/Delf.fn.

I'm using windows XP, and below are the results of the hijackthis scan. Thank you in advance.

========================================================
Logfile of HijackThis v1.99.1
Scan saved at 1:01:05 PM, on 5/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\intel32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andrew Jennings\Desktop\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://telstra.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp351D.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll (file missing)
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Documents and Settings\Kathryn Jennings\My Documents\Autolaunch.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20033170
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: style2 - C:\WINDOWS\q371173_disk.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
Joined
Jul 26, 2002
Messages
46,349
Hi andy1983

Welcome to TSG! :)

* Go to Add/Remove programs and uninstall MyWebSearch and Viewpoint Manager.


* Click here to download smitRem.zip.
  • Save the file to your desktop.
  • Unzip smitRem.zip to extract the two files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp351D.tmp

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll (file missing)

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (file missing)

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...b?rand=20033170

O20 - Winlogon Notify: style2 - C:\WINDOWS\q371173_disk.dll




* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\intel32.exe

C:\WINDOWS\q371173_disk.dll

C:\WINDOWS\System\WINSTART001.EXE


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.



* Run Ewido:
  • Click on scanner
  • Put a check by the following before you scan:
    • Binder
    • Crypter
    • Archives
  • Click the Start Scan button to start the scan.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HijackThis log along with the results from ActiveScan and the ewido scan.
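
An added example, not part of this thread, of HijackThis or of the helper's tools: a small Python parser that turns the log lines the helper marked for "Fix checked" into the registry key and the file each one loads from, so it is visible what "Fix checked" actually edits and which of the targets a Killbox step still has to delete. The sample lines are copied from the log posted above. The section-to-registry mapping (O4 = the Run keys, F2 = Winlogon\Shell, F3 = the win.ini "load" value, O2 = Browser Helper Objects\{CLSID}, O3 = the Internet Explorer Toolbar key, O16 = Code Store Database\Distribution Units\{CLSID}, O20 = Winlogon\Notify\<name>) is standard HijackThis semantics that the thread itself does not spell out; the function and field names are this example's own. One caveat it keeps visible: the log only records the 8.3 short name WINSTA~1.EXE, so the parser reports that name as logged rather than guessing the long file name behind it.

```python
"""Map HijackThis log lines to the registry key / file each one loads from.

Added example for this thread, not part of HijackThis. The section-to-registry
mapping is standard HijackThis semantics; the sample lines come from the log above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries the helper told the poster to "Fix checked".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp351D.tmp
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\q371173_disk.dll
"""

# Registry homes of the sections handled below (standard HijackThis semantics,
# not stated anywhere in the thread).
_RUN = {"HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}
_WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
_WINDOWS_LOAD = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
_BHO = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
_TOOLBAR = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
_DPF = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"

_LINE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|tmp|cab)\b", re.I)
_URL = re.compile(r"https?://\S+")


@dataclass
class HjtEntry:
    section: str                 # R1, F2, O4, ...
    raw: str                     # the log line as posted
    registry_key: str            # where the entry persists
    value_name: Optional[str]    # value under that key, if the line names one
    target: Optional[str]        # file or URL the entry loads
    file_missing: bool           # HijackThis could not find the target on disk


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Map one HijackThis line to the registry key and target it describes."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    key, name, target = "(not mapped in this example)", None, None
    clsid = _CLSID.search(body)
    if section in ("R0", "R1"):
        # HKCU\...\Main,Default_Search_URL = http://...  -> key, value name, data
        reg, _, target = body.partition(" = ")
        key, _, name = reg.partition(",")
    elif section in ("F2", "F3"):
        # system.ini Shell= lives under Winlogon; win.ini load= under ...\Windows
        name, _, target = body.partition(": ")[2].partition("=")
        key = _WINLOGON if section == "F2" else _WINDOWS_LOAD
    elif section == "O2" and clsid:
        key = _BHO + "\\" + clsid.group(0)
    elif section == "O3" and clsid:
        key, name = _TOOLBAR, clsid.group(0)
    elif section == "O4":
        nm = re.search(r"\[([^\]]+)\]", body)       # [value name] before the command
        key = _RUN.get(body[:4], body[:4])
        name = nm.group(1) if nm else None
    elif section == "O16" and clsid:
        key = _DPF + "\\" + clsid.group(0)
    elif section == "O20":
        notify = body.partition(": ")[2].partition(" - ")[0]
        key, name = _WINLOGON + "\\Notify\\" + notify, "DllName"
    if target is None:
        hit = _PATH.search(body) or _URL.search(body)
        target = hit.group(0) if hit else None
    return HjtEntry(section, line.strip(), key, name, target, "(file missing)" in body)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]


def files_to_remove(entries: List[HjtEntry]) -> List[str]:
    """Local paths a Killbox-style step would delete: targets on disk that
    HijackThis did not already report as missing. The 8.3 name WINSTA~1.EXE
    is kept as logged; the long name cannot be derived from it."""
    return sorted({e.target for e in entries
                   if e.target and not e.file_missing and re.match(r"[A-Za-z]:\\", e.target)})


def mismatched_run_names(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Run values whose name does not match the executable they launch,
    e.g. [RegSvr32] starting msmsgs.exe: a common sign of a planted entry."""
    out = []
    for e in entries:
        if e.section != "O4" or not e.value_name or not e.target:
            continue
        base = e.target.rsplit("\\", 1)[-1].lower()
        if e.value_name.lower() not in (base, base.rsplit(".", 1)[0]):
            out.append(e)
    return out


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:<4}{e.registry_key}  [{e.value_name}] -> {e.target}")
    print("delete:", files_to_remove(found))
    print("suspicious names:", [e.raw for e in mismatched_run_names(found)])
```

Run as a script it prints the key and target for each line, then the five on-disk files that still exist (the "(file missing)" S4BAR.DLL is left out), and flags the [RegSvr32] Run value because its name and the msmsgs.exe it starts disagree.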
 

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
I've done all of that and it appears to have worked. Problems I had during the process included:
  • I couldn't uninstall MyWebSearch. When trying to uninstall it I would get the message "Error loading c:\.... The specified module could not be found"
  • After running the RunThis.bat file the computer went blank and I had no icons on the screen so I had to restart the computer.
  • When using Killbox I received the message that the q371173_disk.dll file could not be deleted and the WINSTART001.EXE file could not be found.
  • And after running the ActiveScan it asked to restart my computer so I couldn't obtain any output to attach to this post.

That said, the problem of having the error message pop up every 10 seconds has stopped, but I still have an icon (red circle with a white exclamation mark inside) in the bottom right corner of the screen (next to the time) which says my computer is infected.

Thank you in advance.
====================================
Hijack this output:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:33 PM, on 5/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\intel32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\OPLIMIT\ocrawr32.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andrew Jennings\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://telstra.com
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll (file missing)
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Documents and Settings\Kathryn Jennings\My Documents\Autolaunch.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: style2 - C:\WINDOWS\q371173_disk.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
 

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
Ewido output:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:37:23 PM, 5/07/2005
+ Report-Checksum: 1DB3DD08

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1801674531-764733703-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\GAIN -> Spyware.Gator : Cleaned with backup
C:\WINDOWS\system32\crtv2_32.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL3.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL4.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL5.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL6.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL7.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL8.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system\Sleep.exe -> Trojan.VB.el : Cleaned with backup
C:\WINDOWS\system\appdl.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\q371173_disk.dll -> TrojanDownloader.Delf.pa : Cleaned with backup
C:\Documents and Settings\Andrew Jennings\Desktop\backups\backup-20050705-143812-189.dll -> Trojan.Puper.m : Cleaned with backup
C:\Documents and Settings\Andrew Jennings\Cookies\andrew [email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Andrew Jennings\Cookies\andrew [email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Andrew Jennings\Application Data\Mozilla\Profiles\default\cb3n7kig.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Andrew Jennings\Application Data\Mozilla\Profiles\default\cb3n7kig.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Andrew Jennings\Application Data\Mozilla\Profiles\default\cb3n7kig.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Andrew Jennings\Application Data\Mozilla\Profiles\default\cb3n7kig.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Kathryn Jennings\Local Settings\Temporary Internet Files\Content.IE5\UJMN2FUB\SmileyCentralInitialSetup1.0.0.8[1].cab/f3Setup1.exe -> TrojanDropper.FunWeb.a : Cleaned with backup
C:\Documents and Settings\Kathryn Jennings\Local Settings\Temporary Internet Files\Content.IE5\8PABW92N\exitpop[1].html -> Trojan.NoClose.i : Cleaned with backup
C:\Documents and Settings\Kathryn Jennings\Cookies\kathryn [email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Kathryn Jennings\Cookies\kathryn [email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Kathryn Jennings\Cookies\kathryn [email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE -> Spyware.Wesbar : Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE -> Spyware.Wesbar : Cleaned with backup
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP474\A0080103.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP475\A0080125.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP475\A0080144.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP476\A0080188.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP478\A0080206.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP478\A0080225.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP479\A0080249.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP479\A0080266.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP479\A0080279.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP480\A0080329.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP480\A0080344.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP480\A0080363.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP481\A0080387.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP481\A0080411.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP481\A0080435.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP482\A0080467.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP482\A0080481.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP483\A0080499.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP483\A0080539.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP485\A0080583.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080619.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080642.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080669.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080704.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080741.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080770.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080786.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP486\A0080811.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP488\A0080852.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP489\A0080873.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP489\A0080894.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP489\A0080914.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP490\A0080951.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP490\A0080968.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP491\A0080990.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP491\A0081014.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP492\A0081039.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP492\A0081054.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP492\A0081076.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP492\A0081093.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP493\A0081134.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP493\A0081149.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP493\A0081178.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP494\A0081203.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP495\A0081245.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP496\A0081261.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP473\A0080066.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP473\A0080081.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP497\A0081280.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP497\A0081291.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP497\A0081316.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP497\A0081337.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP497\A0081348.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP498\A0081366.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP499\A0081403.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP499\A0081417.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP499\A0081429.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP499\A0081448.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083628.dll -> Adware.BrilliantDigital : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0081467.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0081491.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0081503.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0081516.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0081538.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0081555.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0082555.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0082576.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0082588.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083590.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083596.DLL -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083597.dll -> Spyware.eUniverse : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083599.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083602.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083604.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083611.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083612.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083615.exe -> TrojanDownloader.Keenval.e : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083625.exe -> TrojanDownloader.Keenval.f : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP500\A0083626.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083636.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083644.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083650.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083651.exe -> TrojanDownloader.Keenal : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083653.exe -> TrojanDownloader.Keenal : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083654.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083655.exe -> TrojanDownloader.Keenal : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083656.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083659.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083660.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083661.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083663.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083669.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083670.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083671.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083672.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083674.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083675.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083676.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083677.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083681.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083682.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083683.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083689.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083855.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083856.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083865.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083866.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0083867.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084864.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084865.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084866.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084871.dll -> TrojanDownloader.Small.hr : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084872.dll -> TrojanDownloader.Small.hr : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084875.DLL -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084878.EXE -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084890.dll -> Spyware.Cydoor : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084896.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084897.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0085897.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0085898.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0085904.exe -> Not-A-Virus.Pornware.Downloader.Tibsystems.a : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0085912.exe -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0085913.exe -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0086897.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0086898.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0086917.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0086918.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0087916.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0087917.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0087934.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0087935.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0088934.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0088935.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089007.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089011.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089012.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089014.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089029.exe -> Trojan.Agent.ff : Cleaned with backup
C:\!Submit\intel32.exe -> Trojan.Agent.ff : Cleaned with backup
C:\!Submit\q371173_disk.dll -> TrojanDownloader.Delf.pa : Cleaned with backup


::Report End
 
Joined
Jul 26, 2002
Messages
46,349
* I am attaching a smitRembeta.zip file to this post.
  • Download it and save it to your desktop.
  • Unzip smitRembeta.zip to extract the four files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


  • Launch ewido and update it again.
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\intel32.exe

C:\WINDOWS\q371173_disk.dll


If Killbox tells you that the files do not exist, exit the killbox and continue on.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS

O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)

O20 - Winlogon Notify: style2 - C:\WINDOWS\q371173_disk.dll (file missing)



* Open the smitRembeta folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Delete this folder:

C:\Program files\MyWebSearch


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan
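The helper's post above cross-checks the HijackThis entries against what the scanner reported (intel32.exe and q371173_disk.dll both appear in the ewido log) and singles out orphaned "(file missing)" entries and the O20 Winlogon Notify hook. As an added example, not code from this thread or from HijackThis or ewido, here is a small Python triage script that applies those same rules to lines copied from the logs posted here; the rule ordering and the match on file basename are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O20 - Winlogon Notify: style2 - C:\WINDOWS\q371173_disk.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Constructed sample: two result lines in the ewido report format seen in this thread.
SAMPLE_EWIDO = r"""
C:\!Submit\intel32.exe -> Trojan.Agent.ff : Cleaned with backup
C:\!Submit\q371173_disk.dll -> TrojanDownloader.Delf.pa : Cleaned with backup
"""


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O4" or "O20"
    body: str             # text after the "O4 - " prefix
    path: Optional[str]   # first Windows file path in the line, if any
    file_missing: bool    # HijackThis appended "(file missing)"


@dataclass
class Finding:
    entry: Entry
    severity: str         # "high", "medium" or "info"
    reason: str


HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter path ending in an executable/library extension; spaces are
# allowed because "Program Files" style paths are unquoted in the log.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|scr|sys|bat)\b", re.I)
EWIDO_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<status>.+)$")


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R/F/O lines of a HijackThis log; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # blank lines, headers, the "Running processes:" block
        pm = WIN_PATH.search(m.group("body"))
        entries.append(Entry(m.group("sec"), m.group("body"),
                             pm.group(0) if pm else None,
                             "(file missing)" in line))
    return entries


def parse_ewido(text: str) -> Dict[str, str]:
    # Map lower-cased file name -> detection name. Only the basename is kept
    # (assumption): the scanner saw the file under C:\!Submit, a copy the user
    # uploaded, while the Run key points at the original in System32.
    hits: Dict[str, str] = {}
    for raw in text.splitlines():
        m = EWIDO_LINE.match(raw.strip())
        if m:
            basename = m.group("path").rsplit("\\", 1)[-1].lower()
            hits[basename] = m.group("name")
    return hits


def triage(entries: List[Entry], detections: Dict[str, str]) -> List[Finding]:
    """Apply the helper's rules in order of strength of evidence."""
    findings: List[Finding] = []
    for e in entries:
        basename = e.path.rsplit("\\", 1)[-1].lower() if e.path else None
        if basename and basename in detections:
            findings.append(Finding(e, "high",
                f"file was detected by the scanner as {detections[basename]}"))
        elif e.section == "O20":
            # Winlogon Notify DLLs load inside winlogon.exe at logon; a bare
            # name like "style2" with no vendor is not something Windows adds.
            findings.append(Finding(e, "high",
                "Winlogon Notify hook pointing at an unrecognised DLL"))
        elif e.file_missing:
            findings.append(Finding(e, "medium",
                "orphaned entry: the referenced file no longer exists"))
        elif e.section == "O17":
            findings.append(Finding(e, "info",
                "DNS/search settings: confirm the servers belong to your ISP"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT), parse_ewido(SAMPLE_EWIDO)):
        print(f"[{f.severity}] {f.entry.section} - {f.entry.body}\n    {f.reason}")
```

PSGuard.exe produces no finding under these rules; the helper caught it from the ActiveScan result (Adware/PsGuard), so a script like this narrows the review rather than replacing it.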

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
I've done all of that and the computer appears to be working fine. See below for the requested reports. Let me know if there is still a problem but thank you very much for getting the computer working again.

Logfile of HijackThis v1.99.1
Scan saved at 2:33:25 PM, on 6/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\OPLIMIT\ocrawr32.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Andrew Jennings\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://telstra.com
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll (file missing)
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Documents and Settings\Kathryn Jennings\My Documents\Autolaunch.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
 

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Adware:Adware/CWS No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/FunWeb No disinfected C:\Program Files\FunWebProducts
Adware:Adware/IGetNet No disinfected C:\WINDOWS\System\Rules.dat
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\online dating.url
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\System32\P2P Networking
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Black Jack Online.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/SpywareNo No disinfected Windows Registry
Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Andrew Jennings\Application Data\PSGuard.com
Adware:Adware/SpySheriff No disinfected Windows Registry
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\system32\f3pssavr.scr
Adware:Adware/IGetNet No disinfected C:\WINDOWS\system\rules.dat
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\uninstIU.exe
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Take It Here - Free Porn TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Network Security.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Spam Filters.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Andrew Jennings\Favorites\Web Detective.url
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Andrew Jennings\.jpi_cache\jar\1.0\counter.jar-22500802-38e45190.zip[counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Andrew Jennings\.jpi_cache\jar\1.0\counter.jar-22500802-38e45190.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Andrew Jennings\.jpi_cache\jar\1.0\counter.jar-22500802-38e45190.zip[VerifierBug.class]
 

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:31:02 AM, 6/07/2005
+ Report-Checksum: 1D0DE5B

+ Scan result:

C:\Documents and Settings\Andrew Jennings\Cookies\andrew [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089035.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089036.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089037.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089038.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089039.exe -> Trojan.VB.el : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089040.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089041.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089042.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089043.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089044.EXE -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089045.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089046.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089047.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089032.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089033.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089034.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089048.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089049.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089050.EXE -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089051.DLL -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089052.exe -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089053.dll -> TrojanDownloader.Delf.pa : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089225.dll -> TrojanDownloader.Delf.pa : Cleaned with backup
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089284.exe -> Trojan.Agent.ff : Cleaned with backup


::Report End
 
Joined
Jul 26, 2002
Messages
46,349
* Click Here and download Killbox and save it to your desktop.


* Copy these instructions to notepad and save them to your desktop.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System\Rules.dat

C:\WINDOWS\smdat32a.sys

C:\Documents and Settings\Andrew Jennings\Application Data\PSGuard.com

C:\WINDOWS\system32\f3pssavr.scr

C:\WINDOWS\smdat32m.sys

C:\WINDOWS\uninstIU.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Delete these folders:

C:\Program Files\FunWebProducts
C:\Program Files\MySearch
C:\Program Files\Common Files\Totem Shared
C:\WINDOWS\System32\P2P Networking


* Delete these folders from your favorites:

Online Gambling
Online Pharmacy



* Delete these links from your favorites:

Black Jack Online
online dating
Remove Spyware
Home Loan
Online Pharmacy
Take It Here - Free Porn TGP
Online Gambling
Network Security
Spam Filters
Online Dating
Web Detective



* Restart back into Windows normally now.


* Go here and download Ad-Aware SE.
  • Install the program and launch it.
  • First in the main window look in the bottom right corner and click on Check for updates now
  • Click Connect and download the latest reference files.
  • From main window click Start then under Select a scan Mode tick Perform full system scan.
  • Next deselect Search for negligible risk entries.
  • Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it.
  • Right-click the window and choose select all from the drop down menu and click Next
  • Restart your computer.



* Go here and download Microsoft Antispyware Beta.
  • Install the program and launch it.
  • First in the top menu click File then Check for updates to download the definitions updates.
  • After updating look in the right side of the main window under "Run Quick Scan Now" and click Spyware scan options.
  • Put a tick by Run a full system scan and then put a check by all three options below that
  • Click Run Scan now.
  • When the scan is finished, let it fix anything that it finds
  • Have it quarantine the items that have that option rather than delete just in case.
  • Restart your computer.


* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

Post a new HiJackThis log along with the report from the Housecall scan.
 

andy1983

Thread Starter
Joined
Jul 4, 2005
Messages
8
Logfile of HijackThis v1.99.1
Scan saved at 2:27:25 PM, on 7/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andrew Jennings\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll (file missing)
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Documents and Settings\Kathryn Jennings\My Documents\Autolaunch.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F3B9BAE-CA46-4C49-BC56-53F1FFC07529}: NameServer = 139.134.5.51,139.134.2.190
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

============
Trend Micro Housecall Virus Scan: 0 virus cleaned, 3 viruses deleted


Results:
We have detected 3 infected file(s) with 3 virus(es) on your
computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 3 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File | Associated Virus Name | Action Taken
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084881.exe | TROJ_SUBSEARCH.I | Deletion successful
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0084888.exe | TROJ_SUBSEARCH.I | Deletion successful
C:\System Volume Information\_restore{FE705290-226E-4DA0-B828-0D51D50DAF5F}\RP501\A0089235.dll | TROJ_PMS.3 | Deletion successful




Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed: - 0 worm(s)/Trojan(s) passed, 0
worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s)
undeletable
Trojan/Worm Name | Trojan/Worm Type | Action Taken




Spyware Check: 1 spyware program removed

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 5 spyware(s) on your computer. Only 0 out of
0 spywares are displayed: - 4 spyware(s) passed, 0
spyware(s) no action available
- 1 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name | Spyware Type | Action Taken
COOKIE_45 | Cookie | Pass
COOKIE_225 | Cookie | Pass
COOKIE_1020 | Cookie | Pass
COOKIE_1543 | Cookie | Pass
SPYW_EXCTSEAR.A | Spyware | Removal successful




Microsoft Vulnerability Check: 15 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 15 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level | Issue | How to Fix
Critical | This vulnerability allows a remote attacker to conduct unauthorized activities via the Show Me function in Office Help, since Office 2000 UA ActiveX Control is marked as safe for scripting. | MS00-034
Critical | This vulnerability allows attackers to execute macros without user warning. It is done by linking a Rich Text Format document to a template that contains an embedded macro. | MS01-028
Highly Critical | This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. | MS03-001
Moderate | This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games.;An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. | MS04-016
Moderate | A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. | MS04-018
Critical | This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. | MS04-022
Critical | An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. | MS04-023
Critical | The Navigation Method Cross-Domain Vulnerability is a remote execution vulnerability that exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits a malicious Web site.;The Malformed BMP File Buffer Overrun Vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system.;The Malformed GIF File Double Free Vulnerability is a buffer overrun vulnerability that exists in the processing of GIF image file formats that could allow remote code execution on an affected system. | MS04-025
Critical | This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. | MS04-028
Important | An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDe services are not automatically executed, and so would then have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. | MS04-031
Critical | This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. | MS04-032
Critical | This is another privately reported vulnerability about Windows Compressed Folders. There is vulnerability on the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows can not properly handle the extraction of the ZIP folder with a very long file name. Opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. | MS04-034
Critical | This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. | MS04-037
Critical | This is a remote code execution vulnerability that exists in the Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web Page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. | MS04-038
Critical | A remote code execution vulnerability exists in MSN Messenger that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system. | MS05-022
 
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)


Restart your computer.


IMPORTANT!: I see that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones.


IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" ASAP! This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDIATELY!
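As an added illustration, not code from this thread or from HijackThis itself: a small Python triage script that parses lines in the HijackThis log format and flags the two kinds of entry the helper singled out above, entries whose referenced file is missing and entries whose path points at the MyWebSearch/FunWebProducts software named for removal. The fragment list and the sample lines are assumptions constructed from the log posted in this thread.

```python
import re
from typing import Dict, List, Optional

# Path fragments taken from the folders and Run entry the helper asked to remove
# (assumption built from this thread); matched case-insensitively against the path.
UNWANTED_FRAGMENTS = ("MYWEBS~1", "mwsoemon.exe", "FunWebProducts", "MySearch")

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll (file missing)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - ..." style entry lines
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx|scr|sys|cab))", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one HijackThis line into section code, body, first file path and CLSID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line, report header or a bare process-list path
    section, body = m.group(1), m.group(2)
    path = PATH_RE.search(body)
    clsid = CLSID_RE.search(body)
    return {
        "section": section,
        "body": body,
        "path": path.group(1) if path else None,
        "clsid": clsid.group(0) if clsid else None,
    }


def flag_entries(log_text: str) -> List[Dict[str, object]]:
    """Return the entries worth a second look, each with the reasons it was flagged."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = []
        if "(file missing)" in entry["body"]:
            reasons.append("orphaned entry: referenced file is missing")
        path = entry["path"] or ""
        hits = [f for f in UNWANTED_FRAGMENTS if f.lower() in path.lower()]
        if hits:
            reasons.append("path matches software named for removal: " + ", ".join(hits))
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG):
        print(e["section"], e["path"] or e["body"], "->", "; ".join(e["reasons"]))
```

On the sample above this flags the MyWebSearch Run entry and the two "(file missing)" entries and leaves the BigPond, HouseCall and ewido lines alone; whether an orphaned entry is removed is still a human decision, as in the helper's instructions.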
 