vapzhq.exe Trojan Horse


CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
I am trying to help my Mom on her PC with this trojan. NAV popped up and I tried to repair...no...tried to quarantine...no....tried to delete...no...I did DL Ad Aware and deleted a lot of junk. Should I try deleting the trojan in Safe mode? She is running Win XP. If I do any kind of search I can't even locate any info about this trojan. Even thru Symantec??? Ad Aware did take this vapzhq off the start-up...not sure where to go from here...any help is really appreciated...CG
 
Joined
Jun 3, 2005
Messages
319
I would suggest downloading Spybot S&D as well. Install it, update it and run a scan. Let it fix everything it finds. When that is finished, reboot, and then download HijackThis. Let it install to the default location. Navigate to C:\Program Files\HijackThis and run hijackthis.exe. Do a system scan and save a log file. Post the contents of the log file here as a reply. After you post your log, DO NOT REBOOT until instructed to do so by myself or another HijackThis expert. DO NOT ATTEMPT TO FIX ANYTHING USING HIJACKTHIS WITHOUT THE DIRECTION OF MYSELF OR ANOTHER HJT EXPERT. Most of the stuff in the log is either harmless or necessary.

Both of the programs I mentioned are available at the bottom of this message, just below my signature.
 
Joined
Jul 26, 2002
Messages
46,349
Hi CG59runner

Welcome to TSG! :)

Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now Click here to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program. Click on the Do a system scan and save a logfile button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
Thanks you guys... :) I figured you'd say to DL Hijack! I will do that tomorrow on my Mom's PC and post the info back here...:)...CG
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
I DL Spybot S&D. It didn't find anything! Here is the log from Hijack. Thanks for your help...CG

Logfile of HijackThis v1.99.1
Scan saved at 4:51:46 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Gwen\My Documents\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gxnu] C:\WINDOWS\System32\gxnu.exe
O4 - HKLM\..\Run: [oomkhzc] c:\windows\system32\stanbh.exe r
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC2225D4-3B36-4089-B553-F8C4326F0D47}: NameServer = 205.188.146.145
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
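The log above is what the helpers are reading by eye. As an added example (not part of the thread, and not HijackThis code), the script below parses the O4, O15, O16, O17 and O23 line formats of HijackThis 1.99.1 and applies the same triage rules a helper applies: Run entries that start an executable straight out of the Windows directory, sites added to the IE Trusted Zone, ActiveX downloads (DPF) from hosts other than a few expected vendors, a DNS server override worth confirming against the ISP, and services with no publisher. The allowlists, the assumption that Windows lives in C:\WINDOWS, and the sample lines (a subset copied from the log above) are mine.

```python
"""Triage a HijackThis 1.99 log for the entry classes that mattered in this thread.

Added example, not part of the original thread or of HijackThis itself. The
heuristics, allowlists and the Windows-directory assumption are mine.
"""
import ntpath
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "section severity reason line")

# Line shapes HijackThis 1.99.1 writes for the sections inspected here.
O4_RE = re.compile(r'^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<site>\S+)')
O16_RE = re.compile(r'^O16 - DPF: (?P<name>.+?) - (?P<url>https?://\S+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<ns>[\d.,]+)')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Assumed allowlists (not from the thread): Microsoft binaries that legitimately
# autostart from %WINDIR%, and hosts from which an ActiveX download is expected.
WINDIR_RUN_ALLOW = {"ctfmon.exe", "msmsgs.exe"}
DPF_TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com", "trendmicro.com")
WINDIR = r"c:\windows"  # assumption: default Windows XP install location

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gxnu] C:\WINDOWS\System32\gxnu.exe
O4 - HKLM\..\Run: [oomkhzc] c:\windows\system32\stanbh.exe r
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119744558281
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC2225D4-3B36-4089-B553-F8C4326F0D47}: NameServer = 205.188.146.145
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


def _exe_from_command(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    m = re.match(r'"?(?P<path>[^"]*?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("path") if m else cmd


def _lives_in_windir(path):
    """True if the file sits directly in %WINDIR% or %WINDIR%\\System32."""
    return ntpath.dirname(path.lower()) in (WINDIR, ntpath.join(WINDIR, "system32"))


def _trusted_host(host):
    return any(host == s or host.endswith("." + s) for s in DPF_TRUSTED_SUFFIXES)


def triage(log_text):
    """Return the Findings a helper would raise for the given HijackThis log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = _exe_from_command(m.group("cmd"))
            if _lives_in_windir(exe) and ntpath.basename(exe.lower()) not in WINDIR_RUN_ALLOW:
                findings.append(Finding("O4", "high",
                                        f"Run entry [{m.group('label')}] starts {exe} from the Windows directory", line))
            continue
        m = O15_RE.match(line)
        if m:  # Trusted Zone lowers IE security for that site, so any entry is reviewed
            findings.append(Finding("O15", "high", f"{m.group('site')} is in the IE Trusted Zone", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not _trusted_host(host):
                findings.append(Finding("O16", "high", f"ActiveX control downloaded from {host}", line))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(Finding("O17", "review",
                                    f"DNS server override {m.group('ns')}: confirm it belongs to the ISP", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append(Finding("O23", "high",
                                    f"service '{m.group('name')}' has no publisher: {m.group('path')}", line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return Counter(f.section for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```

Run against the sample it flags gxnu.exe and stanbh.exe (both autostarting from System32 under random labels), the neededware.com Trusted Zone entry and its ndw3.cab download, the NameServer override for review, and the SvcProc service with no publisher, while leaving the Symantec, Works and Windows Update entries alone. The Windows-directory rule is a triage heuristic, not proof of malice: a real log will need the allowlist extended for the Microsoft binaries that legitimately autostart from there.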
 
Joined
Jul 26, 2002
Messages
46,349
* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.



* Also Click here to download Nailfix.zip.
Unzip it to the desktop but please do NOT run it yet.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


* Now run Ewido:
  • Click on scanner
  • Put a check by the following before you scan:
    • Binder
    • Crypter
    • Archives
  • Click the Start Scan button to start the scan.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop



* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Come back here and post a new HijackThis log, as well as the log from the Ewido scan.
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
Thanks for your time flrman1. I'll be busy tomorrow! I don't think my Mom has a zip program to unzip files but I'll DL one too. I'll post back what you asked tomorrow...CG
 
Joined
Jul 26, 2002
Messages
46,349
(y)

Also do this:

Download DelDomains.inf from here.

Rightclick DelDomains.inf and choose install.
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
Here are the logs flrman1...thanks again for your help..CG:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:30 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gwen\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119744558281
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:25:12 PM, 6/26/2005
+ Report-Checksum: DC12F84A

+ Date of database: 6/26/2005
+ Version of scan engine: v3.0

+ Duration: 74 min
+ Scanned Files: 220835
+ Speed: 49.58 Files/Second
+ Infected files: 145
+ Removed files: 29
+ Files put in quarantine: 29
+ Files that could not be opened: 0
+ Files that could not be cleaned: 116

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\
C:\
C:\
C:\

+ Scan result:
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected]_5x7j[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Gwen\installer_MARKETING35.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\abiuninst[1].exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\8LG5UN4L\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\Gwen\SSK3_B5 Verticlick 8.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\kbfuujoxcn.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\system32\gxnu.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\system32\gxnuaeg05.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\qobrxa.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\wzpjdha.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected]_5x7j[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\installer_MARKETING35.exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\abiuninst[1].exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\Poller[1].exe -> Trojan.Agent.cp -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\8LG5UN4L\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Documents and Settings\Gwen\SSK3_B5 Verticlick 8.exe -> TrojanDropper.Small.qn -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\kbfuujoxcn.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnu.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnuaeg05.dll -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\qobrxa.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\wzpjdha.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected]_5x7j[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\installer_MARKETING35.exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\abiuninst[1].exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\Poller[1].exe -> Trojan.Agent.cp -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\8LG5UN4L\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Documents and Settings\Gwen\SSK3_B5 Verticlick 8.exe -> TrojanDropper.Small.qn -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\kbfuujoxcn.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnu.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnuaeg05.dll -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\qobrxa.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\wzpjdha.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected]_5x7j[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\installer_MARKETING35.exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\abiuninst[1].exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\Poller[1].exe -> Trojan.Agent.cp -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\8LG5UN4L\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Documents and Settings\Gwen\SSK3_B5 Verticlick 8.exe -> TrojanDropper.Small.qn -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\kbfuujoxcn.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnu.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnuaeg05.dll -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\qobrxa.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\wzpjdha.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected]_5x7j[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Gwen\installer_MARKETING35.exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\abiuninst[1].exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\Poller[1].exe -> Trojan.Agent.cp -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\7V9JVD4W\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\8LG5UN4L\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Documents and Settings\Gwen\SSK3_B5 Verticlick 8.exe -> TrojanDropper.Small.qn -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\kbfuujoxcn.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnu.exe -> TrojanDownloader.Lastad.p -> Error during cleaning
C:\WINDOWS\system32\gxnuaeg05.dll -> TrojanDownloader.Lastad.h -> Error during cleaning
C:\WINDOWS\system32\qobrxa.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta -> Error during cleaning
C:\WINDOWS\system32\wzpjdha.exe -> TrojanDownloader.Lastad.h -> Error during cleaning


::Report End
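The report above lists 145 infected files but only 29 distinct paths: the same 29 files appear once as "Cleaned with backup" and then four more times as "Error during cleaning", which is what the header's 29 removed / 116 not-cleaned split is counting. As an added example (not part of the thread, and not ewido code), the script below parses a report in this format, checks the header totals against the result lines, collapses the repeats to one record per path, groups detections by family, and lists the paths that were reported both cleaned and failed, which are the ones to confirm on disk before trusting the scan. The report text is constructed in the same shape with five of the paths from the report above; the helper names are mine.

```python
"""Reconcile an ewido 3.0 scan report: header totals, repeats and families.

Added example, not part of the original thread or of ewido itself. The report
text is constructed below in the report's format; the function names are mine.
"""
import re
from collections import Counter, defaultdict

HEADER_RE = re.compile(r'^\+ (?P<key>[^:]+): (?P<value>.+)$')
RESULT_RE = re.compile(r'^(?P<path>.+?) -> (?P<detection>\S+) -> (?P<action>.+)$')

# Constructed sample: five of the paths from the report above, each reported
# "Cleaned with backup" once and "Error during cleaning" three times.
SAMPLE_FILES = [
    (r"C:\Documents and Settings\Gwen\installer_MARKETING35.exe", "TrojanDownloader.Adload.a"),
    (r"C:\Documents and Settings\Gwen\Local Settings\Temporary Internet Files\Content.IE5\8LG5UN4L\Nail[1].exe", "Trojan.Nail"),
    (r"C:\WINDOWS\system32\gxnu.exe", "TrojanDownloader.Lastad.p"),
    (r"C:\WINDOWS\system32\wzpjdha.exe", "TrojanDownloader.Lastad.h"),
    (r"C:\WINDOWS\system32\WinStat11.dll", "Spyware.Winsta"),
]


def build_sample_report(files, error_repeats=3):
    """Write a report in ewido's layout: a '+ key: value' header, then result lines."""
    cleaned = [f"{p} -> {d} -> Cleaned with backup" for p, d in files]
    errors = [f"{p} -> {d} -> Error during cleaning" for p, d in files] * error_repeats
    header = [
        "ewido security suite - Scan report",
        "+ Created on: 4:25:12 PM, 6/26/2005",
        f"+ Infected files: {len(cleaned) + len(errors)}",
        f"+ Removed files: {len(cleaned)}",
        f"+ Files put in quarantine: {len(cleaned)}",
        f"+ Files that could not be cleaned: {len(errors)}",
        "",
        "+ Scan result:",
    ]
    return "\n".join(header + cleaned + errors + ["", "::Report End"])


SAMPLE_REPORT = build_sample_report(SAMPLE_FILES)


def parse_report(text):
    """Return (numeric header fields, [(path, detection, action), ...])."""
    counts, results = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_RE.match(line)
        if m:
            results.append((m.group("path"), m.group("detection"), m.group("action")))
            continue
        m = HEADER_RE.match(line)
        if m and m.group("value").isdigit():
            counts[m.group("key")] = int(m.group("value"))
    return counts, results


def check_totals(counts, results):
    """Header sanity: infected = cleaned lines + error lines, both matching the header."""
    actions = Counter(action for _, _, action in results)
    return (counts["Infected files"] == len(results)
            and counts["Removed files"] == actions["Cleaned with backup"]
            and counts["Files that could not be cleaned"] == actions["Error during cleaning"])


def reconcile(results):
    """Collapse repeated lines to one record per path with a count of each action."""
    per_path = defaultdict(lambda: {"detection": None, "actions": Counter()})
    for path, detection, action in results:
        per_path[path]["detection"] = detection
        per_path[path]["actions"][action] += 1
    return dict(per_path)


def needs_manual_check(per_path):
    """Paths the scanner reported as both cleaned and failed: verify on disk."""
    return sorted(p for p, info in per_path.items()
                  if info["actions"]["Cleaned with backup"] and info["actions"]["Error during cleaning"])


def family(detection):
    """Strip a one- or two-letter variant suffix: TrojanDownloader.Lastad.h -> TrojanDownloader.Lastad."""
    head, _, tail = detection.rpartition(".")
    return head if head and re.fullmatch(r"[a-z]{1,2}", tail) else detection


def family_counts(per_path):
    return Counter(family(info["detection"]) for info in per_path.values())


if __name__ == "__main__":
    counts, results = parse_report(SAMPLE_REPORT)
    per_path = reconcile(results)
    print("header consistent:", check_totals(counts, results))
    print("unique paths:", len(per_path), "of", len(results), "lines")
    print("families:", dict(family_counts(per_path)))
    for p in needs_manual_check(per_path):
        print("verify on disk:", p)
```

The useful output is the last loop: on the real report every one of the 29 paths lands in that list, so "Cleaned with backup" on its own is not evidence the file is gone, and the follow-up HijackThis log (gxnu.exe and stanbh.exe no longer under Run, svcproc.exe no longer registered as a service) is the check that actually settles it.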
 
Joined
Jul 26, 2002
Messages
46,349
* Download DelDomains.inf from here.

Rightclick DelDomains.inf and choose install.

Restart your computer.


* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt) and save it as a text file.

Post a new HiJackThis log along with the report from the Housecall scan
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
I did install the DelDomains.inf file. I also ran the Housecall scan. But it froze before the recovery. It found no trojans, worms or viruses. 2 spywares were found and 43 vulnerabilities. I think the vulnerabilities were from the fact my Mom has not updated Windows in some time... :mad: I had also run a NAV scan and nothing came up like the trojan had before.. :) . So, I guess I should run the Housecall scan again? Took well over an hour. Thank you..I am glad the trojan is gone...CG
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
Housecall worked this time! Have to break up the logs, too many characters... CG:

Trend Micro Housecall Virus Scan: 0 virus cleaned, 0 virus deleted

Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File | Associated Virus Name | Action Taken


Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name | Trojan/Worm Type | Action Taken


Spyware Check: 3 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 3 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 3 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name | Spyware Type | Action Taken
COOKIE_650 | Cookie | Removal successful
COOKIE_878 | Cookie | Removal successful
COOKIE_1020 | Cookie | Removal successful


Microsoft Vulnerability Check: 43 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 43 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level | Issue | How to Fix
Highly Critical | This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. | MS03-001
Highly Critical | This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. | MS03-007
Highly Critical | This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. | MS03-014
Critical | This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. | MS03-023
Critical | This vulnerability could allow a remote attacker to execute arbitrary code via a malformed RPC request with a long filename parameter. This is caused by a heap-based buffer overflow found in the Distributed Component Object Model (DCOM) interface in the RPCSS Service.; This vulnerability could allow a remote attacker to cause a denial of service attack, which could allow local attackers to gain privileges via certain messages sent to the __RemoteGetClassObject interface.; This vulnerability could allow a remote attacker to execute arbitrary code via a malformed activation request packet with modified length fields. This is caused by a heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service.; This vulnerability could allow a remote attacker to cause a denial of service attack. This is caused by two threads processing the same RPC request, which will lead to its using memory after it has been freed.; This vulnerability could allow a remote attacker to cause a denial of service attack via a queue registration request. This is caused by a buffer overflow in the Microsoft Message Queue Manager. | MS03-039
Critical | This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when the system is low on memory. | MS03-041
Critical | This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused by a buffer overflow in the Messenger Service for Windows NT through Server 2003. | MS03-043
Important | This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in User32.dll. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely. | MS03-045
Critical | This vulnerability could allow an attacker to access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system, wherein this is executed under the security context of the currently logged on user.; This vulnerability could allow an attacker to save a file on the user's system. This is due to dynamic HTML events related to the drag-and-drop of Internet Explorer.; This vulnerability, which is due to the incorrect parsing of URLs which contain special characters, could allow an attacker to trick a user by presenting one URL in the address bar, wherein it actually contains the content of another web site of the attacker's choice. | MS04-004
Highly Critical | The LSASS vulnerability is a buffer overrun vulnerability that allows remote code execution.; The LDAP vulnerability is a denial of service (DoS) vulnerability that causes the service in a Windows 2000 domain controller responsible for authenticating users in an Active Directory domain to stop responding.; The PCT vulnerability is a buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, a part of the SSL library, that allows remote code execution.; The Winlogon vulnerability is a buffer overrun vulnerability in the Windows logon process (winlogon) that allows remote code execution.; The Metafile vulnerability is a buffer overrun vulnerability that exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.; The Help and Support Center vulnerability allows remote code execution and is due to the way Help and Support Center handles HCP URL validation.; The Utility Manager vulnerability is a privilege elevation vulnerability that exists due to the way that Utility Manager launches applications.; The Windows Management vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands at the system privilege level.; The Local Descriptor Table vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands with system privileges.; The H.323 vulnerability is a buffer overrun vulnerability that when successfully exploited can allow attackers to gain full control of a system by arbitrarily executing commands with system privileges.; The Virtual DOS Machine vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to gain full control of a system by executing commands with system privileges.; The Negotiate SSP vulnerability is a buffer overrun vulnerability that exists in Microsoft's Negotiate Security Service Provider (SSP) interface and allows remote code execution.; The SSL vulnerability exists due to the way SSL packets are handled and can cause the affected systems to stop responding to SSL connection requests.; The ASN.1 'Double-Free' vulnerability exists in Microsoft's Abstract Syntax Notation One (ASN.1) Library and allows remote code execution at the system privilege level. | MS04-011
Critical | The RPC Runtime Library vulnerability is a remote code execution vulnerability that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploits this vulnerability could take complete control of an affected system.; The
 

CG59runner

Thread Starter
Joined
Apr 16, 2005
Messages
93
2nd part of Housecall report:
RPCSS Service denial of service (DoS) vulnerability allows a malicious user or malware to send specially-crafted messages to a vulnerable system, which causes the RPCSS Service to stop responding.; The RPC Over HTTP vulnerability may be used to launch a denial of service (DoS) attack against a system with CIS or RPC over HTTP Proxy enabled.; When successfully exploited, the Object Identity vulnerability allows an attacker to force currently running applications to open network communication ports, thereby opening a system to remote attacks. | MS04-012
Critical | The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system. | MS04-013
Critical | This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. | MS04-015
Moderate | This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games.; An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. | MS04-016
Moderate | A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. | MS04-018
Critical | This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. | MS04-022
Critical | An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. | MS04-023
Critical | The Navigation Method Cross-Domain Vulnerability is a remote execution vulnerability that exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits a malicious Web site.; The Malformed BMP File Buffer Overrun Vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system.; The Malformed GIF File Double Free Vulnerability is a buffer overrun vulnerability that exists in the processing of GIF image file formats that could allow remote code execution on an affected system. | MS04-025
Critical | This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.; This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. | MS04-028
Important | An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDE services are not automatically executed, and so would have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. | MS04-031
Critical | This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. | MS04-032
Critical | This is another privately reported vulnerability about Windows Compressed Folders. There is a vulnerability in the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows cannot properly handle the extraction of a ZIP folder with a very long file name. On opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. | MS04-034
Critical | This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). The Shell vulnerability exists in the way Windows Shell launches applications and could enable a remote malicious user or malware to execute arbitrary code. The Windows Shell function does not properly check the length of the message before copying it to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. | MS04-037
Critical | This is a remote code execution vulnerability that exists in Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. | MS04-038
Critical | This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution. A Web page can be crafted to exploit this vulnerability such that an arbitrary application can be executed on visiting systems with the same privilege as the currently logged on user. | MS04-040
Important | This security advisory explains the two discovered vulnerabilities in the Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. | MS04-041
Critical | A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun. If a user is logged on with administrator privileges, an attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution and then persuade a user to open this file. This malicious file may enable the attacker to gain complete control of the affected system. This vulnerability could also be exploited through a malicious Telnet URL if HyperTerminal had been set as the default Telnet client. | MS04-043
Important | This security update addresses and resolves two Windows vulnerabilities, both of which may enable the current user to take control of the affected system. Both of these vulnerabilities require that the current user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users. A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system. A privilege elevation vulnerability exists in the way that the LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system. | MS04-044
Critical | This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. | MS05-001
Critical | This update resolves several newly-discovered, privately reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, install programs, view, change, or delete data, or create new accounts that have full privileges. | MS05-002
Important | This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. | MS05-003
Important | This is an information disclosure vulnerability. An attacker who successfully exploits this vulnerability could remotely read the user names for users who have an open connection to an available shared resource. | MS05-007
Important | This remote code execution vulnerability exists in the way Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. | MS05-008
Critical | This remote code execution vulnerability exists in the processing of PNG image formats. An attacker who successfully exploits this vulnerability could take complete control of an affected system. | MS05-009
Critical | This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system. | MS05-011
Critical | This privilege elevation vulnerability exists in the way that the affected operating systems and programs access memory when they process COM structured storage files. This vulnerability could allow a currently logged-on user to take complete control of the system.; This remote code execution vulnerability exists in OLE because of the way that it handles input validation. An attacker could exploit the vulnerability by constructing a malicious document that could potentially allow remote code execution. | MS05-012
Critical | This vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. | MS05-013
Critical | This update resolves known vulnerabilities affecting Internet Explorer. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | MS05-014
Critical | A remote code execution vulnerability exists in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks. An attacker could exploit the vulnerability by constructing a malicious hyperlink which could potentially lead to remote code execution if a user clicks a malicious link within a Web site or e-mail message. | MS05-015
Important | A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability. | MS05-016
Important | This security bulletin resolves newly-discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | MS05-018
Critical | This security bulletin resolves newly discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding. | MS05-019
Critical | This security bulletin resolves three newly-discovered, privately-reported vulnerabilities affecting Internet Explorer. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | MS05-020
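The Housecall report above pastes its "Microsoft Vulnerability Check" as one row per bulletin, with the risk level run straight into the issue text and the MSyy-nnn bulletin ID at the end of the row, hard-wrapped across lines. The Python below is an added example, not code from the thread or from Trend Micro: it parses rows in that layout (also accepting a copy already tidied into " | " columns), tallies them by risk level, and picks out the bulletins whose own description claims remote code execution, skipping the ones the text says cannot be exploited remotely. SAMPLE_REPORT is constructed from four rows of the report; the parsed sample-report helper names and the keyword heuristic in summarize() are this example's own choices, not Housecall's.

```python
"""Parse the 'Microsoft Vulnerability Check' rows of a Trend Micro Housecall
report as pasted into a forum post, then summarise them by risk level and
flag the rows whose own description claims remote code execution.

Added example, not part of the original thread and not Housecall code. The
row layout it assumes (risk level run straight into the issue text, bulletin
ID at the end of the row, rows hard-wrapped) is taken from the pasted report;
SAMPLE_REPORT is constructed from four rows of that report."""
import re
from collections import Counter

RISK_LEVELS = ("Highly Critical", "Critical", "Important", "Moderate", "Low")

# One row of the check: risk level, free-text issue, MSyy-nnn bulletin ID.
# "Highly Critical" must be tried before "Critical". The optional " | " lets a
# copy that has already been tidied into columns parse as well.
ROW_RE = re.compile(
    r"(?<![A-Za-z])(?P<risk>" + "|".join(RISK_LEVELS) + r")\s*\|?\s*"
    r"(?P<issue>.*?)\s*\|?\s*"
    r"(?P<bulletin>MS\d{2}-\d{3})\s*$",
    re.DOTALL,
)

# Constructed sample: the section title, the column header and four rows
# copied from the pasted report, wrapped the way the forum post shows them.
SAMPLE_REPORT = """\
Microsoft Vulnerability Check43 vulnerabilities detected
Risk LevelIssueHow to Fix
Highly CriticalThis vulnerability enables local
users to execute arbitrary code through an RPC
call. MS03-001
CriticalThis vulnerability allows a remote
attacker to execute arbitrary code on the affected
system. MS03-043
ImportantThis vulnerability is due to a buffer
overrun in the ListBox and ComboBox controls found
in User32.dll. This vulnerability cannot be
exploited remotely. MS03-045
ModerateThis is a denial of service (DoS)
vulnerability. MS04-016
"""


def parse_rows(report_text):
    """Return one dict per bulletin with keys risk, issue, bulletin.

    The pasted report is hard-wrapped, so the lines are joined first and the
    text is then cut after every bulletin ID, which is what ends each row."""
    flat = " ".join(line.strip() for line in report_text.splitlines() if line.strip())
    rows = []
    for chunk in re.split(r"(?<=MS\d\d-\d\d\d)\s+", flat):
        m = ROW_RE.search(chunk)
        if m:  # the section title and column header carry no bulletin ID
            rows.append({"risk": m["risk"], "issue": m["issue"], "bulletin": m["bulletin"]})
    return rows


def summarize(rows):
    """Count rows per risk level and list the bulletins whose issue text
    describes remote code execution, minus those the text itself says cannot
    be exploited remotely. Those are the first patches to apply on a box that
    has not seen Windows Update in a while. The keyword match is a heuristic
    over the report's wording, not a lookup of the bulletins themselves."""
    by_risk = Counter(r["risk"] for r in rows)
    rce = []
    for r in rows:
        text = r["issue"].lower()
        if "cannot be exploited remotely" in text:
            continue
        if re.search(r"remote(ly)?.{0,40}(execut|code)", text):
            rce.append(r["bulletin"])
    return by_risk, rce


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_REPORT)
    counts, rce_bulletins = summarize(parsed)
    for level in RISK_LEVELS:
        if counts[level]:
            print(f"{level:16s} {counts[level]}")
    print("remote code execution per the report text:", ", ".join(rce_bulletins))
```

Paste the whole vulnerability section of a report into SAMPLE_REPORT (or read it from the saved .txt file) to get the same tally for all 43 rows; the split on the trailing bulletin ID is what makes the wrapped lines harmless.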
 