virus stopping antiviruses from working?


23 replies to this topic

#1 Posman


Posted 12 August 2006 - 05:56 PM

I reformatted my computer and have been having trouble with the internet and the computer freezing, which it didn't do before. I tried installing McAfee, but once I reset it says I do not have rights to open the file, or any .exe file for that matter. I am forced to go to safe mode and the anti-virus works fine, but I find that a lot of key files are affected by newwin32 and other viruses. Any help please.

Logfile of HijackThis v1.99.1
Scan saved at 17:40:21, on 12/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\NT\nrcs.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\WINDOWS\System32\csrs.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\hh.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Documents and Settings\sika\My Documents\VisualBoyAdvance v1.7.2\VisualBoyAdvance.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [win32 update service] svchostt.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MCAFInstaller_mpfins.ui] C:\WINDOWS\TEMP\mcu267.tmp\MCAPPINS.exe /v=3 /start=mpfins.ui::default.htm
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Microsoft ® Windows Vista/NT Runtime Compatibility Service] C:\WINDOWS\NT\nrcs.exe
O4 - HKLM\..\Run: [DHCP Hotfix] C:\hh.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\RunServices: [win32 update service] svchostt.exe
O4 - HKCU\..\Run: [win32 update service] svchostt.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154296498390
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57164FE7-9B8E-4B59-8D5A-BD18B4FDC494}: NameServer = 83.146.21.5 212.158.248.6
O23 - Service: win32 update service (defiled) - Unknown owner - C:\WINDOWS\System32\svchostt.exe" -netsvcs (file missing)
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

#2 jurgenv (Volunteer Security Advisor)

Posted 12 August 2006 - 11:35 PM

* Please remove these entries from Add/Remove Programs in the Control Panel (if present):
To do this, click 'Start' then 'Control Panel', then double-click on Add/Remove Programs.
Ares <== comes with malware to work properly: http://www.spywarein...2p/old_list.php
AdwareAlert

* Please open hijackthis and put a check next to the following:

O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [win32 update service] svchostt.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Vista/NT Runtime Compatibility Service] C:\WINDOWS\NT\nrcs.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\RunServices: [win32 update service] svchostt.exe
O4 - HKCU\..\Run: [win32 update service] svchostt.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\scvhost.exe
    C:\WINDOWS\System32\winIogon.exe
    C:\WINDOWS\System32\svchostt.exe
    C:\WINDOWS\update\updmgr.exe
    C:\WINDOWS\System32\csrs.exe
    C:\WINDOWS\NT\nrcs.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


* Please delete these folders using Windows Explorer (if present):
* Click Start>>All Programs>>Accessories>>Windows Explorer
* Navigate to the listed folders, then right-click to select them and click delete
C:\Program Files\Ares
C:\Program Files\AdwareAlert

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: (image)
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    (image)
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Edited by LS CalamityJane, 12 December 2008 - 12:01 AM.
Fixed outdated URL

Greets Jurgenv.
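The entries singled out above share a pattern worth automating: file names that imitate core Windows binaries (winIogon.exe with a capital I, scvhost.exe, svchostt.exe, csrs.exe, spoolsvc.exe), a second program chained onto UserInit, and per-interface NameServer settings. The following Python is an added example, not the forum's or HijackThis's own code, that triages a HijackThis log for those three patterns; the list of system binaries, the glyph-folding and edit-distance heuristic, and the sample log (a constructed excerpt of the log posted above) are all this example's assumptions.

```python
"""Triage a HijackThis log for the patterns seen in this thread (added example,
not part of the thread or of HijackThis; every heuristic is an assumption here):
  * a running process, O4 autorun or O23 service whose file name imitates a core
    Windows binary (same after folding I/l, 1/l, 0/O glyphs, or within one edit)
  * an F2 UserInit value that chains anything besides userinit.exe
  * O17 NameServer entries, listed for review since the log alone cannot tell the
    ISP's resolvers from ones planted by a DNS changer
"""
import re

# Core Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe", "rundll32.exe",
}

def fold_glyphs(name: str) -> str:
    """Lower-case and merge characters that look alike in common UI fonts."""
    return name.lower().replace("i", "l").replace("1", "l").replace("0", "o")

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def exe_basename(command: str) -> str:
    """Lower-cased file name from a command line or service path, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ")[0]
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def lookalike_of(basename: str):
    """The system binary this name imitates, or None if it is exact or unrelated."""
    if basename in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if fold_glyphs(basename) == fold_glyphs(real) or osa_distance(basename, real) <= 1:
            return real
    return None

def scan_hijackthis(log: str) -> list:
    """Return (kind, detail) findings for the log sections this example understands."""
    findings, in_processes = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            real = lookalike_of(exe_basename(line))
            if real:
                findings.append(("process", f"{line} imitates {real}"))
        elif m := re.match(r"O4 - (.+?): \[(.*?)\] (.*)", line):
            real = lookalike_of(exe_basename(m.group(3)))
            if real:
                findings.append(("autorun", f"[{m.group(2)}] {m.group(3)} imitates {real}"))
        elif m := re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line):
            extras = [p.strip() for p in m.group(1).split(",") if exe_basename(p) != "userinit.exe"]
            if extras:
                findings.append(("userinit", ", ".join(extras)))
        elif m := re.match(r"O17 - .*NameServer = (.*)", line):
            findings.append(("dns", m.group(1).strip()))
        elif m := re.match(r"O23 - Service: (.*?) - (.*?) - (.*)", line):
            real = lookalike_of(exe_basename(m.group(3)))
            if real:
                findings.append(("service", f"{m.group(1)} -> {m.group(3)} imitates {real}"))
    return findings

# Constructed excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\WINDOWS\System32\csrs.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [win32 update service] svchostt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{57164FE7-9B8E-4B59-8D5A-BD18B4FDC494}: NameServer = 83.146.21.5 212.158.248.6
O23 - Service: win32 update service (defiled) - Unknown owner - C:\WINDOWS\System32\svchostt.exe" -netsvcs (file missing)
"""

if __name__ == "__main__":
    for kind, detail in scan_hijackthis(SAMPLE_LOG):
        print(f"{kind:9} {detail}")
```

The legitimate winlogon.exe and smss.exe lines pass silently; only the imitations, the chained UserInit program and the resolver override are reported.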

#3 Posman


Posted 13 August 2006 - 01:52 AM

I wasn't sure if anyone was going to reply, so I wiped my PC again and downloaded Ad-Aware. At first it took all the viruses away, but once I connected to the net it added more with each scan. I can't update my Windows due to the viruses and I get update.exe errors. I'm going to follow what you said.

EDIT: I just finished doing all that and all toolbars and errors are gone, but I still get pop-ups. Any recommended antivirus and firewall I should get, or can I stick with McAfee? Here are the logs.

DrWeb:
netmon.exe;C:\Program Files\Network Monitor;Trojan.DnsChange;Will be cured after reboot.;
Isass.exe;C:\WINDOWS\System32;Win32.Parite.2;Will be cured after reboot.;
scvhost.exe;C:\WINDOWS\System32;Win32.IRC.Bot.based;Deleted.;
Update.exe;C:\Program Files\Common Files\{3C600F9F-070B-2057-1001-02051002002c};Trojan.Starter.65;Deleted.;
Update.exe;C:\Program Files\Common Files\{3C600F9F-070A-2057-1001-02051002002c};Trojan.Starter.65;Deleted.;
CTFMON.EXE;C:\WINDOWS\System32;Trojan.MulDrop.2267;Deleted.;
gebcc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
MSmedia.exe;C:\WINDOWS;BackDoor.IRC.Sdbot.496;Will be cured after reboot.;
netmon.exe;c:\program files\network monitor;Trojan.DnsChange;Will be cured after reboot.;
rdriv.sys;C:\WINDOWS\system32;Trojan.NtRootKit.61;Will be cured after reboot.;
drsmartload1.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
dfndrff_9.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
kybrdff_9.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
ac3_0010.exe;C:\;Trojan.DownLoader.10918;Deleted.;
nwnmff_9.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload45a8b9abc.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload46a8b9abc.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
drsmartload849a8b9abc.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
MTE3NDI6ODoxNg.exe;C:\;Trojan.DownLoader.5013;Deleted.;
Installer3.exe;C:\;Adware.Look2me;Incurable.Moved.;
MSmedia.exe;C:\WINDOWS;BackDoor.IRC.Sdbot.496;Will be cured after reboot.;
bleh.exe;C:\WINDOWS\system32;Win32.IRC.Bot.based;Deleted.;
Isass.exe;C:\WINDOWS\system32;Win32.Parite.2;Deleted.;
uolrys.exe;C:\WINDOWS\system32;BackDoor.IRC.Rxbot;Deleted.;
ikfzvqae.exe;C:\WINDOWS\system32;BackDoor.IRC.Rxbot;Deleted.;
dotdr.exe;C:\WINDOWS\system32;Adware.DollarRevenue;Incurable.Moved.;
gebcc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
w004b64c.dll;C:\WINDOWS\system32;Trojan.DownLoader.10919;Deleted.;
ddayv.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
Windows-spyware.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.719;Deleted.;
mawmdm.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Moved.;
awvtt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
rdriv.sys;C:\WINDOWS\system32;Trojan.NtRootKit.61;Will be cured after reboot.;
al3[1].txt;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WL2ROHMN;Trojan.DownLoader.10919;Deleted.;
drsmartload45a[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WL2ROHMN;Adware.DollarRevenue;Incurable.Moved.;
drsmartload46a[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WL2ROHMN;Adware.DollarRevenue;Incurable.Moved.;
dfndrff_9[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PQ7KPMF;Adware.DollarRevenue;Incurable.Moved.;
ac3_0010[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PQ7KPMF;Trojan.DownLoader.10918;Deleted.;
nwnmff_9[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PQ7KPMF;Adware.DollarRevenue;Incurable.Moved.;
drsmartload849a[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PQ7KPMF;Adware.DollarRevenue;Incurable.Moved.;
loader[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHQNODEV;Adware.DollarRevenue;Incurable.Moved.;
drsmartload[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HI3WXAR;Adware.DollarRevenue;Incurable.Moved.;
kybrdff_9[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HI3WXAR;Adware.DollarRevenue;Incurable.Moved.;
oba3.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
tmp00046955;C:\WINDOWS\Temp;Trojan.Virtumod;Deleted.;
asappsrv.dll;C:\WINDOWS\U2lrYQ;Trojan.Proxy.493;Deleted.;
command.exe;C:\WINDOWS\U2lrYQ;Trojan.Proxy.493;Deleted.;
bleh.exe;C:\Documents and Settings\Sika;Win32.IRC.Bot.based;Deleted.;
dotdr.exe;C:\Documents and Settings\Sika;Adware.DollarRevenue;Incurable.Moved.;
tmp0004d1d3;C:\Documents and Settings\Sika\Local Settings\Temp;Trojan.Virtumod;Deleted.;
cmdinst.exe;C:\Documents and Settings\Sika\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
tmp0006afbb;C:\Documents and Settings\Sika\Local Settings\Temp;Trojan.Virtumod;Deleted.;
podosikik.html\Javascript.0;C:\Program Files\Windows NT\podosikik.html;Trojan.Click.1237;;
podosikik.html;C:\Program Files\Windows NT;Archive contains infected objects;Moved.;
mebeq.html\Javascript.0;C:\Program Files\CyberLink\mebeq.html;Trojan.Click.1237;;
mebeq.html;C:\Program Files\CyberLink;Archive contains infected objects;Moved.;
MyToolBar.dll;C:\Program Files\ToolBar888;Adware.FastSearch;Incurable.Will be moved after reboot.;
netmon.exe;C:\Program Files\Network Monitor;Trojan.DnsChange;Will be cured after reboot.;
A0001248.sys;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.NtRootKit.61;Deleted.;
A0002248.sys;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.NtRootKit.61;Deleted.;
A0002249.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.IRC.Bot.based;Deleted.;
A0002256.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.DownLoader.9440;Deleted.;
A0002264.SYS;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.NtRootKit.61;Deleted.;
A0002266.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.IRC.Bot.based;Deleted.;
A0002269.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Starter.65;Deleted.;
A0002271.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Adware.DollarRevenue;Incurable.Moved.;
A0003263.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.IRC.Bot.based;Deleted.;
A0003264.SYS;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.NtRootKit.61;Deleted.;
A0003271.EXE;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.IRC.Bot.based;Deleted.;
A0003272.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;BackDoor.IRC.Sdbot.723;Deleted.;
A0003273.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;BackDoor.IRC.Rxbot;Deleted.;
A0003274.dll;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Adware.Look2me;Incurable.Moved.;
A0003279.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.IRC.Bot.based;Deleted.;
A0003280.SYS;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.NtRootKit.61;Deleted.;
A0003281.dll;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Adware.Look2me;Incurable.Moved.;
A0003282.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Starter.65;Deleted.;
A0003283.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Starter.65;Deleted.;
A0003284.EXE;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.MulDrop.2267;Deleted.;
A0003286.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.DownLoader.10918;Deleted.;
A0003287.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.DownLoader.5013;Deleted.;
A0003288.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.IRC.Bot.based;Deleted.;
A0003289.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Win32.Parite.2;Deleted.;
A0003290.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;BackDoor.IRC.Rxbot;Deleted.;
A0003291.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;BackDoor.IRC.Rxbot;Deleted.;
A0003292.dll;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.DownLoader.10919;Deleted.;
A0003293.dll;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Virtumod;Deleted.;
A0003294.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;BackDoor.IRC.Sdbot.719;Deleted.;
A0003295.dll;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Virtumod;Deleted.;
A0003296.dll;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Proxy.493;Deleted.;
A0003297.exe;C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1;Trojan.Proxy.493;Deleted.;
csrs.exe;C:\!KillBox;BackDoor.IRC.Rxbot;Deleted.;
winIogon.exe;C:\!KillBox;BackDoor.IRC.Sdbot.723;Deleted.;

HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 02:33:40, on 13/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\MSmedia.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sika\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timecomputers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155428199093
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{21430AFA-DA6E-4060-A501-74626BC04C80}: NameServer = 83.146.21.5 212.158.248.6
O20 - Winlogon Notify: gebcc - C:\WINDOWS\SYSTEM32\gebcc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\p0n80a5ued.dll
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

Can I update my Windows now?

#4 jurgenv (Volunteer Security Advisor)

Posted 13 August 2006 - 12:27 PM

* I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or avast!.

* Please download Look2Me-Destroyer.exe to your desktop.

* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX


* Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
* Please post the contents of C:\Look2Me-Destroyer.txt and C:\vundofix.txt and a new HiJackThis log!
Greets Jurgenv.

#5 Posman


Posted 13 August 2006 - 10:11 PM

VundoFix did not find anything, so it didn't make a txt file, but AVG was picking up a couple of viruses; it stopped now.

Look2Me log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 13/08/2006 21:58:24

Infected! C:\WINDOWS\system32\kt00l7dm1.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\kt00l7dm1.dll
C:\WINDOWS\system32\kt00l7dm1.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1F74F79A-587F-48E3-B316-5374CC4CC7F9}"
HKCR\Clsid\{1F74F79A-587F-48E3-B316-5374CC4CC7F9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BF9A54A8-A393-4354-AE6E-F1E759233D44}"
HKCR\Clsid\{BF9A54A8-A393-4354-AE6E-F1E759233D44}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C41C9713-C845-4EBB-827A-B2AA258C0B7F}"
HKCR\Clsid\{C41C9713-C845-4EBB-827A-B2AA258C0B7F}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:06:46, on 13/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sika\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timecomputers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155428199093
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{21430AFA-DA6E-4060-A501-74626BC04C80}: NameServer = 83.146.21.5 212.158.248.6
O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

Can you recommend a good firewall?

#6 jurgenv (Volunteer Security Advisor)

Posted 13 August 2006 - 10:23 PM

* First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do NOT run a scan just yet; we will shortly.

* If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


* Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* Please open hijackthis and put a check next to the following:

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcc.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Next, run Ad-aware and perform a full scan. Remove everything found.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Restart your computer in normal mode.

* Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* After that, post a new HijackThis log here with the report from ewido.
Greets Jurgenv.

#7 Posman
Member, 16 posts

Posted 14 August 2006 - 12:11 AM

Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 00:05:49, on 14/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sika\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timecomputers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155428199093
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{21430AFA-DA6E-4060-A501-74626BC04C80}: NameServer = 83.146.21.5 212.158.248.6
O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

ewido report:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:55:50 13/08/2006

+ Scan result:



C:\Documents and Settings\Sika\DoctorWeb\Quarantine\A0003274.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\A0003281.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\mawmdm.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003309.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003311.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003317.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003322.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003326.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003332.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003335.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003346.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003347.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\MyToolBar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003316.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888 -> Adware.ToolBar888 : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888\Activate.exe -> Adware.ToolBar888 : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888\Uninst.exe -> Adware.ToolBar888 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003344.dll -> Backdoor.Agent.ff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003348.exe -> Backdoor.Agobot.afk : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\dotdr.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\dotdr__0.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\woa32.exe/dotdr.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003266.exe/dotdr.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003310.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003312.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\woa32.exe/dotdr.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload45a8b9abc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload45a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload46a8b9abc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload46a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload849a8b9abc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload849a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003305.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003307.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003308.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\nwnmff_9.exe -> Downloader.Adload.eb : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\nwnmff_9[1].exe -> Downloader.Adload.eb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003304.exe -> Downloader.Adload.eb : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\kybrdff_9.exe -> Downloader.Adload.ec : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\kybrdff_9[1].exe -> Downloader.Adload.ec : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003303.exe -> Downloader.Adload.ec : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\woa32.exe/dotrm.dll -> Downloader.ConHook.ad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003266.exe/dotrm.dll -> Downloader.ConHook.ad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003336.DLL -> Downloader.ConHook.ad : Cleaned with backup (quarantined).
C:\WINDOWS\system32\woa32.exe/dotrm.dll -> Downloader.ConHook.ad : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\A0002271.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload1.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\drsmartload[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\loader[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003301.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003306.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003300.exe -> Dropper.Agent.ye : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003298.exe -> Dropper.Paradrop.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003299.exe -> Dropper.Paradrop.a : Cleaned with backup (quarantined).
C:\Program Files\Thomson SpeedTouch\ST330\WebInstaller\STHIW\stInstall.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0000113.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0000123.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0000142.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0000230.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0000248.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\mebeq.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\podosikik.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\dfndrff_9.exe -> Hijacker.VB.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\DoctorWeb\Quarantine\dfndrff_9[1].exe -> Hijacker.VB.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003302.exe -> Hijacker.VB.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003315.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003314.sys -> Rootkit.Agent.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003331.SYS -> Rootkit.Agent.o : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rdriv.sys -> Rootkit.Agent.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@adtech[1].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\Sika\Cookies\sika@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end
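A note on reading a report like the one above, with an added example that is not part of the original thread or of ewido itself. What matters to an analyst is not the number of lines but where each detection lives: a hit under C:\System Volume Information\_restore{...} is an inert copy held by System Restore, a hit under another scanner's Quarantine folder (here DoctorWeb\Quarantine) was already neutralised by that tool, and a TrackingCookie is a privacy nuisance rather than code. The entries that describe the real compromise are the ones on the live filesystem, such as C:\WINDOWS\system32\rdriv.sys flagged as Rootkit.Agent.o. The Python below parses ewido report lines in the "path -> family : action." format and buckets them that way; the sample lines are a handful of entries copied from the reports in this thread, and the family names treated as high severity (Rootkit, Backdoor, Trojan) are my own choice, not a vendor classification.

```python
import re
from collections import Counter

# Lines reproduced from the ewido scan reports posted in this thread
# (a few representative entries, not the full reports).
EWIDO_LINES = [
    r"C:\Documents and Settings\Sika\DoctorWeb\Quarantine\mawmdm.dll -> Adware.Look2Me : Cleaned with backup (quarantined).",
    r"C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003314.sys -> Rootkit.Agent.o : Cleaned with backup (quarantined).",
    r"C:\WINDOWS\system32\rdriv.sys -> Rootkit.Agent.o : Cleaned with backup (quarantined).",
    r"C:\WINDOWS\system32\woa32.exe/dotdr.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).",
    r"C:\Program Files\ToolBar888\Activate.exe -> Adware.ToolBar888 : Cleaned with backup (quarantined).",
    r"C:\Documents and Settings\Sika\Cookies\sika@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).",
    r":mozilla.113:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.2o7 : No action taken.",
]

# One report entry: "<path> -> <family> : <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+?)\.?$")

# Families that indicate an active foothold rather than adware or cookies
# (my own grouping for this example, not an ewido category).
HIGH_SEVERITY = {"Rootkit", "Backdoor", "Trojan"}


def classify_location(path, family):
    """Bucket a detection by where the file lives, which decides what it means."""
    if "\\System Volume Information\\_restore" in path:
        return "restore_point"             # inert copy kept by System Restore
    if "\\Quarantine\\" in path:
        return "other_scanner_quarantine"  # already neutralised by another tool
    if family.startswith("TrackingCookie"):
        return "tracking_cookie"           # privacy nuisance, not code execution
    return "live"                          # on the running filesystem: the real infection


def summarize_report(lines):
    """Parse ewido report lines and return the figures an analyst acts on."""
    buckets = Counter()
    live_hits = []
    pending = 0
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank or "::Report end" line
        path, family, action = m.group("path", "family", "action")
        bucket = classify_location(path, family)
        buckets[bucket] += 1
        if bucket == "live":
            severity = "high" if family.split(".")[0] in HIGH_SEVERITY else "low"
            live_hits.append((path, family, severity))
        if action.startswith("No action taken"):
            pending += 1  # scan was run without "Apply all actions"
    return {
        "buckets": dict(buckets),
        "live_hits": live_hits,
        "high_severity_live": [h for h in live_hits if h[2] == "high"],
        # Restore-point copies survive every cleanup until System Restore is
        # disabled and re-enabled, so they call for that step, not alarm.
        "flush_system_restore": buckets["restore_point"] > 0,
        "pending_actions": pending,
    }


if __name__ == "__main__":
    for key, value in summarize_report(EWIDO_LINES).items():
        print(f"{key}: {value}")
```

Applied to the two full reports in this thread, the rule of thumb reads: the first report has live hits in system32 and Program Files, so the machine was actively infected; the second consists only of restore-point copies and cookies, so the live infection is gone and what remains is the System Restore purge.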

#8 jurgenv
Advanced Member, Volunteer Security Advisor, 2462 posts

Posted 14 August 2006 - 11:10 AM

* Launch Ewido and in the main window click "Realtime protection" (in green indicating "Active") to change to inactive.

* Please open HijackThis and put a check next to the following:

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, post a new HijackThis log here and tell me how everything is working.
Greets Jurgenv.
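The entries jurgenv picks out in this post and in the earlier one follow a few repeatable rules: a "(file missing)" reference is an orphan left behind after the payload was removed and can be fixed without risk, an O20 Winlogon Notify DLL named without a path loads into winlogon.exe at every logon (the gebcc.dll entry is the Look2Me remnant), an O23 service with "Unknown owner" has no vendor string, and O17 NameServer entries deserve a check against the ISP's real resolvers. The Python below applies those rules to HijackThis v1.99.1 log lines; it is an added example, not part of the thread or of HijackThis, and the sample lines are copied from the logs posted here.

```python
import re

# Lines reproduced from the HijackThis v1.99.1 logs posted in this thread.
HJT_LINES = [
    r"O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcc.dll (file missing)",
    r"O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6",
    r"O20 - Winlogon Notify: gebcc - gebcc.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]

# "O2 - <body>", "R0 - <body>", "F2 - <body>" and so on.
LINE_RE = re.compile(r"^(?P<section>[ORF]\d+)\s+-\s+(?P<body>.*)$")
FILE_MISSING = "(file missing)"


def triage_hjt(lines):
    """Return {log line: [reasons]} for the entries an analyst should look at."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, blank line or header
        section, body = m.group("section", "body")
        reasons = []
        if FILE_MISSING in body:
            reasons.append("orphaned reference: target no longer on disk, safe to fix")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("Browser Helper Object with no name")
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; a bare
            # filename with no path is typical of adware such as Look2Me.
            target = body.split(" - ", 1)[1] if " - " in body else ""
            if "\\" not in target:
                reasons.append("Winlogon Notify DLL given without a full path")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no vendor string")
        if section == "O17":
            reasons.append("custom DNS servers; confirm they belong to the ISP")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(HJT_LINES).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

Entries from AVG and the WgaLogon Winlogon hook come through clean, which is the point: the rules are about orphaned or unattributed load points, not about any particular product name.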

#9 Posman
Member, 16 posts

Posted 14 August 2006 - 11:51 AM

Thank you very much. I don't seem to have any more virus errors or problems downloading Microsoft updates. The small minor problem is that my Internet Explorer doesn't display pages and I need to refresh it 5 times to get it to show the page.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:45:42, on 14/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sika\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155428199093
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{21430AFA-DA6E-4060-A501-74626BC04C80}: NameServer = 83.146.21.5 212.158.248.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

Thanks again.

And btw, I have like two antiviruses; do I need to get rid of one? I have AVG and ewido.

#10 jurgenv
Advanced Member, Volunteer Security Advisor, 2462 posts

Posted 14 August 2006 - 12:11 PM

Ewido is NOT an antivirus. :D

Go to http://windowsupdate.microsoft.com/ and install Service Pack 2 and the updates after SP2.

Finally, post a new HijackThis log here and tell me how everything is working. :)
Greets Jurgenv.

#11 Posman
Member, 16 posts

Posted 14 August 2006 - 03:36 PM

I just tried to update Microsoft and there were 52 critical updates which I downloaded, but after I installed them my computer kept constantly restarting, then I was taken to a menu where I could choose from safe mode, last known good configuration and run Windows normally. I tried run Windows normally, took me back to the same screen; tried last known good configuration, took me back to the same screen; so I had to uninstall all 52 updates before I got my PC to work again.... Any idea why this happened?

#12 jurgenv
Advanced Member, Volunteer Security Advisor, 2462 posts

Posted 14 August 2006 - 03:43 PM

Hmm, can you redo the step with Dr.Web and post me the report here?
Greets Jurgenv.

#13 Posman
Member, 16 posts

Posted 15 August 2006 - 05:46 PM

It's ok, it downloaded SP2 and fixed problems.

#14 jurgenv
Advanced Member, Volunteer Security Advisor, 2462 posts

Posted 15 August 2006 - 05:47 PM

Ok, can I see a new HijackThis log? :)
Greets Jurgenv.

#15 Posman
Member, 16 posts

Posted 16 August 2006 - 06:56 PM

I'm now having problems with the computer randomly restarting and a message saying it has recovered from a fatal error or something.

Logfile of HijackThis v1.99.1
Scan saved at 18:50:29, on 16/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sika\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

#16 jurgenv
Advanced Member, Volunteer Security Advisor, 2462 posts

Posted 16 August 2006 - 06:59 PM

What happened to AVG? Re-install it!

Also, scan again with an up-to-date ewido in safe mode, and post the report of it here with a new HijackThis log.
Greets Jurgenv.

#17 Posman
Member, 16 posts

Posted 16 August 2006 - 08:34 PM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:27:54 16/08/2006

+ Scan result:



C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003361.exe/dotdr.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003362.exe/dotdr.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003363.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003364.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003377.exe -> Downloader.Adload.ds : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003378.exe -> Downloader.Adload.ds : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003379.exe -> Downloader.Adload.ds : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003380.exe -> Downloader.Adload.ds : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003381.exe -> Downloader.Adload.ds : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003382.exe -> Downloader.Adload.ds : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003375.exe -> Downloader.Adload.eb : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003376.exe -> Downloader.Adload.eb : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003373.exe -> Downloader.Adload.ec : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003374.exe -> Downloader.Adload.ec : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003361.exe/dotrm.dll -> Downloader.ConHook.ad : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003362.exe/dotrm.dll -> Downloader.ConHook.ad : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003366.exe -> Downloader.VB.agk : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003367.exe -> Downloader.VB.agk : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003368.exe -> Downloader.VB.agk : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003369.exe -> Downloader.VB.agk : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003370.exe -> Downloader.VB.agk : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003388.exe -> Heuristic.Win32.Dialer : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003371.exe -> Hijacker.VB.or : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003372.exe -> Hijacker.VB.or : No action taken.
C:\System Volume Information\_restore{7EF2FCF7-1ABA-470E-A97D-021F2A361541}\RP1\A0003365.sys -> Rootkit.Agent.o : No action taken.
:mozilla.113:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.2o7 : No action taken.
:mozilla.114:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.2o7 : No action taken.
:mozilla.115:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.169:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adrevolver : No action taken.
:mozilla.170:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adrevolver : No action taken.
:mozilla.171:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adrevolver : No action taken.
:mozilla.172:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adrevolver : No action taken.
:mozilla.173:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adrevolver : No action taken.
:mozilla.56:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adtech : No action taken.
:mozilla.57:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
:mozilla.300:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Advertising : No action taken.
:mozilla.301:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Advertising : No action taken.
:mozilla.302:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
:mozilla.61:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.223:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
:mozilla.67:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.66:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Burstnet : No action taken.
:mozilla.52:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Casalemedia : No action taken.
:mozilla.53:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Casalemedia : No action taken.
:mozilla.54:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Casalemedia : No action taken.
:mozilla.89:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Com : No action taken.
:mozilla.55:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.83:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Euroclick : No action taken.
:mozilla.84:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Euroclick : No action taken.
:mozilla.85:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Euroclick : No action taken.
:mozilla.86:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Euroclick : No action taken.
:mozilla.87:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.81:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Falkag : No action taken.
:mozilla.101:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Fastclick : No action taken.
:mozilla.106:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Fastclick : No action taken.
:mozilla.108:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Fastclick : No action taken.
:mozilla.109:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Fastclick : No action taken.
:mozilla.110:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.239:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Hitbox : No action taken.
:mozilla.241:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Hitbox : No action taken.
:mozilla.242:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Hitbox : No action taken.
:mozilla.243:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Hitbox : No action taken.
:mozilla.294:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@ehg-nokiafin.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@counter.hitslink[2].txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.264:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Hotlog : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.79:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Mediaplex : No action taken.
:mozilla.80:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.184:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Pointroll : No action taken.
:mozilla.185:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Pointroll : No action taken.
:mozilla.186:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Pointroll : No action taken.
:mozilla.187:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Pointroll : No action taken.
:mozilla.118:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Questionmarket : No action taken.
:mozilla.119:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.290:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Serving-sys : No action taken.
:mozilla.291:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Serving-sys : No action taken.
:mozilla.292:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Serving-sys : No action taken.
:mozilla.293:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.304:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Sitestat : No action taken.
:mozilla.263:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Spylog : No action taken.
:mozilla.129:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Statcounter : No action taken.
:mozilla.274:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Tacoda : No action taken.
:mozilla.275:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Tacoda : No action taken.
:mozilla.276:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Tacoda : No action taken.
:mozilla.47:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.227:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.100:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.102:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.103:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.104:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.105:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.107:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.111:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valuead : No action taken.
:mozilla.68:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Valueclick : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@valueclick[1].txt -> TrackingCookie.Valueclick : No action taken.
:mozilla.35:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.36:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.37:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.38:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.39:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.40:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.41:C:\FOUND.000\FILE0012.CHK -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Sika\Cookies\sika@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 20:31:20, on 16/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sika\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C24AF5-5AA7-4BF9-BCA1-B34B15BE2937}: NameServer = 83.146.21.5 212.158.248.6
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

Installing AVG now.

#18 jurgenv

jurgenv

    Advanced Member

  • Volunteer Security Advisor
  • 2462 posts

Posted 16 August 2006 - 09:12 PM

Are you sure you quarantined everything with ewido? Because the log says 'No action taken'.
Greets Jurgenv.
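The point above is that every line in the ewido report ends with an action field, and 'No action taken' means the hit was only reported, not quarantined. As an added example (not code from the thread or from ewido), here is a small parser for that line format, `location -> Detection.Name : Action.`, that tallies the action field and lists the untreated hits; the sample input is constructed in the same format, and the quarantine wording is an assumption.

```python
"""Parse ewido-style report lines and flag hits whose action is 'No action taken'.

Added example, not code from the thread or from ewido. The line format is
inferred from the report posted above: <location> -> <detection> : <action>.
"""
import re
from collections import Counter

# One hit per line: location, " -> ", detection name, " : ", action, ".".
# Firefox cookie-jar hits carry a ":mozilla.<n>:" prefix before the path.
LINE_RE = re.compile(r"^(?P<location>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")
COOKIE_RE = re.compile(r"^:mozilla\.(?P<index>\d+):(?P<path>.+)$")


def parse_line(line):
    """Return a dict for one hit line, or None for any other line (e.g. '::Report end')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    c = COOKIE_RE.match(entry["location"])
    entry["cookie_index"] = int(c.group("index")) if c else None
    entry["path"] = c.group("path") if c else entry["location"]
    return entry


def summarize(report_text):
    """Count hits per action and collect the ones that were left untreated."""
    entries = [e for e in map(parse_line, report_text.splitlines()) if e]
    actions = Counter(e["action"] for e in entries)
    untreated = [e for e in entries if e["action"].lower() == "no action taken"]
    return {"total": len(entries), "actions": actions, "untreated": untreated}


# Constructed sample in the report's format (not the real log); the
# "Cleaned with backup (quarantined)" wording is an assumed quarantine action.
SAMPLE = """\
:mozilla.61:C:\\FOUND.000\\FILE0012.CHK -> TrackingCookie.Atdmt : No action taken.
C:\\Documents and Settings\\Sika\\Cookies\\sika@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\\constructed\\sample.exe -> Sample.Detection : No action taken.
::Report end
"""

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['total']} hits, {len(s['untreated'])} untreated")
    for e in s["untreated"]:
        print("  untreated:", e["detection"], "at", e["path"])
```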

#19 Posman

Posman

    Member

  • Members
  • 16 posts

Posted 16 August 2006 - 10:47 PM

Yeah, I clicked quarantine and then saved the log.

#20 jurgenv

jurgenv

    Advanced Member

  • Volunteer Security Advisor
  • 2462 posts

Posted 16 August 2006 - 10:48 PM

OK, can I see a new HijackThis log?
Greets Jurgenv.



