30 replies to this topic

[tuckerhank]

Here is my logfile. Thanks a lot for the help. Also, I have one quick side question. I keep all of my money stuff in a spreadsheet. Well, excel freezes every time I open that particular file. It's actually every file, that's really just the only one I use. So I removed office and reinstalled it. Now it's telling me that I cannot install the app b/c I am not an administrator. I am the only one on this damn PC and I know I have the admin rights with my name. Is there any way you guys could help me get excel (and word for that matter) back running again. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:57 PM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskdir.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskdir~.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 213.159.117.133
O16 - DPF: {10EC6CEC-5A1D-4E4E-AB85-8CC516F2A687} (AICPAViewer.clsViewer) - http://www.cpa-exam.org/AICPATutorial/inst...AICPAViewer.cab
O16 - DPF: {3EEFCD4B-E9FD-4601-BE5D-C5C1776E51D3} (AICPASSV.Spreadsheet) - http://www.cpa-exam....tall/SSItem.cab
O16 - DPF: {4DCCD2FC-132F-45EC-BFDA-72235B85047C} (AICPAAuthLit.AuthLitItem) - http://www.cpa-exam....ll/SimItems.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149204239515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} (AICPAUI.ucHyperlink) - http://www.cpa-exam....all/General.cab
O16 - DPF: {96F2228B-0D43-48AC-B857-29972C87EBA4} (AICPACR.ConstructedResponse) - http://www.cpa-exam....tall/CRItem.cab
O16 - DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} (AICPA treeView control) - http://www.cpa-exam.org/AICPATutorial/inst...CPAViewerIL.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vturq - vturq.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

[AndyManchesta]

Hi tuckerhank, Welcome to the forum

I'm not sure exactly whats going wrong with excel but I can tell you that your system is compromised, there is signs of rootkit infections in your log and different Trojan infections so this may take afew steps to help you get the machine clean, You will need administrative rights to run some of these tools so we will have to deal with problems as they occur, I would counsel you to disconnect this PC from the Internet as much as possible while we are cleaning up your machine. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this link for more information

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

You may want to print out these instructions for reference or copy and paste the contents into notepad and save them to your desktop, since you will have to restart your computer afew times during the fixes and some of the steps require you to be in safe mode.

Please download FixWareout from one of these sites:

FixWareout Link 1
FixWareout Link 2

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads it will open the cleaning results in a text file (report.txt), please post the report.txt back on here in your next reply.


Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
  
• Put a check next to Run VundoFix as a task.
  
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  
• When VundoFix re-opens, click the Scan for Vundo button.
  
• Once it's done scanning, click the Remove Vundo button.
  
• You will receive a prompt asking if you want to remove the files, click YES
  
• Once you click yes, your desktop will go blank as it starts removing Vundo.
  
• When completed, it will prompt that it will shutdown your computer, click OK.
  
• Turn your computer back on.
  
• Please post the contents of C:\vundofix.txt into your next reply.

Next download the Trojan Abwiz removal tool from Here, save it to your desktop but do not run it yet as we will be using it abit later in safemode.

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  
• Instead of Windows loading as normal, a menu should appear
  
• Select the first option, to run Windows in Safe Mode.

Once in safe mode double click the Symantec Abwiz removal tool (FixAbwiz.exe) and follow the prompts.

When the tool has finished running, you will see a message indicating whether the threat has infected the computer. Please save that and post it back onto the forum.

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O20 - Winlogon Notify: vturq - vturq.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Suspicious

O15 - Trusted IP range: 213.159.117.133

This IP Range resolves to Saint-Petersburg in Russia so it could be on your system for malicious reasons, if you do not know why this is a Trusted IP range on your PC it should be fixed using Hijack This

Next delete these files:

C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\system32\taskdir.dll
C:\WINDOWS\system32\susp.exe

Reboot back to Normal Mode

Please post the VundoFix.txt, Wareouts results (report.txt), Symantecs Fix Tool results if it generates one and a new Hijack This log, there will be more work to do but please let us know if you have any problems when proceeding with the above steps

Regards

Andy

[tuckerhank]

Hi Andy. Thanks a lot for the quick response. I have a quick question and I want to clarify one thing. I only check my account balances online, I don't pay any bills or anything online. Also, I won't be able to change my password on one of my accounts because they do a three step security check.

My question is: Do you see something that would imply someone is trying to committ identity theft ? and comparatively speaking, does my system look really bad.

I'll spend some time today going through your steps. Thanks again

Jon

[tuckerhank]

Here is my fixwareout and new hijackthis logs

fixwareout:

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:23 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskdir.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 213.159.117.133
O16 - DPF: {10EC6CEC-5A1D-4E4E-AB85-8CC516F2A687} (AICPAViewer.clsViewer) - http://www.cpa-exam.org/AICPATutorial/inst...AICPAViewer.cab
O16 - DPF: {3EEFCD4B-E9FD-4601-BE5D-C5C1776E51D3} (AICPASSV.Spreadsheet) - http://www.cpa-exam....tall/SSItem.cab
O16 - DPF: {4DCCD2FC-132F-45EC-BFDA-72235B85047C} (AICPAAuthLit.AuthLitItem) - http://www.cpa-exam....ll/SimItems.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149204239515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} (AICPAUI.ucHyperlink) - http://www.cpa-exam....all/General.cab
O16 - DPF: {96F2228B-0D43-48AC-B857-29972C87EBA4} (AICPACR.ConstructedResponse) - http://www.cpa-exam....tall/CRItem.cab
O16 - DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} (AICPA treeView control) - http://www.cpa-exam.org/AICPATutorial/inst...CPAViewerIL.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vturq - vturq.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe


Thanks,
Jon


Hey Andy,

Sorry I keep replying, but I'm doing these in steps, obviously, and am not seeing to post the results until after the fact. Anyway, the Vundofix reported nothing infected on my pc, "so it will now close" and didn't give me a status report.

Jon

[AndyManchesta]

Hi Jon

My first impression of your log is there's abit more going on that what Hijack This is seeing but I cannot see any info stealing trojans, there is a rookit file running (taskdir) and unless you added the trusted IP range that looks suspicious, the Taskdir.exe file has rootkit features so there would likely by a taskdir.dll file on the system as well which is hidden from view. (1, 2 ).

Having the O1 localhost 127.0.0.1 entry appear in the log can sometimes indicate the Wareout Trojan is on the system which changes DNS settings to send IE requests through an IP Address in Russia but the Wareout report looks clean which is good to see,

The Notify Key vturq - vturq.dll (file missing) looks like a Trojan Vundo leftover so again its good to see its not on the system now

[Transponder] C:\WINDOWS\system32\susp.exe

This was originally a file from Direct Revenue (abetterinternet) but has more recently been used by a variant of the Smitfraud trojans which drops the file and then displays an alert about the system being infected with susp.exe and they need to use SpywareSheriff, we can use SmitFraudFix to check this.

O15 - Trusted IP range: 213.159.117.133

Was the above Trusted IP range added by you or is it related to your ISP and did you make the fixes in Hijack This and remove the files before posting the new log ?


Can you run these two programs and post back the logs :


Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks

[tuckerhank]

Hi again

Here is the fixabwiz report:

Symantec Trojan.Abwiz.F Removal Tool 1.0.0

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP37\A0007717.dll: (deleted)
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP38\A0007804.dll: (deleted)
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP39\A0007811.dll: (deleted)
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP40\A0007816.dll: (deleted)
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP41\A0007821.dll: (deleted)
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP42\A0007828.dll: (deleted)
C:\WINDOWS\system32\zlbw.dll: (deleted)
C:\WINDOWS\system32\taskdir~.exe: (deleted)

registry: HKEY_USERS\S-1-5-21-2061493972-25813730-1581800659-1007\Software\Microsoft\Windows\CurrentVersion\Run: taskdir (value deleted)

Trojan.Abwiz.F has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 56403
The number of deleted threat files: 8
The number of threat processes terminated: 0
The number of registry entries fixed: 1


Here is a even newer hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:25:10 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 213.159.117.133
O16 - DPF: {10EC6CEC-5A1D-4E4E-AB85-8CC516F2A687} (AICPAViewer.clsViewer) - http://www.cpa-exam.org/AICPATutorial/inst...AICPAViewer.cab
O16 - DPF: {3EEFCD4B-E9FD-4601-BE5D-C5C1776E51D3} (AICPASSV.Spreadsheet) - http://www.cpa-exam....tall/SSItem.cab
O16 - DPF: {4DCCD2FC-132F-45EC-BFDA-72235B85047C} (AICPAAuthLit.AuthLitItem) - http://www.cpa-exam....ll/SimItems.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149204239515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} (AICPAUI.ucHyperlink) - http://www.cpa-exam....all/General.cab
O16 - DPF: {96F2228B-0D43-48AC-B857-29972C87EBA4} (AICPACR.ConstructedResponse) - http://www.cpa-exam....tall/CRItem.cab
O16 - DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} (AICPA treeView control) - http://www.cpa-exam.org/AICPATutorial/inst...CPAViewerIL.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

and I just have a couple comments, so you are fully informed:

O1 - Hosts: localhost 127.0.0.1
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

I did not find these during my hijackthis scan while in safe mode.

Also, I only found the taskdir.exe file (I think). I couldn't find any other taskdir files or the susp.exe file in the system 32 folder.

Thanks much for your help,
Jon

[AndyManchesta]

Hi John , You latest log looks fine assuming you recognise the Trusted IP line, can you run Blacklight and SmitfraudFix to make sure they also show clean. do you have a AntiVirus program installed ?

[tuckerhank]

Hey Andy,

Blacklight did not find anything, so there wasn't a log. Here is the smitfraud log:

SmitFraudFix v2.53

Scan done at 14:47:02.54, Sun 06/04/2006
Run from C:\Documents and Settings\Jon\Desktop\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\timessquare1.dat FOUND !
C:\WINDOWS\warnhp.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\shellgui32.dll FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jon\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jon\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://images.ofoto.com/photos774/1/85/14/29/98/9/998291485105_0_ALB.jpg"
"SubscribedURL"="http://images.ofoto.com/photos774/1/85/14/29/98/9/998291485105_0_ALB.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Also, I have no idea what teh trusted IP range thing is. Is it not off yet? I checked the box in hijackthis when you told me to the first time with the taskdir, etc.

I do not have any antivirus software. I was hoping you could give me some suggestions as to how I can keep this from happening again. I'm a little clueless, if you haven't been able to tell already.

Do you think I need to keep all of the stuff I downloaded on my computer? If not, do I just remove them in the add/remove programs?

Jon

[AndyManchesta]

Hey Jon

You can remove FixWareout, VundoFix, Abwiz removal tool & Blacklight but keep SmitFraudFix.

For AV protection, I use CA etrust Antivirus on mine and think its a great program, its mainly because its free to MS users for 1 year but its also user friendly and stops alot of junk. There is also AVG, Avast, and AntiVir that are free and provide excellent protection.

For the Trusted IP Range, it is clear that the IP is Russian and I did noticed a report on the net that shows this below, so it should be removed:

alert tcp 213.159.117.133 any $HOME_NET any (msg:"iexplore.chm/x.chm/x.h**/Linkey.ru Ltd[Hijacker]"; classtype:trojan-activity; priority:1;)
alert tcp 213.159.117.134 any $HOME_NET any (msg:"213.159.117.134/inde**.php[hijacker]"; classtype:trojan-activity; priority:1;)
alert tcp 213.159.117.147 any $HOME_NET any (msg:"GreatSearch.bizSpy]"; classtype:trojan-activity; priority:1;)
alert tcp 213.159.117.148 any $HOME_NET any (msg:"cashsearch.biz[CWS]"; classtype:trojan-activity; priority:1;)
alert tcp 213.159.117.150 any $HOME_NET any (msg:"213.159.117.150/conne**.cgi[Hijacker]"; classtype:trojan-activity; priority:1;)

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Update Ewido

• From the main Ewido screen, click on update in the left menu, then click the Start update button.
  
• After the update finishes, the status bar at the bottom will display "Update successful"
  
• Exit Ewido. DO NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, a menu with options should appear;
  
• Select the first option, to run Windows in Safe Mode, then press "Enter".
  
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)

• Click on Scanner
  
• Click on Complete System Scan and the scan will begin.
  
• If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  
• When the scan is finished, click the Save report button at the bottom of the screen.
  
• Save the report to your desktop
  
• Close Ewido

Run Hijack This and choose Do A System Scan then place a check next to these entries

O15 - Trusted IP range: 213.159.117.133

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

Thanks

Andy

[tuckerhank]

Sorry for the hiatus.

Here is the 2nd smitfraud report:

SmitFraudFix v2.53

Scan done at 15:36:31.03, Sun 06/04/2006
Run from C:\Documents and Settings\Jon\Desktop\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\secure32.html Deleted
C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\timessquare1.dat Deleted
C:\WINDOWS\warnhp.html Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\shellgui32.dll Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

I'm having a problem getting Ewido to open up in safe mode. the program looks like its running (the program is indented in the task bar), but nothing is showing up on the screen. I don't really understand why its doing this. So I haven't done any steps after that yet. Have any idea what the problem might be?

Jon

[AndyManchesta]

Hi Jon

Install one of the AntiVirus programs and run a full scan, run Ewido in Normal Mode if you having problems with it in Safe Mode

[tuckerhank]

Hi Andy,

Sorry for the delay. I guess the five hour difference doesn't really help. Anyway, I ran the ewido in normal mode and then went into safe mode to delete the ??? ip range. I forgot to mention something: My ISP has (including today) barred me from accessing any webpage and when I call they say that I have a virus on my computer that is sending out thousands of spam e-mail daily. Maybe that is the ip address. I don't know, but I would love to correct that as soon as i can.

Here is the ewido and newest hijack this report:

ewido

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:31:20 PM, 6/5/2006
+ Report-Checksum: 17717263

+ Scan result:

C:\Documents and Settings\Jon\Cookies\jon@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP36\A0007686.exe -> Adware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP36\A0007687.exe -> Adware.Adstart : Cleaned with backup


::Report End

hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:46:58 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 213.159.117.133
O16 - DPF: {10EC6CEC-5A1D-4E4E-AB85-8CC516F2A687} (AICPAViewer.clsViewer) - http://www.cpa-exam.org/AICPATutorial/inst...AICPAViewer.cab
O16 - DPF: {3EEFCD4B-E9FD-4601-BE5D-C5C1776E51D3} (AICPASSV.Spreadsheet) - http://www.cpa-exam....tall/SSItem.cab
O16 - DPF: {4DCCD2FC-132F-45EC-BFDA-72235B85047C} (AICPAAuthLit.AuthLitItem) - http://www.cpa-exam....ll/SimItems.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149204239515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} (AICPAUI.ucHyperlink) - http://www.cpa-exam....all/General.cab
O16 - DPF: {96F2228B-0D43-48AC-B857-29972C87EBA4} (AICPACR.ConstructedResponse) - http://www.cpa-exam....tall/CRItem.cab
O16 - DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} (AICPA treeView control) - http://www.cpa-exam.org/AICPATutorial/inst...CPAViewerIL.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

AGGGGHHH! it still seems to be there - i promise i checked it and fixed it in safe mode. what do i do?

Thanks for your help andy,

Jon

[AndyManchesta]

Hi Jon

EDIT: these instructions need an active Internet Connection so if you cannot complete them we can check some more using the tools you have already got installed

I believe the Abwiz infection could of been sending spam emails out from your system but that should now be removed using the Symantec Tool. Ive seen these spambot trojans running and it is amazing how many emails are being passed through the machine hidden from view. You can check if its still happening by installing What Is Transferring. Save it to your desktop then extract and run the program.

Close All open Browser windows and Messenger Programs then press the Yellow Play Icon to start monitoring traffic, If you are getting hundreds of packets sent and received every minute when you have all browser windows closed its likely there is still an infection running. If you do get a large amount of packets then you can press Packet View on the top bar then change it to Text so you can view the contents of the emails and use the Black disk icon to save packets if needed. We can run Kaspersky and another Rootkit scan if any malware is still on your pc.


Regarding the Trusted Range , can you try this:

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad.

regedit /e HKLM.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
regedit /e HKCU.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
copy HKLM.txt + HKCU.txt = result.txt
del /q HKLM.txt
del /q HKCU.txt
echo.>>report.txt
echo ZoneMap Ranges Export: >>report.txt 
echo.>>report.txt
find /v "dword:00000004" < result.txt >>report1.txt
find /v "Windows Registry Editor Version 5.00" < report1.txt >>report.txt
del /q result.txt
del /q report1.txt
notepad report.txt
del /q report.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will export the information from the Registry and open the results in Notepad,

I do not need to see all of this export but can you check through it for the Keyname that has the 213.159.117.133 IP Address in. Ive removed all the dword:00000004 values from the results as that is the Restricted Sites Zone so this 213.159.117.133 should be easy to spot as it will have a dword value of 00000002 showing:

It should look like this :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\RangeNumber]
"*"=dword:00000002
":Range"="213.159.117.133"

If you can post back how it looks on yours we should be able to remove it or make the IP restricted using a regfix.

Finally run Kaspersky WebScanner

• Please go HERE and click Kaspersky Online Scanner
  
• Read and Accept the Agreement
  
• You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  
• If you see a Windows dialog asking if you want to install this software, click the Install button.
  
• The program will launch and then begin downloading the latest definition files,
  
• When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  
• Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  
• Under "Please select a target to scan:", click My Computer to start the scan.
  
• When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Please post that text file back and let us know if you have any problems with the export file or What is Transferring.

Andy

[tuckerhank]

Hi Andy,

Here's the results:

what is transferring "sniffed" for a couple of minutes and found that there were only 50 packets. Is that o.k.? When I changed the view to text, they looked odd (not much content).

Here is the results from the check.bat:

ZoneMap Ranges Export:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000002


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000002
":Range"="213.159.117.133"

And here are the results from the Kaspersky. Does this mean that my computer is still pretty messed up?

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, June 06, 2006 3:47:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 6/06/2006
Kaspersky Anti-Virus database records: 198801
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55970
Number of viruses found: 41
Number of infected objects: 118
Number of suspicious objects: 2
Duration of the scan process: 00:38:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip/gamka32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-b63bbf8-76ebe7df.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.z skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-b63bbf8-76ebe7df.zip/VB.class Infected: Trojan.Java.ClassLoader.ak skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-b63bbf8-76ebe7df.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-b63bbf8-76ebe7df.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a635467-2bd05140.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a635467-2bd05140.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a635467-2bd05140.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a635467-2bd05140.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a635467-2bd05140.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-aa697fe-62ac6f93.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-aa697fe-62ac6f93.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-aa697fe-62ac6f93.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-aa697fe-62ac6f93.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-aa697fe-62ac6f93.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-144c78f3-24bdfc8a.zip/Counter.class Infected: Trojan.Java.ClassLoader.ab skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-144c78f3-24bdfc8a.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-144c78f3-24bdfc8a.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenConnection.x skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-144c78f3-24bdfc8a.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c2b9e19-7c4302b6.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c2b9e19-7c4302b6.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c2b9e19-7c4302b6.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c2b9e19-7c4302b6.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-6f5e5a95.zip/Beyond.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-6f5e5a95.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-6f5e5a95.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-6f5e5a95.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-23d57342.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-23d57342.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-23d57342.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv102.jar-77cd9c55-2d40a60f.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv102.jar-77cd9c55-2d40a60f.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv102.jar-77cd9c55-2d40a60f.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv102.jar-77cd9c55-2d40a60f.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv416.jar-13d7143f-7a0cdefe.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv416.jar-13d7143f-7a0cdefe.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv416.jar-13d7143f-7a0cdefe.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv416.jar-13d7143f-7a0cdefe.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188f-4d73064f.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188f-4d73064f.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188f-4d73064f.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188f-4d73064f.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-241c8498-4544b21f.zip/NudeBox.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-241c8498-4544b21f.zip/Worker.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-241c8498-4544b21f.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-241c8498-4544b21f.zip/javautil.zip Infected: Trojan-Downloader.Win32.Small.cco skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-241c8498-4544b21f.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup_ro.jar-45c6f3d0-3af01b56.zip/Bubble.class Infected: Trojan.Java.ClassLoader.Dummy.e skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup_ro.jar-45c6f3d0-3af01b56.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup_ro.jar-45c6f3d0-3af01b56.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.c skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup_ro.jar-45c6f3d0-3af01b56.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.h skipped
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup_ro.jar-45c6f3d0-3af01b56.zip ZIP: infected - 4 skipped
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.wj skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001615.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP35\A0007449.exe Infected: not-a-virus:AdWare.Win32.Spydel skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP37\A0007784.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000083.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000083.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000083.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000185.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000193.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000193.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000198.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000198.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000203.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000203.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000217.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000217.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000217.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000217.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000217.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000217.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000218.exe/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000218.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000218.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000218.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000218.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000264.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000274.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000274.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000274.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000283.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000283.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000283.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000283.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000283.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000290.dll Infected: not-a-virus:AdWare.Win32.HotSearchBar.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8\A0000356.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0007 Infected: Trojan-Clicker.Win32.VB.ex skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0008/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0008/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0009/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0009/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0009/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0009/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0009/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0009 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0010/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0010 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0011/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.p skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0011/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0011/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0011/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream/data0011 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\Downloaded Program Files\package8033_VENTURAMK2.exe NSIS: infected - 24 skipped
C:\WINDOWS\SYSTEM32\jtgls.dll Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\WINDOWS\Temp\u3.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\WINDOWS\woinstall.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped
C:\WINDOWS\woinstall.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\_h.html Infected: not-a-virus:AdWare.Win32.Bekser.a skipped
C:\WINDOWS\_s.html Infected: not-a-virus:AdWare.Win32.Bekser.a skipped

Scan process completed.

[AndyManchesta]

Hi Jon

For What Is Transferring (WIT) that sounds fine, if there was a spam trojan active there would be thousands sent and received within a few minutes, If they are emails being sent they are easy to read. If its just common network traffic then alot will look scrambled and its the same if you download files but if there's alot of unexplained traffic you can usually look for breaks in the results where http or similar requests are made and see what sites are being contacted and which files are installing if applicable .

For the Trusted Zone , lets add that Russian IP Range to the Restricted Zone


Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad making REGEDIT4 the top line.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000004
":Range"="213.159.117.133"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=-

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Fix.reg then save it to your desktop

Double click Fix.reg (or right click and choose Merge and it will ask if you want to merge it into the registry, choose Yes and the specified reg entry will be removed.

Run Hijack This to make sure it has been removed from the Trusted Zone.


Next can you post back the contents of your Policy keys :

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad.

regedit /e HKLM.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
regedit /e HKCU.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
copy HKLM.txt + HKCU.txt = result.txt
del /q HKLM.txt
del /q HKCU.txt
notepad result.txt
del /q result.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it PolicyCheck.bat then save it to your desktop

Double click PolicyCheck.bat and it will export the information from the registry and open the results in Notepad, can you post that back into your next reply.


Next you will need to set Windows to show hidden files and folders to locate the below files:

Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the Hide extentions for known file types option.
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have removed the files by opening the same page and pressing the Restore Defaults button the click Apply and OK.

Then delete these files:

C:\Program Files\Windows Media Player\wmplayer.exe.tmp <----make sure not to delete wmplayer.exe as that is the genuine Microsoft Media Player file. only delete the file if it is named wmplayer.exe.tmp

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip
C:\WINDOWS\SYSTEM32\jtgls.dll
C:\WINDOWS\woinstall.exe
C:\WINDOWS\_h.html
C:\WINDOWS\_s.html

Goto Start Menu > Control Panel > Java :

When Java opens goto the Temporary Internet Files area and press Delete Files

Place a check in all three checkboxes (Downloaded Applets, Downloaded Applications & Other Files) then click OK and OK again to close the Java screen.


Next goto Start Menu > Run > type

cmd

Press OK then when the cmd screen opens type (or copy and paste) these lines pressing Enter after each:

cd %systemroot%\Downlo~1

Press Enter

del package8033_VENTURAMK2.exe

Press Enter

exit

Press Enter


To clear all the infected System Restore points Click :

Start Menu > All Programs->Accessories->System Tools->System Restore

Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'

Next goto Start Menu > Run > type

cleanmgr

click OK, when Disk Cleanup opens goto the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created.

Please then download Ccleaner if you do not already have it from Here.

Run Ccleaner, If you wish to keep your cookies saved please uncheck the cookies cleaning option on the menu to the left then press the Run Cleaner button. When its finished removing Temp files you can exit Ccleaner.


Can you then reboot the PC and post a new Hijack This log along with the Policy Key export results.

Cheers

Andy

[tuckerhank]

Hey Andy,

Where is Java under the control panel? All I see is appearance and themes, printers and other hardware, network and internet connections, user accounts, add or remove programs, date, time, language, and regional options, sounds, speech, and audio devices, accessibility options, performance and maintenance, and security center.

Sorry,
Jon

[AndyManchesta]

Hi Jon

if you goto Start Menu > Control Panel > Add/Remove Programs does it have J2SE Runtime Environment listed ? if it does what version is it ?

If not then locate this folder

C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar

And remove any files inside.

[tuckerhank]

java 2 runtime environment, se v 1.4.2

[AndyManchesta]

Please uninstall that version as it is vulnerable to some infections, reboot the pc and download the latest version from Here.

[tuckerhank]

Hey Andy,

Let me say thanks again very much. You have been more help than I ever could have hoped for.

ok here we go.

I downloaded the new java app, went back into there and deleted the temp files (button under control panel)

I didn't have to press enter after pasting "exit" into the cmd line, it just exited on its own. Is that ok?
(for the ventura...)

I think I left every box checked when I ran the ccleaner program. Hope that's ok. I don't really even know what cookies are but I always delete them from internet properties - so I continued here.

I think all you wanted was the policy key results and a new hijackthis log. So...

Policy key results

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

New hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:01:42 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10EC6CEC-5A1D-4E4E-AB85-8CC516F2A687} (AICPAViewer.clsViewer) - http://www.cpa-exam.org/AICPATutorial/inst...AICPAViewer.cab
O16 - DPF: {3EEFCD4B-E9FD-4601-BE5D-C5C1776E51D3} (AICPASSV.Spreadsheet) - http://www.cpa-exam....tall/SSItem.cab
O16 - DPF: {4DCCD2FC-132F-45EC-BFDA-72235B85047C} (AICPAAuthLit.AuthLitItem) - http://www.cpa-exam....ll/SimItems.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149204239515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} (AICPAUI.ucHyperlink) - http://www.cpa-exam....all/General.cab
O16 - DPF: {96F2228B-0D43-48AC-B857-29972C87EBA4} (AICPACR.ConstructedResponse) - http://www.cpa-exam....tall/CRItem.cab
O16 - DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} (AICPA treeView control) - http://www.cpa-exam.org/AICPATutorial/inst...CPAViewerIL.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Thanks Andy,
Jon