my logs



#1   Roger

    Newbie

  • Members
  • 4 posts

Posted 20 August 2006 - 02:16 PM

from: rkhanso

hijack this:
----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:13:51 AM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\roger\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makarios.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.155.207.61
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Program Files\X-Lite\X-Lite.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122994595125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122994633453
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...800/mcfscan.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{71D1CE98-96EA-4AAA-93A6-415A0846E6B4}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DisplayNetController - Unknown owner - c:\windows\system32\dllcache\winupdate\crss.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)




Bit Defender
------------------

BitDefender Online Scanner - Real Time Virus Report

Generated at: Sun, Aug 20, 2006 - 05:05:42

Scan Info
  Scanned Files:   1052175
  Infected Files:  8

Virus Detected
  Generic.Malware.dld!!.B0CCAAF1   1
  Win32.Bagle.BM@mm                1
  Trojan.Firedaemon.C              2
  Win32.MyPics.A@mm                1
  Backdoor.Iroffer.1               2
  Trojan.Runas.H


ewido:
--------------
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:11:27 AM 8/20/2006

+ Scan result:



:mozilla.17:C:\Documents and Settings\roger\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\cookies.txt -> TrackingCookie.Trafic : No action taken.


::Report end

#2   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 20 August 2006 - 04:33 PM

Open HijackThis and choose to do a system scan only. Check off the following entry and then press "Fix checked".

O23 - Service: DisplayNetController - Unknown owner - c:\windows\system32\dllcache\winupdate\crss.exe (file missing)

Now reboot. Once your computer is back up and running:

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
I also want the log from SUPERAntiSpyware, which you ran earlier. To get it, open SUPERAntiSpyware and click "Preferences" -> "Statistics/Logs". Mark the log from the date you used it. Click "View log", and copy the content of this log into your next reply.

In your next reply I want the Kaspersky and SUPERAntiSpyware logs, and a new HijackThis log as well. Before you make the new HijackThis log, open up Notepad, go to Format and make sure Word Wrap is not checked (it makes the log cleaner to read).

#3   Roger

    Newbie

  • Members
  • 4 posts

Posted 20 August 2006 - 11:40 PM

Kaspersky:
--------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 20, 2006 6:33:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/08/2006
Kaspersky Anti-Virus database records: 216615
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 142174
Number of viruses found: 8
Number of infected objects: 22 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:20:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\roger\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\cert8.db Object is locked skipped
C:\Documents and Settings\roger\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\roger\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\history.dat Object is locked skipped
C:\Documents and Settings\roger\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\key3.db Object is locked skipped
C:\Documents and Settings\roger\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\parent.lock Object is locked skipped
C:\Documents and Settings\roger\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC\WinVNC\omnithread_rt.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC\WinVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540 skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC\WinVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC.zip/WinVNC/omnithread_rt.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC.zip/WinVNC/VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540 skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC.zip/WinVNC/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\roger\Desktop\Palm software\PalmVNC-WinVNC.zip ZIP: infected - 3 skipped
C:\Documents and Settings\roger\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\roger\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\roger\Local Settings\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\roger\Local Settings\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\roger\Local Settings\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\roger\Local Settings\Application Data\Mozilla\Firefox\Profiles\3t0qidz6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\roger\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\roger\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\roger\ntuser.dat.LOG Object is locked skipped
C:\Program Files\a-squared Free\Quarantine\8a950c216efe97c6a532808f250fce54.a2q/Program Files/RealVNC/VNC4/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\a-squared Free\Quarantine\8a950c216efe97c6a532808f250fce54.a2q ZIP: infected - 1 skipped
C:\Program Files\a-squared Free\Quarantine\9226ebd94e6ceed0510541faa3938b72.a2q/Program Files/RealVNC/VNC4/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\a-squared Free\Quarantine\9226ebd94e6ceed0510541faa3938b72.a2q ZIP: infected - 1 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\No-IP\Service.log Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\SolarWinds\2003 Standard Edition\TFTP-Server.exe Infected: not-a-virus:Server-FTP.Win32.PremierServer.Tftp.503 skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall 4\logs\web.log.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP599\A0089419.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP599\A0089420.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP599\A0091418.exe Infected: Packed.Win32.PePatch.ah skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP609\A0095186.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP609\A0095186.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP609\A0095186.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{4FDF611D-D33A-456D-9BDD-E76BC7517ADB}\RP611\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\winupdate\SERV-U.INI Infected: Trojan.BAT.Zapchast skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_734.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

---------------------------------------------------------------------------------

superantispyware:



SUPERAntiSpyware Scan Log
Generated 08/20/2006 at 07:06 AM

Core Rules Database Version : 3056
Trace Rules Database Version: 1103

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\roger\Cookies\roger@atwola[1].txt
C:\Documents and Settings\roger\Cookies\roger@toplist[1].txt
C:\Documents and Settings\Brenda\Cookies\brenda@atwola[2].txt
C:\Documents and Settings\Brenda\Cookies\brenda@revsci[1].txt
C:\Documents and Settings\Brenda\Cookies\brenda@reztrack[1].txt
C:\Documents and Settings\Brenda\Cookies\brenda@www.firsttracksonline[2].txt


---------------------------------------------------------


Hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 6:39:36 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\roger\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makarios.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.155.207.61
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Program Files\X-Lite\X-Lite.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122994595125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122994633453
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...800/mcfscan.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{71D1CE98-96EA-4AAA-93A6-415A0846E6B4}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Thanks.

#4   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 21 August 2006 - 01:03 AM

Awesome job. Thanks for the logs.

First, some of the files it found were in your System Restore points, so we need to clean those up.

To Flush the infected restore points:

Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

Also you need to run CCleaner and clean some stuff up. If you don't have it you can get it here:
http://www.ccleaner....adpage.aspx?f=2

Just open it up and choose run cleaner.

Also you need to find
C:\WINDOWS\system32\dllcache\winupdate\SERV-U.INI <- Delete this file

The easiest way to find this file would be to go to start>Run and then enter
%systemroot%\system32\dllcache\winupdate\ and press enter. Then delete the above file.
If there are more files besides the one I listed in that folder please upload them to virus total and delete them if they are found to be infected:
http://www.virustota.../en/indexf.html

After you remove that file, open HijackThis and choose to do a system scan only. Put a check mark next to the entries below and press "Fix checked".

O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: DisplayNetController - Unknown owner - c:\windows\system32\dllcache\winupdate\crss.exe (file missing)

It might also be a good idea to go ahead and update your Java (it's pretty out of date). Get the new version here:
http://www.java.com/...nload/index.jsp

#5   Roger

    Newbie

  • Members
  • 4 posts

Posted 21 August 2006 - 04:00 AM

OK, I did all the steps, except the last one....

O23 - Service: DisplayNetController - Unknown owner - c:\windows\system32\dllcache\winupdate\crss.exe (file missing) didn't show up on the HijackThis list, but I deleted the other 2 items.

Am I all set, then?

Suggestions on how to prevent future infections? I'd guess "don't install questionable software" and "don't open unknown email attachments".

But I thought I was pretty obedient to those general rules...

By the way - Thanks for the help.

#6   Roger

    Newbie

  • Members
  • 4 posts

Posted 21 August 2006 - 04:14 AM

One other thing - I still have SUPERAntispyware installed/running. Should I remove any of those programs you had me install? Or just use one of them in particular?

#7   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 21 August 2006 - 04:25 AM

Sorry about that entry. It was in the first log but not the second. I will often compare the two to see what's changed between them, and I must have cut it from the second one. It's a good thing it didn't show up. :D

As far as not getting infected in the future I would recommend this link to you:
http://www.castlecop...tlite7736-.html (great guide by tonyklien)

If you follow all the things recommended there you should be spyware free for good. :D


Edit: Just saw your next post.
You should keep all of those programs and scan with them periodically. Some scan every week, and some scan once a month. It's all your choice, but what you should make sure is that you don't have too much running at one time.

To disable SUPERAntiSpyware from starting up with your computer, open it up, go to Preferences and uncheck the "start up with Windows" box. You could also disable the "show in system tray" one as well.

I would only have your firewall and antivirus running full time as well as maybe one antispyware app. I don't like having a million security programs running at once because it can really slow you down.
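As an added example (not code from this thread or from the HijackThis project), the script below does by hand what the replies in this thread do by eye: it flags the kinds of HijackThis entries rridgely picked out for "Fix checked" in posts #2 and #4 (an O23 service whose binary is missing, an O2 BHO with no file, an O16 DPF entry with no download URL) and diffs two logs the way post #7 describes, to show what changed between scans. The two sample logs are constructed and abridged from the entries above, and the http://example.invalid URLs are placeholders.

```python
import re
from typing import List, Tuple

# Constructed, abridged HijackThis-style logs modelled on the entries this
# thread discusses. They are sample data, not the poster's full logs, and the
# http://example.invalid URLs are placeholders.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://example.invalid/wga.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: DisplayNetController - Unknown owner - c:\windows\system32\dllcache\winupdate\crss.exe (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://example.invalid/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://example.invalid/wga.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Every HijackThis finding starts with a section tag such as R1, O2, O16, O23.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def flag_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply the rules behind the 'Fix checked' picks in this thread.

    Returns (severity, section, line, reason). Severity is 'fix' for the
    dead-entry patterns the replies removed, or 'review' where HijackThis
    1.99.1 is known to mislabel a quoted service path as missing (the avast
    mail scanner in the posted log is running, yet shows "(file missing)").
    """
    flags = []
    for section, body in entries:
        line = f"{section} - {body}"
        if section == "O23" and body.endswith("(file missing)"):
            if '"' in body:
                flags.append(("review", section, line,
                              "quoted service path; HijackThis often reports "
                              "these as missing even when the binary is running"))
            else:
                flags.append(("fix", section, line,
                              "service registered for a binary that is not on disk"))
        elif section == "O2" and body.endswith("(no file)"):
            flags.append(("fix", section, line, "browser helper object whose DLL is gone"))
        elif section == "O16" and body.endswith("-"):
            flags.append(("fix", section, line, "ActiveX download entry with no source URL"))
    return flags


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Compare two logs the way the moderator did: what vanished, what appeared."""
    old = {f"{s} - {b}" for s, b in parse_hjt(before)}
    new = {f"{s} - {b}" for s, b in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for severity, _, line, reason in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"[{severity.upper():6}] {line}\n         {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nGone since the first log:")
    print("\n".join("  - " + r for r in removed) or "  (nothing)")
    print("Newly present:")
    print("\n".join("  + " + a for a in added) or "  (nothing)")
```

The "review" severity exists because "(file missing)" alone is not proof that a service is dead: in the posted logs both avast scanners carry that tag while their processes appear in the running-process list, so a flagged O23 line should be checked against that list before it is fixed.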