Help me - Here's my log

Question

imsuchawolf 0 Newbie Poster

18 Years Ago

I was dumb and clicked a link on an IM window in AIM, and got the facebook/myspace virus......I ran a trend virus scan and adware, and the virus is still sending everyone on my list a link. I tried to look all over the internet and this website before I posted, so as not to bother you. I can't find anything that makes sense to me......I need your help! Here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 4:05:55 AM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\dean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

windows-virus

4 Contributors
25 Replies
663 Views
2 Days Discussion Span
Latest Post 18 Years Ago Latest Post by 'Stein

tayspen 28 <Insert title here>

18 Years Ago

Hi, and welcome :)

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now Start killbox Copy the list of files below to the clipboard by selecting all of them with your mouse (Left click the start of the list and drag the mouse to the bottom of the list) and when they are all selected ( highlighted in blue) right click on any part of the blue area and say copy

In the Killbox, Go to the toolbar press file and select Paste from clipboard. The first file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then press the red X again and continue to press untill the last file on the list appears in the window & it says deleted.

File list:

C:\WINDOWS\SVCHOST.EXE

We will work from there.

Post a new log

zoned 1 Light Poster

18 Years Ago

Tayspen,

found this also from another site .....

There will be a file called dr.exe or drme.exe in the root of the drive where your operating system is loaded. Mine is on the C:\ Drive so it was located in root of C:\.

1. Delete C:\dr.exe or C:\drme.exe file.

2. Show all hidden files and folders in the Folder Options from the Tools menu in explorer.

3. Stop the SCVHOST.EXE service in Task Manager. NOTE: Do not confuse this with SVCHOST.EXE or it will cause your system to shutdown if you terminate the task.

4. Delete the file C:\Windows\scvhost.exe

5. Clear your temporary internet files from IE and all the offline content.

6. Delete the dr.exe from the C:\Windows\Prefetch (if it resides there)

regards
Zoned

'Stein commented: good catch 8) +1

'Stein 150 Lapsed Skeptic

18 Years Ago

All's good, except for number 6. Instead of finding that specific file inside Prefetch, ya can just clear the entire folder... Legit programs put themselves back inside tehre automatically, and sometimes spyware just sits around in there.

So, for number 6, clear out the entire prefetch folder, but leave the folder itself.

Thanks.

'Stein 150 Lapsed Skeptic

18 Years Ago

Alrite, sorry this is alittle delayed, but let's begin with a little safeguard.

Open Program Files, and create a new folder there, and name it 'HJT'. Then, drag the HJT icon into this newly-created folder, and run a new scan.

We'll work from this new log.

Thanks again.

tayspen 28 <Insert title here>

18 Years Ago

That file is still there :mad:. Run killbox again, paste this path into the box (same one where you did it last time).

C:\WINDOWS\SVCHOST.EXE

Then check "Delete on reboot", and then reboot.

Post a new log

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

imsuchawolf 0 Newbie Poster · Answer 1 · 2006-04-20T05:00:16+00:00

Hey, I followed your exact directions....and killbox came up with a window that said "FILE ACCESS File could not be deleted." Along with two warning from my antivirus AVG that said "VIRUS DETECTED While opening file: C:\windows\svchost.exe Trojan horse IRC/BackDoor.SdBot2.AKU" - I clicked heal, and it said it is necessary to reboot the computer, however, I have read before that this virus begins to do damage after a restart, so I don't want to act too quickly......and yes, when I copied the link into killbox, it did appear below in blue so the file does indeed exist......thanks

imsuchawolf 0 Newbie Poster · Answer 2 · 2006-04-20T05:10:01+00:00

as to the second reply - i couldnt find any SCVHOST, just SVCHOST, i'm not sure of anything you mean......
as to the THIRD reply, i found the prefetch folder and deleted everything in it. just to keep ya'll up to date.......i appreciate your time

imsuchawolf 0 Newbie Poster · Answer 3 · 2006-04-20T05:40:05+00:00

here's the new log

Logfile of HijackThis v1.99.1
Scan saved at 4:43:53 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - https://192.168.1.25/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107046215734
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://207.101.240.245/Remote/msrdp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O17 - HKLM\Software\..\Telephony: DomainName = IDeanYoungmanCPA.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

imsuchawolf 0 Newbie Poster · Answer 4 · 2006-04-20T06:19:12+00:00

okay im rebooting ill get back to you in a minute

imsuchawolf 0 Newbie Poster · Answer 5 · 2006-04-20T06:31:18+00:00

okay - did the reboot on delete - here it is

Logfile of HijackThis v1.99.1
Scan saved at 5:35:10 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - https://192.168.1.25/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107046215734
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://207.101.240.245/Remote/msrdp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O17 - HKLM\Software\..\Telephony: DomainName = IDeanYoungmanCPA.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

tayspen 28 <Insert title here> Team Colleague · Answer 6 · 2006-04-20T06:38:56+00:00

Good! it is gone :). Your log looks clean. Does everything seem to be fine?

imsuchawolf 0 Newbie Poster · Answer 7 · 2006-04-20T06:42:55+00:00

well I couldnt tell I had the virus until two times where I left AIM on for a long, long time and I came back to a hundred or so IMs, but that hasn't happened recently.....my anti-virus is warning me anymore, so that's a good sign......i'll re-post here if it should happen again
Thanks a lot! I don't know who you are or why you can sit here and help people like me, but I really appreciate it
Thanks again!

tayspen 28 <Insert title here> Team Colleague · Answer 8 · 2006-04-20T06:45:45+00:00

You are very welcome. I do it to fight the battle, The battle against malware.... And to help others :).

'Stein 150 Lapsed Skeptic Team Colleague · Answer 9 · 2006-04-20T06:47:17+00:00

EDIT: Haha forget it, you're clean enough lol

Alrite, let's fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Alrite, after doing this, reboot into safe mode. While in safe mode, delete the following file if it's there (I jus wanna double check it's not still there):

C:\WINDOWS\svchost.exe

After fixing these, download Ewido (link in my sig. below). Download it, update its definitions, and run a scan. Be sure to save the scan log.

Post back here with a new HJT log and the Ewido log.

Thanks.

imsuchawolf 0 Newbie Poster · Answer 10 · 2006-04-20T13:21:40+00:00

Wow I appreciate this - I ran ewido and it said it could not delete some of the files after the scan, and asked me if i wanted to remove the whole archive, i said yes to all of them, but a few stood out as picture29 - which is the link I clicked on for the virus....I don't know if this is a temporary internet residual anything, but I thought I'd let you know. I did delete the three things from the HijackThis that you pointed out.
This is my grandfather's computer and he hardly knows how to use the machine....he is stressing out when things go wrong I think it'd be great to clean it up for him - here's my ewido and hjt log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           1:21:48 AM, 4/20/2006
+ Report-Checksum:      2C7C58B1


+ Scan result:


C:\Documents and Settings\dean\Cookies\dean@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@allstarhealth.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@hswmedia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\dean\Cookies\dean@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\dean\Local Settings\Temporary Internet Files\Content.IE5\S9MZ0P2F\picture29[1].zip/picture29.scr -> Backdoor.SdBot.aad : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@2o7[2].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@ad.yieldmanager[1].txt[/email] -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@adopt.specificclick[2].txt[/email] -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@adtrak[2].txt[/email] -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@burstnet[2].txt[/email] -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@casalemedia[2].txt[/email] -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@com[2].txt[/email] -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@e-2dj6wfmiqlcjogo.stats.esomniture[2].txt[/email] -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@e-2dj6wjkyqmcpwdp.stats.esomniture[2].txt[/email] -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@e-2dj6wjkyujcjocp.stats.esomniture[2].txt[/email] -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@ivwbox[1].txt[/email] -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@rotator.adjuggler[1].txt[/email] -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@www.burstbeacon[2].txt[/email] -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Cookies\dean [email]youngman@www.myaffiliateprogram[1].txt[/email] -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Local Settings\Temp\Cookies\dean [email]youngman@www.burstbeacon[1].txt[/email] -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Dean Youngman\Local Settings\Temporary Internet Files\Content.IE5\OFRR24TH\photo[1].jpg -> Backdoor.Haxdoor.dw : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@ad.yieldmanager[2].txt[/email] -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@adopt.specificclick[2].txt[/email] -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@burstnet[1].txt[/email] -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@c.enhance[1].txt[/email] -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@com[2].txt[/email] -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@shopathomeselect[2].txt[/email] -> TrackingCookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@techrepublic.com[1].txt[/email] -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@www.burstbeacon[1].txt[/email] -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@www.burstnet[2].txt[/email] -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HARRY BARNES\Cookies\harry [email]barnes@www.myaffiliateprogram[2].txt[/email] -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\HJT\backups\backup-20060419-231322-557.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\RECYCLER\S-1-5-21-2102674959-2206222879-2866230195-1137\Dc74.zip/picture29.scr -> Backdoor.SdBot.aad : Cleaned with backup
C:\RECYCLER\S-1-5-21-2102674959-2206222879-2866230195-1137\Dc75.bak -> Backdoor.SdBot.aad : Cleaned with backup
E:\System Volume Information\_restore{3FCFFC23-265F-49DC-9002-4650AE7CAFF1}\RP464\A0017532.exe -> Backdoor.Ncx.a : Cleaned with backup
E:\System Volume Information\_restore{3FCFFC23-265F-49DC-9002-4650AE7CAFF1}\RP465\A0017585.exe/gg.bat -> Backdoor.Wup : Cleaned with backup
E:\WINNT\system32\ncp.exe -> Backdoor.Ncx.a : Cleaned with backup
E:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@com[1].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz3.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@stats3.porntrack[2].txt -> TrackingCookie.Porntrack : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@aphrodite.porntrack[1].txt -> TrackingCookie.Porntrack : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@artemis.porntrack[1].txt -> TrackingCookie.Porntrack : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@com[3].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz3.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
E:\Documents and Settings\Dean\Cookies\dean@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
E:\Documents and Settings\Dean.IDEANYOUNGMAN\Local Settings\Temporary Internet Files\Content.IE5\KXO9E3SF\popcaploader_v6[1].spl/PopCapLoader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
E:\Documents and Settings\Dean.IDEANYOUNGMAN\Cookies\dean@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup



::Report End


Logfile of HijackThis v1.99.1
Scan saved at 1:22:30 AM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRAM FILES\EWIDO\EWIDOGUARD.EXE
C:\Program Files\ewido\ewidoctrl.exe
C:\PROGRAM FILES\AIM\AIM.EXE
C:\Program Files\HJT\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - https://192.168.1.25/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107046215734
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://207.101.240.245/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O17 - HKLM\Software\..\Telephony: DomainName = IDeanYoungmanCPA.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IDeanYoungmanCPA.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

thanks!

tayspen 28 <Insert title here> Team Colleague · Answer 11 · 2006-04-20T16:57:03+00:00

tayspen 28 <Insert title here>

18 Years Ago

Well, That is a clean log :).

imsuchawolf 0 Newbie Poster · Answer 12 · 2006-04-20T19:38:33+00:00

imsuchawolf 0 Newbie Poster

18 Years Ago

Thanks buddy!!!!!

'Stein 150 Lapsed Skeptic Team Colleague · Answer 13 · 2006-04-21T06:47:02+00:00

Arg, I wouldn't be so certain you're clean jus yet. For 1, ewido found a Haxdoor variant in its scan. Haxdoor is a very bad form of malware. It steals financial passwords and sends them to hackers.

However, I'm not saying this is the case; it's just a possibility. And with luck, DMR'll step in soon :)

Until then, lets download Blacklight:

http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe

Post back here with the blacklight log and a new HJT log.

Thanks.

tayspen 28 <Insert title here> Team Colleague · Answer 14 · 2006-04-21T07:52:08+00:00

Files\Content.IE5\OFRR24TH\photo[1].jpg -> Backdoor.Haxdoor.dw : Cleaned with backup

Yes but it was cleaned. The HJT log also showed no signs of it.

'Stein 150 Lapsed Skeptic Team Colleague · Answer 15 · 2006-04-21T08:25:58+00:00

True, but do ya think it's safe to assume that that's the only part of it on the system? I was jus gonna run blacklight and verify it wasn't there.

Whaddya think? (heh ure the one with more experience, so its up to ya)

tayspen 28 <Insert title here> Team Colleague · Answer 16 · 2006-04-21T08:31:36+00:00

Well. Better safe then sorry, so it wouldn't to run it...

imsuchawolf 0 Newbie Poster · Answer 17 · 2006-04-21T10:52:12+00:00

Blacklight found nothing......thanks though I appreciate the precautions!

'Stein 150 Lapsed Skeptic Team Colleague · Answer 18 · 2006-04-22T04:45:38+00:00

Ahh, alrite great, that's good news.

I apolegize for that little scare there, I jus wanted to be sure Haxdoor was all gone.

If ya could mark the thread as 'solved', it would be great.

Thanks.

imsuchawolf 0 Newbie Poster · Answer 19 · 2006-04-22T05:04:12+00:00

how do i mark it solved? i found the solution light bulb, is that it?

'Stein 150 Lapsed Skeptic Team Colleague · Answer 20 · 2006-04-22T05:16:08+00:00

Haha nah, its not the lightbulb. One of the admin must of marked it already.

We're glad we could help ya. :)

Thanks again.