Oye! I'm suffering from VIRUS

Status
Not open for further replies.

IG

Journeyman
@it_wazzant_me.... dude, I made a heap big mistake and removed the title line from my IE. Don't remember how to put it back on. How do I do it???
 

IG

Journeyman
@it_wazznt_me: nvm.. got it back on. I removed the first few lines from my logfile because I didn't think they would be needed.
I got the removal tool from Sophos and ran it. It did not detect anything; neither did Stinger. The only thing is AVG keeps warning that I've got Agobot in my system. It removes it every time I run it, but warns again. A few days back my firewalls stopped working. I used ZoneAlarm at first, but it gave trouble so I shifted to Sygate. That gave trouble as well, so I tried Kerio last night. The thing is, as soon as I use the firewall to block winmon and LSA Shell Export from accessing the net, my connection stops working. It's online but no data flow. And the scan doesn't detect Sasser either.
Anyway, I have run AVG Antivirus, McAfee Stinger and the SDBot removal tool from Sophos, and removed the stuff you told me to remove using HijackThis.
Here's my logfile :)


Logfile of HijackThis v1.97.7
Scan saved at 11:12:39 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Softwares\sdbotgui.com
F:\Softwares\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mistakes Are Always Perfect
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E26C00-3490-44C1-9274-0D43D65F02C7}: NameServer = 202.144.10.50 202.144.66.6

Is it time I formatted again??
 

it_waaznt_me

Coming back to life ..
IG said:
Logfile of HijackThis v1.97.7 <-- Btw .. This is an ancient version of HJT ..
Platform: Windows XP SP1 (WinNT 5.01.2600) <-- You should install SP2

C:\WINDOWS\System32\winmon.exe <-- Kill this process first

To proceed with your HijackThis log, run HijackThis again, put a checkmark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.
O4 - HKCU\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex

And did you apply the Microsoft patch described here?
 

IG

Journeyman
Tried killing winmon, not dying... sdbot.gui is the Sophos tool to remove the SDBot infection.
SP2 might not install... no need to elaborate :p
Where can I get a more recent version of HJT? Wasn't it on a Digit CD some time back?
Btw, is there a problem with the Windows cleaner? I use it to clean the cookies and all at startup.
 

it_waaznt_me

Coming back to life ..
HijackThis can be found here ... I was editing the post while you replied to it ... :p ...


And Btw .. Anything is possible ;) ..
 

sr_ultimate

Journeyman
Man, the whole of my computer is now dumped. I deleted the svchostt and did the fixmbr, but now my whole computer won't start.
Now it goes like this:

It does not take 98 as before, and XP is gone too.
I think it will be better to buy a new hard disk. Will it cure it?
 

IG

Journeyman
Kaspersky doesn't find a virus, but AVG keeps finding Agobot and removing it every time I run it.... format, here I come!!
 

Wildstyle

Broken In
And remember, you may remove Redlof (if that's what you've got) successfully from memory, but it WILL stay hidden inside any HTML files you have got, as it plants its code inside every HTML page it can find. If you even view those HTML files in your browser, you'll get the virus again.

So keep an anti-virus installed and running. Enable any live protection it has. Please keep an anti-virus running, as the performance hit is well worth the security it offers in these days of sneaky viruses.
 

FunkyB

Broken In
Hi there ppl, need your help big time...!
My friend's comp has been infected by spyware and we just can't get rid of it. Have used both Ad-Aware and Spybot... they both report some infection each time and then clean them, but it keeps coming back. Every time I try to surf, my IE gets redirected to some page claiming to help me remove the spyware. Spybot shows an assortment of names and cleans them, but one called Dialler just doesn't go. Spybot says that it can't remove it. Have updated both Ad-Aware and Spybot but to no avail. Am posting the HijackThis and the Ad-Aware log files. Please help ASAP...


Logfile of HijackThis v1.97.7
Scan saved at 00:10:18, on 24/09/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\soundman.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winspool] C:\WINNT\System32\winspoolx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: Yahoo! Chat 1.3 - *jcs.chat.dcn.yahoo.com/c174/chat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - *v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38173.0277546296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - *download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B55D300-6B8E-43B3-B9D0-9D173F34C4B6}: NameServer = 172.16.0.1,202.54.9.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B55D300-6B8E-43B3-B9D0-9D173F34C4B6}: NameServer = 172.16.0.1,202.54.9.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B55D300-6B8E-43B3-B9D0-9D173F34C4B6}: NameServer = 172.16.0.1,202.54.9.1




Lavasoft Ad-aware Personal Build 6.181
Logfile created on :23 September 2004 23:53:09
Created with Ad-aware Personal, free for private use.
Using reference-file :01R341 14.09.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R341 14.09.2004
Internal build : 275
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1336435 Bytes
Signature data size : 1314779 Bytes
Reference data size : 21592 Bytes
Signatures total : 29077
Target categories : 10
Target families : 542

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:39 %
Total physical memory:228848 kb
Available physical memory:88872 kb
Total page file size:732304 kb
Available on page file:591972 kb
Total virtual memory:2097024 kb
Available virtual memory:2054672 kb
OS:Windows 2000

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


23-09-2004 23:53:09 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 23-09-2004 18:16:30
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:39
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:41
BasePriority : Normal
FileSize : 86 KB
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:06:36
Last modified : 22/07/2002 06:35:04

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:41
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.5430
ProductVersion : 5.00.2195.5430
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:16:41
Last modified : 22/07/2002 06:35:04

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:46
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00

#:6 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 23-09-2004 18:16:47
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.01.10
ProductVersion : 1.01.10
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 12/09/2002 14:22:38
Last accessed : 23/09/2004 18:19:19
Last modified : 12/09/2002 14:22:38

#:7 [nisum.exe]
FilePath : C:\Program Files\Norton Internet Security\
ThreadCreationTime : 23-09-2004 18:16:48
BasePriority : Normal
FileSize : 137 KB
FileVersion : 6.01.1005
ProductVersion : 6.01.1005
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
OriginalFilename : NISUM.exe
ProductName : Norton Internet Security
Created on : 20/09/2002 21:15:12
Last accessed : 23/09/2004 18:06:44
Last modified : 20/09/2002 21:15:12

#:8 [lexbces.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:53
BasePriority : Normal
FileSize : 278 KB
FileVersion : 5,12,00,00
ProductVersion : 5,12,00,00
Copyright : (C) 1993 - 2000 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 29/01/2003 11:06:41
Last accessed : 23/09/2004 18:16:53
Last modified : 07/06/2000 07:08:06

#:9 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:53
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.4299
ProductVersion : 5.00.2195.4299
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 29/01/2003 16:11:19
Last accessed : 23/09/2004 18:16:53
Last modified : 22/07/2002 06:35:04

#:10 [lexpps.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:53
BasePriority : Normal
FileSize : 166 KB
FileVersion : 5,12,00,00
ProductVersion : 5,12,00,00
Copyright : (C) 1993 - 2000 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 29/01/2003 11:06:41
Last accessed : 23/09/2004 18:16:53
Last modified : 07/06/2000 07:04:40

#:11 [cdantsrv.exe]
FilePath : C:\WINNT\System32\DRIVERS\
ThreadCreationTime : 23-09-2004 18:16:54
BasePriority : Normal
FileSize : 31 KB
FileVersion : 3.22.020
ProductVersion : 3.22.020 Windows NT 2000/12/15
Copyright : Copyright (c) C-Dilla and Macrovision 1993-2000
CompanyName : C-Dilla Ltd
FileDescription : C-Dilla RTS Service
InternalName : CDANTSRV
OriginalFilename : CDANTSRV.EXE
ProductName : CD-Secure/CD-Compress Windows NT
Created on : 15/01/2001 09:50:24
Last accessed : 23/09/2004 18:16:54
Last modified : 15/01/2001 09:50:24

#:12 [ccpxysvc.exe]
FilePath : C:\Program Files\Norton Internet Security\
ThreadCreationTime : 23-09-2004 18:16:54
BasePriority : Normal
FileSize : 33 KB
FileVersion : 6.01.1005
ProductVersion : 6.01.1005
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
OriginalFilename : ccPxySvc.exe
ProductName : Norton Internet Security
Created on : 20/09/2002 21:13:50
Last accessed : 23/09/2004 18:23:10
Last modified : 20/09/2002 21:13:50

#:13 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:16:54
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00

#:14 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 23-09-2004 18:16:55
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23/02/2001 04:37:30
Last accessed : 23/09/2004 18:16:55
Last modified : 23/02/2001 04:37:30

#:15 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 23-09-2004 18:16:56
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.00.1104
ProductVersion : 9.00.1104
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 19/08/2002 17:05:38
Last accessed : 23/09/2004 18:19:19
Last modified : 19/08/2002 17:05:38

#:16 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 23-09-2004 18:17:01
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright (C) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 23/09/2004 15:30:00
Last accessed : 23/09/2004 18:06:51
Last modified : 14/08/2002 00:33:00

#:17 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:17:04
BasePriority : Normal
FileSize : 65 KB
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 31/07/2004 10:32:30
Last accessed : 23/09/2004 18:17:04
Last modified : 22/07/2002 06:35:04

#:18 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:17:05
BasePriority : Normal
FileSize : 115 KB
FileVersion : 4.71.2195.1
ProductVersion : 4.71.2195.1
Copyright : Copyright (C) Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 31/07/2004 10:32:23
Last accessed : 23/09/2004 18:17:05
Last modified : 22/07/2002 06:35:04

#:19 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 23-09-2004 18:17:05
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 31/07/2004 10:32:44
Last accessed : 23/09/2004 18:17:05
Last modified : 22/07/2002 06:35:04

#:20 [mspmspsv.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:17:06
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft (R) DRM
Created on : 29/01/2003 11:35:55
Last accessed : 23/09/2004 18:17:06
Last modified : 01/05/2001 11:36:22

#:21 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:17:07
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00

#:22 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:17:07
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00

#:23 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 23-09-2004 18:21:46
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 31/07/2004 10:32:38
Last accessed : 23/09/2004 18:20:33
Last modified : 22/07/2002 06:35:04

#:24 [symtray.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 23-09-2004 18:21:46
BasePriority : Normal
FileSize : 84 KB
FileVersion : 2003.6.49
ProductVersion : 2003.6.49
Copyright : Copyright (c) 1997-2002 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton SystemWorks SymTray
InternalName : SymTray.exe
OriginalFilename : SymTray.exe
ProductName : Norton SystemWorks
Created on : 28/08/2002 19:14:54
Last accessed : 23/09/2004 18:21:47
Last modified : 28/08/2002 19:14:54

#:25 [soundman.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 121 KB
FileVersion : 4.1
ProductVersion : 4.1
Copyright : Copyright (c) 2000-2001 Avance Logic, Inc.
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Effect Manager
InternalName : SoundMan
OriginalFilename : SoundMan.exe
ProductName : Avance Sound Effect Manager v.4.1
Created on : 29/01/2003 11:00:12
Last accessed : 23/09/2004 18:20:46
Last modified : 16/01/2002 16:34:52

#:26 [lxsupmon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 775 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Lexmark
FileDescription : Supplies Monitor
InternalName : LXSUPMON
OriginalFilename : LXSUPMON.RC
ProductName : Lexmark Supplies Monitor
Created on : 30/04/2003 11:49:00
Last accessed : 23/09/2004 18:20:47
Last modified : 07/06/2000 07:31:38

#:27 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.02.05
ProductVersion : 1.02.05
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 20/09/2002 21:12:50
Last accessed : 23/09/2004 18:20:49
Last modified : 20/09/2002 21:12:50

#:28 [createcd.exe]
FilePath : C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 256 KB
FileVersion : 4.02S (287)
ProductVersion : 4.02S (287)
Copyright : Copyright (c) 1996-2000 Adaptec, Inc.
CompanyName : Adaptec
FileDescription : Adaptec Create CD
InternalName : createcd.exe
OriginalFilename : createcd.exe
ProductName : Easy CD Creator
Created on : 24/03/2004 07:49:17
Last accessed : 23/09/2004 18:21:33
Last modified : 24/03/2004 07:49:50

#:29 [ctfmon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 8 KB
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
Copyright : Copyright (C) Microsoft Corporation. 1981-2001
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
OriginalFilename : CICLOAD.EXE
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 20/02/2001 07:39:54
Last accessed : 23/09/2004 18:17:30
Last modified : 20/02/2001 07:39:54

#:30 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 4768 KB
FileVersion : 6.2.0133
ProductVersion : Version 6.2
Copyright : Copyright (c) Microsoft Corporation 1997-2004
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 18/04/2004 17:15:08
Last accessed : 23/09/2004 18:20:19
Last modified : 18/04/2004 17:15:08

#:31 [ymsgr_tray.exe]
FilePath : C:\PROGRA~1\Yahoo!\MESSEN~1\
ThreadCreationTime : 23-09-2004 18:21:54
BasePriority : Normal
FileSize : 88 KB
Created on : 23/09/2004 15:51:46
Last accessed : 23/09/2004 18:07:47
Last modified : 21/05/2004 07:19:52

#:32 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 23-09-2004 18:22:58
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 10/08/2004 19:43:12
Last accessed : 23/09/2004 17:27:42
Last modified : 12/07/2003 15:30:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj.1


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{444a5674-ff85-45d4-9ae2-4199d8d70c85}


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.windowws.

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "*www.windowws.cc/hp.htm?id=632"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "*www.windowws.cc/hp.htm?id=632"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.windowws.cc

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "*www.windowws.cc/hp.htm?id=632"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "*www.windowws.cc/hp.htm?id=632"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Barabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 7


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : 2h8cer1lzoi96.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004
FileDescription : plugin6 Module
InternalName : plugin6
OriginalFilename : plugin6.DLL
ProductName : plugin6 Module
Created on : 10/08/2004 07:56:05
Last accessed : 23/09/2004 18:24:40
Last modified : 10/08/2004 07:56:05




CoolWebSearch Object recognized!
Type : File
Data : 2z2v5cwyi9bs.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004
FileDescription : plugin6 Module
InternalName : plugin6
OriginalFilename : plugin6.DLL
ProductName : plugin6 Module
Created on : 10/08/2004 07:56:02
Last accessed : 23/09/2004 18:24:40
Last modified : 10/08/2004 07:56:02



CoolWebSearch Object recognized!
Type : File
Data : e18u4jzix8n6r.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004
FileDescription : plugin6 Module
InternalName : plugin6
OriginalFilename : plugin6.DLL
ProductName : plugin6 Module
Created on : 10/08/2004 18:21:17
Last accessed : 23/09/2004 18:24:45
Last modified : 10/08/2004 18:21:17




Scanning Hosts file(C:\WINNT\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 10



Possible Browser Hijack attempt Object recognized!
Type : File
Data : free xxx pics & movies.url
Category : Misc
Comment : Item referrs to blacklisted Site: *gotosex4all.com
Object : C:\Documents and Settings\Administrator\Favorites\

Created on : 20/08/2004 06:24:14
Last accessed : 23/09/2004 18:24:58
Last modified : 23/09/2004 17:20:34




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}


CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : uninstal


CoolWebSearch Object recognized!
Type : File
Data : free xxx pics & movies.url
Category : Malware
Comment :
Object : c:\documents and settings\administrator\favorites\

Created on : 20/08/2004 06:24:14
Last accessed : 23/09/2004 18:24:58
Last modified : 23/09/2004 17:20:34



CoolWebSearch Object recognized!
Type : File
Data : ieengine.exe
Category : Malware
Comment :
Object : c:\program files\internet explorer\

Created on : 20/08/2004 06:24:14
Last accessed : 23/09/2004 18:24:58
Last modified : 23/09/2004 17:20:35



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 5
Objects found so far: 16


23:54:59 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:49:27
Objects scanned :45188
Objects identified :16
Objects ignored :0
New objects :16
 

it_waaznt_me

Coming back to life ..
To proceed with your HijackThis log, run HijackThis again, put a checkmark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.

**** said:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.exe <-- Kill this process first from Task Manager and delete the file after reboot..

O4 - HKLM\..\Run: [winspool] C:\WINNT\System32\winspoolx.exe
O4 - Global Startup: winlogin.exe <-- Virus
O15 - Trusted Zone: *.greg-search.com
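As an added example (not code from this thread or from HijackThis), here is a small Python triage script that turns the helper's by-hand reasoning into explicit rules and runs them over lines copied from the two logs above: bare autorun filenames such as winmon.exe and winlogin.exe, names that imitate a Windows component such as winspoolx.exe, and O15 Trusted Zone additions. The allowlist of known bare names, the list of core components and the edit-distance threshold are my assumptions, not anything from the page.

```python
"""Triage rules for HijackThis v1.97-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [winspool] C:\WINNT\System32\winspoolx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - *download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: bare names that legitimately autostart without a path on these boxes.
KNOWN_BARE = {"ctfmon.exe", "mobsync.exe", "loadqm.exe", "soundman.exe"}
# Assumption: core Windows components that are started by the kernel, the SCM or
# Winlogon, never from a Run/RunOnce key or the Startup folder.
CORE_COMPONENTS = {"winlogon", "spoolsv", "winspool", "svchost", "lsass",
                   "services", "csrss", "smss", "explorer"}

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>.+)$")


@dataclass
class Finding:
    line: str
    target: str                      # basename of the executable, or the site
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names that imitate a Windows component."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command: str) -> str:
    """Pull the executable out of an O4 command string (quoted or not)."""
    if " = " in command:                      # "Foo.lnk = C:\path\target.exe"
        command = command.rsplit(" = ", 1)[1]
    m = re.search(r'"?([^"]*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def check_o4(line: str) -> Optional[Finding]:
    """Autorun entries: flag bare filenames and lookalikes of core components."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = executable_of(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    finding = Finding(line, base)
    if "\\" not in exe and base not in KNOWN_BARE:
        finding.reasons.append("bare filename: resolved via the search path, "
                               "so the file can sit anywhere (winmon.exe style)")
    for core in sorted(CORE_COMPONENTS):
        if levenshtein(stem, core) <= 1:
            finding.reasons.append("name matches or imitates the Windows component "
                                   f"'{core}', which never autostarts this way")
            break
    return finding if finding.reasons else None


def check_o15(line: str) -> Optional[Finding]:
    """Trusted Zone additions: always worth a look, they lower IE's security for that site."""
    m = O15_RE.match(line)
    if not m:
        return None
    return Finding(line, m.group("site"),
                   ["site added to IE's Trusted Zone: pages there run with lowered security"])


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule in (check_o4, check_o15):
            hit = rule(line)
            if hit:
                findings.append(hit)
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Sorted, de-duplicated targets, handy for a quick report."""
    return sorted({f.target for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the sample it flags exactly the four entries the helper singled out (winmon.exe, winspoolx.exe, winlogin.exe, *.greg-search.com) and leaves the AVG, ctfmon, ccApp and Office entries alone.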
 