Browser Hijacked
Hello,
I followed all the steps noted in the forum with no success. I spent this entire afternoon running Ad-Aware, deleting the target families, and restarting. The final step as per the forum instructions was to download HijackThis and post the log. I deleted a couple of obvious ones through HijackThis. Following is the latest log:
Thank you in advance!!
------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:55:21 AM, on 06/15/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERITAS SOFTWARE\UPDATE MANAGER\SGTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\DEFENDER26.EXE
C:\NEWNAME25.EXE
C:\WINDOWS\AWISAM.EXE
C:\WINDOWS\SYSTEM\OWINLQEZ.EXE
C:\MY DOCUMENTS2\TSBO\MSHTA.EXE
C:\PROGRAM FILES\DIWI\SJKVKIIH.EXE
C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFA.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {2681CEC7-C251-43B6-B1F7-CD83A00A97C9} - \
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [newname] C:\\NEWNAME25.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM\OWINLQEZ.EXE GID003
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [iscu] "C:\My Documents2\tsbo\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\owinlqez.exe
O4 - Startup: sfutg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
-
Ugh! That's the latest Alcra/Alcan worm which is a downloader of all the worst kinds of malware and the hardest to remove. Is your Norton a current version and up to date?
I have fix tools for this but only for Win2k and XP. I can ask around what is being recommended for Win98. It's such an assortment of nasties that I'm not sure we can repair all the damage done. You do need to get this PC off the internet ASAP as it will continue to download more malware. My best recommendation at the moment is to backup all your important data and reformat/reinstall, if that is easy enough for you to do. It could take many days of cleaning and even then I can't assure you the damage can be repaired. I'll try though if you have no other option.
For starters, be sure to uninstall NewdotNet through this procedure only:
http://www.newdotnet.com/removal.html
These two utilities may help:
There is this free Utility from Dr. Web
FREE Dr.Web CureIt! Curing Utility
http://download.drweb.com/drweb+cureit/
(follow the directions given on that page)
And you probably need an AntiTrojan
a-squared has a free edition and will run on Windows98
http://www.emsisoft.com/en/software/free/
Follow up with updating Ad-aware with today's latest update and a full system scan in SAFE MODE
0 -
By the way, following is the original HijackThis Log before I deleted some obvious files:
----------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:30:13 PM, on 06/14/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\DEFENDER26.EXE
C:\WINDOWS\SYSTEM\DWDSREGT.EXE
C:\WINDOWS\AWISAM.EXE
C:\MY DOCUMENTS2\TSBO\MSHTA.EXE
C:\PROGRAM FILES\DIWI\SJKVKIIH.EXE
C:\WINDOWS\SYSTEM\OWINLQEZ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\QHYXY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [newname] C:\\NEWNAME25.exe
O4 - HKLM\..\Run: [{11-16-6F-F2-ZN}] C:\WINDOWS\SYSTEM\DWDSREGT.EXE GID003
O4 - HKLM\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM\OWINLQEZ.EXE GID003
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [iscu] "C:\My Documents2\tsbo\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: Z_Start.lnk = ?
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\owinlqez.exe
O4 - Startup: sfutg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
0 -
Thank you so much for your reply. I appreciate it very much!
I immediately took my pc off the internet. Furthermore, I performed the following:
- Uninstalled NewdotNet.
- Ran Dr. Web CureIt but did not find anything.
- Ran a-squared and deleted 5 Adwares
- Ran a full system scan with Ad-Aware with yesterday's update (because my pc is off the internet) in Safe Mode.
- Rebooted the system to normal mode and re-ran Ad-Aware (w/ yesterday's update) and found/deleted 1 file (Win32.Trojan.Downloader), which was located in C:\WINDOWS\bcgbkrm.exe
However, whenever I open Windows Explorer, I get an ACCESS DENIED message from Norton Antivirus for the following two files:
- C:\comscore.exe
- C:\webnexmk.exe
Also, while attempting to Delete a file named Startup: sfutg.exe through HijackThis I got a message stating "Unable to Delete" and to use a process killer like "ProcView" to shutdown the program and Run HijackThis again to delete the file. So far, I installed ProcView but I'm not sure if I should use it.
Should I have connected to the internet and downloaded today's Ad-Aware updates? Would it have made a big difference? What about the vulnerability issue?
Following is the latest HijackThis log:
-------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:42:40 PM, on 06/15/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\AWISAM.EXE
C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: sfutg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
0 -
I'm not sure the latest updates for Adaware are going to make a big difference but you can download the updates manually. This is explained in the Help menu of Adaware SE under "Manual Updates".
1. Close Ad-Aware
2. Download the latest definition file in a ZIP file from Lavasoft's website*
http://www.lavasoftusa.com/support/download/
3. Save it to a temporary location (put a copy onto removable media and transfer to the affected computer)
4. When complete, unzip the contents of the file, either through your favorite ZIP utility or through built-in support in Windows, to the installation directory of Ad-Aware, which is usually C:\Program Files\Lavasoft\Ad-Aware SE Personal\
5. Open Ad-Aware
You can then confirm the latest definition file is installed by looking at the Initialization Status on the main Status screen.
.................................................................
You need to run the full system scan in SAFE MODE:
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
...............................
I need to know what version of Norton Antivirus you are running and the latest update you have for it. Your antivirus program is the other key to this infection.
0 -
I am running Norton Antivirus 2003 with the latest updates, as of this past Wed.
I ran it in safe mode and it found and deleted Win32.Trojan.Downloader. I then ran Ad-Aware (w/ the original updates) and found and deleted the following:
- Win32.Trojan.Downloader in the C:\WINDOWS\qhyxy.exe
- MRU list - winzip recently used archives - HKEY_USERS:.DEFAULT\SOFTWARE\Nico Mak Computing\winzip\filemenu\
- MRU list - mrulist for items opened in start run - HKEY_USERS:.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RUNMRU\
-----------------
Following is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:49:35 AM, on 06/16/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: sfutg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
0 -
Do you know if this type of malware infects data such as MS Office files (excel, word, etc.)? You had mentioned backing up important files. Would transferring them to another computer put the other computer at risk? Thanks.
0 -
Should I install and scan Bit Defender in Safe Mode or Regular Mode? Thanks.
0 -
I need an additional report.
Could you please Open HijackThis and instead of scan choose *Open Misc. Tools Section*
Next choose *Open Uninstall Manager*
It will make a list. When it finishes, press the *save list* button. Copy the results of that report back here please.
...........................
Norton 2003 is a bit obsolete for today's malware.
If your PC meets the system requirements, please download the free edition of BitDefender8
Then get the updates for it and shuttle to the affected computer. Install the program and BOTH updates
(cumulative and the daily). Links provided below:
http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html
System requirements:
* Pentium MMX 200 Mhz or higher processor
* Minimum 64MB of RAM Memory (128MB recommended)
* Minimum 40MB available hard disk space
Operating platform: Windows 98/NT-SP6/Me/2000/XP IE 4.0(+)
Download BitDefender8 and install
http://www.bitdefender.com/site/Download/d...oadFile/340/EN/
....................................................
Windows 98, Windows Millennium
Follow these steps to update the virus definitions:
1. Download the appropriate update (get both of these).
ftp://80.86.106.20/pub/updates/bitdefender_v8/cumulative.zip
ftp://80.86.106.20/pub/updates/bitdefender_v8/daily.zip
Save the archive to the disk instead of opening it from the web.
2. Extract the archive content.
Start with cumulative.zip when both update archives are available. Extract the content in the folder
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\Plugins
and accept overwriting existing files.
3. Restart the computer.
After installing and updating do a full system scan with Bit defender and let it remove or repair any infected files found. Please make a copy of the log at the end and post the results back here.
0 -
I just sent you the HijackThis Uninstall Manager list in a PM as I would like to keep the data private. Thank you. I hope you don't mind. Thanks.
0 -
You can install and apply the updates in normal mode, but the scanning should be done in safe mode to give it the best chance of being able to delete any infected files found.
And to the other question, yes Word documents, etc. can be infected but just transferring them to store on another computer won't infect it. However, you should scan all transferred data files to be sure none are infected before opening any of them. If infected, that could launch a malware.
0 -
I tried to run BitDefender in safe mode and got the following error message:
"Failed to start the virus shield. Please launch the program again. If the problem persists, contact the developer."
However, when I installed it in normal mode, the program started scanning on its own.
Any recommendations?
0 -
Don't mind at all.
First, please go to your Control Panel and look in Add/Remove programs
Highlight each of these and press *remove* one by one.
(Those versions of Sun Java are out of date and a security vulnerability if left on your system).
Snowball Wars is a PurityScan variant and best removed via Add/Remove Programs in the Control Panel
Remove each of these:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1
Java Web Start
Snowball Wars by OIN
You can get the latest up to date version of Sun Java here to replace the old vulnerable ones:
http://www.java.com/en/download/manual.jsp
Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreports.com/forum/remark,14738046
After removing those programs and the BitDefender scan, and you are back in normal mode, then please scan with HijackThis and post a fresh log. I need the HijackThis log from normal mode to see what is left.
0 -
I couldn't remove the following through HijackThis:
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: sfutg.exe
I, however, couldn't find the following:
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
I did install both updates and currently running a complete scan through BitDefender in normal mode as follows:
- Local Drives
- Network Drives
- Removable Drives
- All Entries
It seems to be taking some time to scan. Will you be responding to postings over the weekend? You've just been so great and I feel hopeful because of your kind help.
0 -
In normal mode, scan with HijackThis and checkmark these entries, then press the *fix checked* button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: sfutg.exe
Delete these files (if found and if possible to delete)
C:\\KEYBOARD25.exe
C:\\DEFENDER26.exe
C:\WINDOWS\awisam.exe
C:\Program Files\Diwi\sjkvkiih.exe
C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
sfutg.exe
Close HijackThis
Immediately, go ahead and run the full system scan with BitDefender in normal mode then
You were able to install both updates to the program?
0 -
I'll be here. Get a scan log from Bit Defender and post the results. After cleaning with Bit Defender, reboot your PC and scan again with Hijack and post a fresh log from it too please.
0 -
I am experiencing some problems running BitDefender in normal mode. At 63% I received an Illegal Operation Message. Since then, the scan has stopped in its tracks. So far it found 12 identified viruses. I am in communication with BitDefender's tech support about trying to run it in Safe Mode instead. They sent me the following link but it seems a bit confusing to follow. I'm not able to find the command prompt as per their instructions. The instructions say to enter the Command Prompt by clicking:
Start>All Programs>Accessories>Command Prompt.
However, after I reach Accessories I cannot locate Command Prompt. I am using Win98 SE.
In Safe Mode, they recommend to scan using the command prompt.
More information about the scan commands is available in the article:
http://kb.bitdefender.com/site/viewArticle...and_Prompt.html
Also, have you heard of AVG? A friend recommended this program.
0 -
Oh, right. This worm stops certain processes from running, which may be the problem.
Ok, let's try this fix, I think it works in Windows98.
Download AlcanShorty from here.
http://www.geekstogo.com/forum/index.php?a...details&f_id=13
* Click the *download* button near the bottom and agree to download the fix.
* Download Alcanshorty to your desktop.
* DoubleClick alcanshorty_en.exe and click install
* This will create a new folder on your desktop called alcanshorty_en
* Open that folder and doubleclick Run.bat
* Once the fix starts, your icons and desktop will disappear, this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,
because alcanshorty needs to download some additional files to let the tool run properly.
* Wait for the complete script execution box to popup and press OK.
* Press exit to terminate the BFU program.
Reboot your computer, then see if Bit Defender will run in normal mode.
0 -
I was able to perform a full scan with BitDefender in normal mode after all. I then rebooted in normal mode and ran HijackThis. Following are both logs. However, after the BitDefender scan I noticed 29 new files on my desktop. Do you know what they represent?
1 File:
x_dtrace.log
28 Files:
00F9D630_kds
00F9D050_kds
00F9D..._kds
etc..
--------------------
BitDefender Log:
//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 17/06/2006 15:11:07
//
//-----------------------------------------------------------------
Statistics
Scan path : A:\
C:\
D:\
Folders : 11544
Files : 867595
Archives : 133185
Packed files : 108036
Identified viruses : 11
Infected files : 29
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 11
Copied files : 0
Moved files : 16
Renamed files : 0
I/O errors : 4
Scan time : 07:33:08
Scan speed (files/sec) : 31
Virus definitions : 388423
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 5
Mail plugins : 6
System plugins : 1
Scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user
Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report
Summary:
C:\WINDOWS\SYSTEM\dmonwv.dll Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\SYSTEM\dmonwv.dll Disinfection failed
C:\WINDOWS\SYSTEM\dmonwv.dll Moved
C:\WINDOWS\SYSTEM\pkdsregk.exe Infected Trojan.Downloader.Agent.KK
C:\WINDOWS\SYSTEM\pkdsregk.exe Disinfection failed
C:\WINDOWS\SYSTEM\pkdsregk.exe Moved
C:\WINDOWS\bcgbkrm.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\bcgbkrm.exe Disinfection failed
C:\WINDOWS\bcgbkrm.exe Moved
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Infected Win32.Sober.Y@mm
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Disinfection failed
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Move failed
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733) Update
C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732) Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx Update failed
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733) Update
C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx Update failed
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Disinfection failed
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Moved
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Infected JS.Kak.Gen@mm
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Deleted
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf) Update failed
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Infected JS.Kak.Gen@mm
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Deleted
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf) Update failed
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf)=>(JAVASCRIPT 1) Infected JS.Kak.G@mm
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf)=>(JAVASCRIPT 1) Deleted
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf) Update
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body) Update failed
C:\WINDOWS\qhyxy.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\qhyxy.exe Disinfection failed
C:\WINDOWS\qhyxy.exe Moved
C:\WINDOWS\awisam.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\awisam.exe Disinfection failed
C:\WINDOWS\awisam.exe Moved
C:\WINDOWS\guwwl.dat Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\guwwl.dat Disinfection failed
C:\WINDOWS\guwwl.dat Moved
C:\WINDOWS\unwn.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\unwn.exe Disinfection failed
C:\WINDOWS\unwn.exe Moved
C:\WINDOWS\geitqux.dll Infected Trojan.Downloader.Qoologic.BJ
C:\WINDOWS\geitqux.dll Deleted
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Infected Trojan.Downloader.Qoologic.BC
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Disinfection failed
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Moved
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Infected Trojan.Downloader.Qoologic.BC
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Disinfection failed
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Moved
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Infected Trojan.Downloader.Qoologic.BC
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Disinfection failed
C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Moved
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Infected Win32.Sober.Y@mm
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Disinfection failed
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Move failed
C:\command.exe Infected Trojan.Dropper.Delf.EV
C:\command.exe Disinfection failed
C:\command.exe Moved
C:\ZIGID003.exe Infected Trojan.Downloader.Agent.KK
C:\ZIGID003.exe Disinfection failed
C:\ZIGID003.exe Moved
C:\visfx500.exe Infected MemScan:Trojan.Dropper.Agent.AIE
C:\visfx500.exe Disinfection failed
C:\visfx500.exe Moved
C:\NNSCAA638.EXE Detected: Application.Adware.NewDotNet.B.Dropper
C:\NNSCAA638.EXE Deleted
C:\installerwnus.exe Infected Trojan.Downloader.Qoologic.BC
C:\installerwnus.exe Disinfection failed
C:\installerwnus.exe Moved
C:\526_620.exe Infected Dropped:Trojan.Clicker.VB.BX
C:\526_620.exe Disinfection failed
C:\526_620.exe Moved
---------------------------------------------------------------------
---------------------------------------------------------------------
Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:33:12 PM, on 06/17/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERITAS SOFTWARE\UPDATE MANAGER\SGTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE
C:\WINDOWS\AWISAM.EXE
C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNEWS.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [bDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [bitDefender Communicator] "C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe"
O4 - HKLM\..\RunServices: [bitDefender Scan Server] "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe"
O4 - HKLM\..\RunServices: [bitDefender Live! Init] "C:\Program Files\Softwin\BitDefender8\bdinit.exe"
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: sfutg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
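To check which of the autostart entries on the helper's fix list actually disappeared after the BitDefender scan, here is an added Python example (not HijackThis code and not posted in this thread). It parses the O4 lines of the fix list and of a constructed excerpt of the later HijackThis log above, reports which listed entries are still present, and groups the remaining load points by the binary they launch, which shows two registry entries pointing at the same file. The log excerpt, the function names and the key format are my own construction for this example.

```python
"""Compare a HijackThis O4 fix list against a later log (added example)."""
import re
from typing import Dict, List, Tuple

# The helper's fix list from this thread (O4 entries only).
FIX_LIST = r"""
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: sfutg.exe
"""

# Constructed excerpt of the HijackThis log posted after the scan.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: sfutg.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
"""

# "O4 - <location>: [<name>] <command>" or "O4 - Startup: <item>"
O4_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)|(?P<item>.*))$"
)
# Leading executable of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)


def parse_o4(text: str) -> Dict[str, str]:
    """Map each O4 entry to its command line.

    Key format (assumed for this example): "<location>|<name>" in lower case,
    e.g. "hklm\\..\\run|aomkyk" or "startup|sfutg.exe", so the same entry
    matches across logs regardless of casing in the command line.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue  # other HijackThis sections are ignored here
        where = m.group("where").lower()
        if m.group("name") is not None:
            key, cmd = f"{where}|{m.group('name').lower()}", m.group("cmd")
        else:
            # Startup folder item: "Foo.lnk = C:\path" or a bare file name.
            name, sep, cmd = m.group("item").partition(" = ")
            if not sep:
                cmd = name
            key = f"{where}|{name.strip().lower()}"
        entries[key] = cmd.strip()
    return entries


def cleanup_status(fix_text: str, after_text: str) -> Tuple[List[str], List[str]]:
    """Return (still_present, gone) for the entries on the fix list."""
    wanted, current = parse_o4(fix_text), parse_o4(after_text)
    still = sorted(k for k in wanted if k in current)
    gone = sorted(k for k in wanted if k not in current)
    return still, gone


def load_points_by_binary(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Group autostart entries by the executable they launch."""
    by_bin: Dict[str, List[str]] = {}
    for key, cmd in entries.items():
        m = EXE_RE.match(cmd)
        binary = (m.group("exe") if m else cmd).lower()
        by_bin.setdefault(binary, []).append(key)
    return by_bin


if __name__ == "__main__":
    still, gone = cleanup_status(FIX_LIST, AFTER_LOG)
    print("still present:", still)
    print("gone:", gone)
    for binary, keys in load_points_by_binary(parse_o4(AFTER_LOG)).items():
        if len(keys) > 1:
            print("multiple load points for", binary, "->", keys)
```

Run against the constructed excerpt it reports the three entries the helper keeps seeing (`aomkyk`, `vltmb` and the Startup folder `sfutg.exe`) as still present, and shows that the two Run entries both start `C:\WINDOWS\awisam.exe`; a scan that quarantines the file without clearing both registry values leaves the load points behind, which is what the later log shows.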
0 -
The 29 files on the desktop are probably something BitDefender did. I'll need to take a look at them.
Please make a new folder on your desktop and name it BitDefenderFiles
Drag and drop each of those 29 files into the folder.
Put the folder into a zip file.
Upload the zip folder here
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from at LS ),
fill in a short message & then press the browse button and then navigate to & select the file on your desktop named BitDefenderFiles.zip. Highlight it and press *open*. Then you will see the file name in the white box for attachments. Press the *post* button to upload the file and your message. I can get it from there.
(Do not post HJT logs there as they will not get dealt with)
You DO NOT need to be a member to upload, anybody can upload the files
You will not see the files that have been uploaded as they only show to the authorized users who can download them
..........................................................
Qoologic trojan is proving to be a problem, as I expected.
Please do this next:
Try the Kaspersky free online scanner.
http://www.kaspersky.com/virusscanner
Copy the report at the end and post the results back here.
It will not remove anything found, but I just want to see the log results.
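To see from the scan summary posted above why the helper expects Qoologic to remain a problem, here is an added Python example (not BitDefender's code and not from this thread). It reads a constructed excerpt of the BitDefender "Summary:" section and classifies each detected object by its final action: removed (Deleted), quarantined (Moved after disinfection failed), or unresolved (every action failed, so the object is still where it was). The excerpt, the outcome names and the function names are assumptions made for this example.

```python
"""Classify the outcome of each object in a BitDefender 8 scan log (added example)."""
import re
from typing import Dict, List

# Constructed excerpt of the summary section of the scan log in this thread.
SAMPLE_LOG = r"""
Scan options
[X] Report file: vscan.log
Summary:
C:\WINDOWS\SYSTEM\dmonwv.dll Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\SYSTEM\dmonwv.dll Disinfection failed
C:\WINDOWS\SYSTEM\dmonwv.dll Moved
C:\WINDOWS\qhyxy.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\qhyxy.exe Disinfection failed
C:\WINDOWS\qhyxy.exe Moved
C:\WINDOWS\geitqux.dll Infected Trojan.Downloader.Qoologic.BJ
C:\WINDOWS\geitqux.dll Deleted
C:\NNSCAA638.EXE Detected: Application.Adware.NewDotNet.B.Dropper
C:\NNSCAA638.EXE Deleted
C:\visfx500.exe Infected MemScan:Trojan.Dropper.Agent.AIE
C:\visfx500.exe Disinfection failed
C:\visfx500.exe Moved
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Infected Win32.Sober.Y@mm
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Disinfection failed
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Move failed
"""

# Each summary line is "<object> <status>"; objects contain spaces, so the
# status is matched from the end against the shapes seen in the log.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?P<status>Infected \S+|Detected: \S+|Disinfection failed|"
    r"Move failed|Update failed|Moved|Deleted|Update)$"
)


def parse_summary(text: str) -> Dict[str, dict]:
    """Group the per-line results into one record per scanned object."""
    records: Dict[str, dict] = {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Summary:":
            in_summary = True
            continue
        if not in_summary:
            continue  # statistics and option lines above the summary
        m = LINE_RE.match(line)
        if not m:
            continue
        obj, status = m.group("obj"), m.group("status")
        rec = records.setdefault(obj, {"threat": None, "actions": []})
        if status.startswith(("Infected ", "Detected: ")):
            rec["threat"] = status.split(" ", 1)[1]
        else:
            rec["actions"].append(status)
    return records


def outcome(rec: dict) -> str:
    """Final state of one object: removed, quarantined or unresolved."""
    if "Deleted" in rec["actions"]:
        return "removed"
    if "Moved" in rec["actions"]:
        return "quarantined"
    return "unresolved"  # disinfection and move/update both failed


def by_outcome(records: Dict[str, dict]) -> Dict[str, int]:
    counts = {"removed": 0, "quarantined": 0, "unresolved": 0}
    for rec in records.values():
        if rec["threat"] is not None:
            counts[outcome(rec)] += 1
    return counts


def by_threat(records: Dict[str, dict]) -> Dict[str, int]:
    """Number of detected objects per threat name."""
    counts: Dict[str, int] = {}
    for rec in records.values():
        if rec["threat"]:
            counts[rec["threat"]] = counts.get(rec["threat"], 0) + 1
    return counts


def unresolved(records: Dict[str, dict]) -> List[str]:
    """Objects that were detected but neither deleted nor quarantined."""
    return [o for o, r in records.items() if r["threat"] and outcome(r) == "unresolved"]


if __name__ == "__main__":
    recs = parse_summary(SAMPLE_LOG)
    print(by_outcome(recs))
    print(by_threat(recs))
    for obj in unresolved(recs):
        print("still present:", obj)
```

The point for triage: "Moved" means the file was quarantined, not that the registry and Startup folder entries launching it were touched, so a Qoologic file that comes back on the next HijackThis log has either been re-dropped by another component or is a copy the scanner could not reach (here the one inside a mail backup archive, where the move failed).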
0 -
So I must connect to the internet in normal mode to perform the online Kaspersky scan. Should I be taking any precautionary measures to protect my system from further virus duplication? Also, is it safe to run an online scan? Would they have access to any of my files?
0 -
I just uploaded the 29 files (BitDefenderFiles) at the link you provided. I am in the process of installing and scanning with MWAV.
0 -
I really just need a log to see what is left. You can download this free tool as an alternative (it uses the kaspersky engine so should be close in results to KAV). It does not need any updates (already included)
MicroWorld AntiVirus Toolkit Utility (MWAV)
http://www.mwti.net/products/mwav/mwav.asp
(Please note that the FREE version will only scan your computer and NOT clean any infection that it finds.) <---which is OK for now, I just want to see the log. It will be rather long and probably too big to post here.
Upload a copy of the log here:
Go here to upload the log as an attachment
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from cwwllc at LS ),
fill in a short message & then press the browse button and then navigate to & select the log file on your computer, press the *Post* button to upload the file. I can collect it from there.
You DO NOT need to be a member to upload, anybody can upload the files
You will not see the files that have been uploaded as they only show to the authorized users who can download them
0 -
I got the files. All are 0 bytes and I haven't a clue why BitDefender put them on your desktop, but they don't look like anything you need to keep, so I would just delete that folder.
------------------------------
Ok, I figured it was the Qoo infection.
It's ok for this scan to do in normal mode only because I just need the log (and we aren't cleaning with that tool) But, I thought you said you couldn't get into safe mode? I guess you can now get into safe mode? Was the Bit Defender scan in safe mode?
------------------------------
MWAV is currently scanning, in normal mode (I forgot to use safe mode; I hope it won't make much of a difference). Thus far, it has found 21 critical objects, the majority of which are TrojanDownloader.Win32.Qoologic.bj, as follows:
TrojanDownloader.Win32.Qoologic.bj
Smitfraud Browser Hijacker
Precision Popup Spyware/Adware
I'll upload the log at the link you provided when it finishes.
------------------------------
I can get into Safe Mode fine. My problem was starting BitDefender in safe mode. Their support team told me that it must be started using the command prompt, which was confusing (see instructions link: http://kb.bitdefender.com/site/viewArticle...nd_Prompt.html). That is why I ran BitDefender in normal mode; it was the only mode I could get it to start in.
The scan is still running.
------------------------------
No, I can't tell from the logs we've seen.
------------------------------
So far, with all the logs that I've posted, do you think any of my MS Office files have been corrupted/compromised? Would opening any of them infect them or compromise them, etc.?
------------------------------
MWAV finished scanning. However, I am unable to open the log file. It is too large for Notepad, and when it attempts to open in WordPad it freezes. I'm not sure what to do next. If I click OK and close the program, will it save a log onto the hard drive? I'm not sure if it does.
It found the following:
Ttl Critical Objects: 41
Ttl Errors: 67
------------------------------
Arrrgh, I wish I could remember with Windows 98. Go ahead and click OK and see if a log was saved. If so, instead of opening it, try to upload it here:
http://www.thespykiller.co.uk/forum/index.php?topic=1909.0
(press reply and attach the log)
I'm feeling awful at my ineptness with Windows 98 while trying to help you. I'll try to find someone who is more up to speed on Win98 than I am to step in here.