
Infested, Urgent Help Please with Trojan

I am being bombarded with pop-ups and shortcuts appearing on my desktop because of trojan horse downloader.small.15.bs. I have run AVG and Ad-Aware and need your help now. I appreciate any help you can offer me.

This is my HijackThis Log File

Logfile of HijackThis v1.99.1
Scan saved at 8:57:10 AM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\WINDOWS\System32\Trirot.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\THKem.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Symbol Commander\Sensiva.exe
C:\WINDOWS\System32\ps1.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\qyqfdll.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\qyqfenc.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ncoifier.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system\ulfsbrp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\gbzhsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\msvsndmg.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsc1E.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [arpenyn] C:\WINDOWS\System32\arpenyn.exe
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TosHKCW.exe] TosHKCW.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [qyqfdll] C:\WINDOWS\qyqfdll.exe
O4 - HKLM\..\Run: [qyqfenc] C:\WINDOWS\qyqfenc.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [s79j3Ee] ncoifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [dwqtROK7W] msvsndmg.exe
O4 - HKCU\..\Run: [d3dramp] C:\WINDOWS\System32\d3dramp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0774d8fa977856920b23/netzip/RdxIE601.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0006.exe
O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\gbzhsvc.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Please remove this entry from Add/Remove Programs in the Control Panel (if present):

    Windows AFA Internet Enhancement



    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.


    Step 1
    Please download the trial version of Ewido Security Suite
    Install it, and download all updates. Then exit Ewido once all updates are installed.

    Step 2
    Please download and install Cleanup 4.0, but do not run it yet.

    Step 3
    Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)
    Unzip it to the desktop but do NOT run yet.

    Step 4
    Reboot your computer into Safe Mode

    Step 5
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    Step 6
    Please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Step 7
    Run CleanUp 4.0 that you installed earlier.

    Step 8
    Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.

    Step 9
    Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsc1E.dll
    O4 - HKLM\..\Run: [arpenyn] C:\WINDOWS\System32\arpenyn.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
    O4 - HKLM\..\Run: [qyqfdll] C:\WINDOWS\qyqfdll.exe
    O4 - HKLM\..\Run: [qyqfenc] C:\WINDOWS\qyqfenc.EXE
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [s79j3Ee] ncoifier.exe
    O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
    O4 - HKCU\..\Run: [dwqtROK7W] msvsndmg.exe
    O4 - HKCU\..\Run: [d3dramp] C:\WINDOWS\System32\d3dramp.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0774d8f...ip/RdxIE601.cab
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
    O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0006.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\gbzhsvc.exe


    Step 10
    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\gbzhsvc.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\qyqfdll.exe
    C:\WINDOWS\qyqfenc.EXE
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\mm15201518.Stub.exe
    C:\WINDOWS\System32\d3dramp.exe
    C:\WINDOWS\System32\vbrundll.dll
    C:\WINDOWS\System32\nsc1E.dll
    C:\WINDOWS\System32\arpenyn.exe
    C:\WINDOWS\System32\nsvsvc
    C:\WINDOWS\System32\ncoifier.exe
    C:\WINDOWS\System32\rasmxs.exe
    C:\WINDOWS\System32\msvsndmg.exe
    C:\Program Files\CxtPls


    Restart your computer and please post a new HijackThis log and the Ewido log.
  • edited June 2005
    Thank you so much for your response.

    I have completed all your suggested steps and am posting the logs you requested.

    Also, I am posting from a different computer as I have not permanently turned on the internet connection for the computer I am cleaning until I get the all clear from you. I had to turn it on for the instructions in Step One and that was a nightmare so unless you give me the go it will stay off till we are done.

    Here is the Ewido Scan Report

    ewido security suite - Scan report

    + Created on: 1:57:14 PM, 6/8/2005
    + Report-Checksum: 55C8676A

    + Date of database: 6/8/2005
    + Version of scan engine: v3.0

    + Duration: 80 min
    + Scanned Files: 51784
    + Speed: 10.70 Files/Second
    + Infected files: 19
    + Removed files: 19
    + Files put in quarantine: 19
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\

    + Scan result:
    C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
    C:\Program Files\CxtPls\uninstaller.exe -> Trojan.Pakes -> Cleaned with backup
    C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL -> TrojanDownloader.FunWeb.a -> Cleaned with backup
    C:\WINDOWS\csmxbvchvb.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
    C:\WINDOWS\gbzhsvc.exe -> TrojanDropper.Agent.mu -> Cleaned with backup
    C:\WINDOWS\mm15201518.Stub.exe -> Spyware.EZula.ah -> Cleaned with backup
    C:\WINDOWS\qyqfdll.exe -> TrojanDownloader.VB.hj -> Cleaned with backup
    C:\WINDOWS\qyqfenc.exe -> TrojanDownloader.VB.hj -> Cleaned with backup
    C:\WINDOWS\system\icawncpfqu.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
    C:\WINDOWS\system32\arpenynndw30104lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
    C:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
    C:\WINDOWS\system32\nsc1E.dll -> Spyware.HotBar -> Cleaned with backup
    C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
    C:\WINDOWS\system32\nsvsvc\nsvsvc.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
    C:\WINDOWS\system32\poker.exe -> TrojanDownloader.Agent.nj -> Cleaned with backup
    C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
    C:\WINDOWS\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup


    ::Report End



    and the HijackThis log file

    Logfile of HijackThis v1.99.1
    Scan saved at 2:47:21 PM, on 6/8/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\WINDOWS\System32\Trirot.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\THKem.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Symbol Commander\Sensiva.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [Trirot] Trirot.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
    O4 - HKLM\..\Run: [TosHKCW.exe] TosHKCW.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
    O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
    O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Your log looks clean to me. But you were heavily infected with some nasty trojans so I would recommend one more step just to be sure you're completely clean.

    Please run at least two of these online scans.
    Make sure they are set to clean automatically:

    Panda Virus Scan

    Bit Defender

    TrendMicro Housecall

    There will be files that these scans will not remove. Please include that information in your next post.


    Reboot and post a new hijackthis log and the info from your virus scans.
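An added example, not part of the original thread or of any tool it mentions: a Python check of the comparison the helper makes by eye, classifying each Step 9 fix-list entry against the before and after HijackThis logs and listing entries that appear only afterwards. The three excerpts are a few lines copied from the logs above; the function names are hypothetical, and treating the forum's "..." URL shortening as a wildcard is an assumption.

```python
import re

# A HijackThis entry line is "<section> - <body>", where section is a code
# such as R0, F2, O4 or O23. Header lines and the process list do not match.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpts from the thread's logs (a few lines each, not the full logs).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsc1E.dll
O4 - HKLM\..\Run: [qyqfenc] C:\WINDOWS\qyqfenc.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\gbzhsvc.exe
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Step 9 entries as posted; the first URL is shortened by the forum with "...".
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsc1E.dll
O4 - HKLM\..\Run: [qyqfenc] C:\WINDOWS\qyqfenc.EXE
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\gbzhsvc.exe
"""


def parse_entries(log_text):
    """Return (section, body) for every entry line in a HijackThis log."""
    return [(m.group(1), m.group(2))
            for m in map(ENTRY_RE.match, log_text.splitlines()) if m]


def entry_key(section, body):
    # Windows paths and registry names are case-insensitive, so compare casefolded.
    return section, body.casefold()


def body_matcher(body):
    """Regex for a fix-list body; each '...' elision becomes a wildcard (assumption)."""
    parts = (re.escape(p) for p in body.casefold().split("..."))
    return re.compile(".*".join(parts))


def verify_fix(fix_list, before_log, after_log):
    """Classify each fix-list entry as removed, still_present or not_in_before."""
    before = [entry_key(s, b) for s, b in parse_entries(before_log)]
    after = [entry_key(s, b) for s, b in parse_entries(after_log)]
    report = {"removed": [], "still_present": [], "not_in_before": []}
    for section, body in parse_entries(fix_list):
        rx = body_matcher(body)

        def found(entries):
            return any(s == section and rx.fullmatch(b) for s, b in entries)

        if found(after):
            status = "still_present"      # the fix did not hold, or it came back
        elif found(before):
            status = "removed"
        else:
            status = "not_in_before"      # typo in the fix list, or the wrong log
        report[status].append(f"{section} - {body}")
    return report


def new_entries(before_log, after_log):
    """Entries present only in the after log; each needs its own explanation."""
    seen = {entry_key(s, b) for s, b in parse_entries(before_log)}
    return [f"{s} - {b}" for s, b in parse_entries(after_log)
            if entry_key(s, b) not in seen]


if __name__ == "__main__":
    for status, lines in verify_fix(FIX_LIST, BEFORE, AFTER).items():
        print(f"{status}: {len(lines)}")
        for line in lines:
            print("   ", line)
    print("new since the first log:")
    for line in new_entries(BEFORE, AFTER):
        print("   ", line)
```

On these excerpts the only new entry is the ewido service installed in Step 1, which is expected; a new entry with no such explanation is what to look at next.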
  • edited June 2005
    Here is the information you requested

    Panda Scan


    Incident Status Location

    Adware:Adware/SaveNow No disinfected Windows Registry
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Fun & Games\Betting.lnk
    Adware:Adware/FunWeb No disinfected C:\Program Files\FunWebProducts
    Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate
    Adware:Adware/WinTools No disinfected Windows Registry
    Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
    Spyware:Spyware/Media-motor No disinfected Windows Registry
    Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
    Spyware:Spyware/YourSiteBar No disinfected C:\Program Files\YourSiteBar
    Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick*
    Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Administrator\Favorites\1111\1111.url
    Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
    Adware:Adware/BigTrafficNet No disinfected Windows Registry
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
    Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Administrator\Favorites\1111\1111.url
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Fun & Games\Betting.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Fun & Games\Casino Palace.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Fun & Games\Casino.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Fun & Games\Games.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Fun & Games\Horoscope.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Going Places\Air Tickets.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Going Places\Car Rentals.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Going Places\Hotel Deals.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Going Places\Luggage.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Going Places\Travel.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Living\Dating.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Living\Find a Degree.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Living\Find a job.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Living\Home.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Living\Insurance.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Auctions.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Books.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Computers.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Discount.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Flowers.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Golf.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Jewelry.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Movies.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Music.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Online Store.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Perfume.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Shop\Sleepwear.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Technology\Adware Remover.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Technology\Anti-Virus.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Technology\PC Cleaner.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Technology\Tech & gadgets.lnk
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\SSK3_B5 Verticlick 8.exe
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_auto_wider.swf
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_click_wider.swf
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_welcome.html
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_welcome1.swf
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\icon.gif
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\logo.gif
    Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
    Adware:Adware/Apropos No disinfected C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\ProxyStub.dll
    Adware:Adware/Apropos No disinfected C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\WinGenerics.dll
    Adware:Adware/ImGiant No disinfected C:\WINDOWS\myurlff.exe
    Adware:Adware/Transponder No disinfected C:\WINDOWS\spaqak.exe
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
    Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\system32\dist001.exe
    Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe


    AND BitDefender Scan

    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\atl.dll: infected with Trojan.Pakes.AF
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\atl.dll: disinfection failed
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\libexpat.dll: infected with Trojan.Pakes.AE
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\libexpat.dll: disinfection failed
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\ProxyStub.dll: infected with Trojan.Pakes.AD
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\ProxyStub.dll: disinfection failed
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\WinGenerics.dll: infected with Trojan.Pakes.AH
    C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\WinGenerics.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000014.exe: infected with Dropped:Trojan.Downloader.Small.ALY
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000014.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000017.dll: infected with Trojan.Pakes.AC
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000017.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000018.dll: infected with Trojan.Pakes.AJ
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000018.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000019.exe: infected with Trojan.Pakes.AL
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000019.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000020.dll: infected with Trojan.Pakes.AD
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000020.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000021.dll: infected with Trojan.Pakes.AE
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000021.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000022.dll: infected with Trojan.Pakes.AH
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000022.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000023.exe: infected with Trojan.Pakes.AG
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000023.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000024.dll: infected with Trojan.Pakes.AF
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000024.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000034.exe: infected with Trojan.Agent.CP
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000034.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000041.exe: infected with Trojan.Betterinternet.W
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000041.exe: deleted
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001074.exe: suspect Trojan.Downloader.Small.Gen
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001074.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001096.exe: infected with Trojan.Pakes.AL
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001096.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001097.dll: infected with Trojan.Pakes.AC
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001097.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001099.dll: infected with Adware.Promulgate
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001099.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001101.dll: infected with Trojan.Pakes.AJ
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001101.dll: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001104.exe: infected with Adware.Nail.A
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001104.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001105.exe: infected with Trojan.Stervis.C
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001105.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001387.exe: infected with Trojan.LowZones.AA
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001387.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001642.exe: infected with Trojan.Pakes.AG
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001642.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001643.DLL: infected with Trojan.Downloader.FunWeb.A
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001643.DLL: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001644.exe: infected with Trojan.Betterinternet.W
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001644.exe: deleted
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001646.exe: infected with Trojan.Downloader.MM.15
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001646.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001651.exe: infected with Trojan.Downloader.Apropo.AB
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001651.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001653.ocx: infected with Adware.Promulgate
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001653.ocx: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001654.exe: infected with Adware.Promulgate
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001654.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001655.exe: infected with Trojan.Downloader.Agent.NJ
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001655.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0002690.exe: infected with Dropped:Trojan.Downloader.VB.EU
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0002690.exe: disinfection failed
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0002692.exe: infected with Dropped:Trojan.Downloader.Small.ALY
    C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0002692.exe: disinfection failed
    C:\WINDOWS\spaqak.exe: infected with Trojan.Spybi
    C:\WINDOWS\spaqak.exe: disinfection failed

    AND lastly Hijack This

    Logfile of HijackThis v1.99.1
    Scan saved at 12:57:13 AM, on 6/9/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\WINDOWS\System32\Trirot.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\THKem.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Symbol Commander\Sensiva.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [Trirot] Trirot.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
    O4 - HKLM\..\Run: [TosHKCW.exe] TosHKCW.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
    O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
    O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

    Doesn't look good for the home team :confused: .

    LeeLee
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    It's not as bad as it looks.


    Delete these files/folders:

    C:\Program Files\FunWebProducts
    C:\Program Files\AutoUpdate
    C:\Program Files\SideFind
    C:\Program Files\FwBarTemp
    C:\Program Files\YourSiteBar
    C:\Program Files\SurfSideKick*
    C:\Program Files\joystick networks
    C:\Program Files\CashBack
    C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Administrator\Favorites\1111
    C:\Documents and Settings\Administrator\Favorites\Fun & Games
    C:\Documents and Settings\Administrator\Favorites\Going Places
    C:\Documents and Settings\Administrator\Favorites\Living
    C:\Documents and Settings\Administrator\Favorites\Shop
    C:\Documents and Settings\Administrator\Favorites\Technology
    C:\Documents and Settings\Administrator\SSK3_B5 Verticlick 8.exe
    C:\WINDOWS\myurlff.exe
    C:\WINDOWS\spaqak.exe
    C:\WINDOWS\system\QBUninstaller.exe
    C:\WINDOWS\system32\dist001.exe
    C:\WINDOWS\unstall.exe




    Flush your system restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in system restore will be booted off.

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a
    restore point" and click the Next button.

    Type a description for your new restore point. Something like "After
    cleanup". Click Create and you're done.




    Let me know how your computer is running now. Are you having any more problems?
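An added example, not part of the original posts: a short Python triage of BitDefender lines quoted earlier in the thread. It groups each unresolved detection by where the file sits, which shows which leftovers live inside System Restore points (the ones the flush above discards) and which are elsewhere on disk. The function names and location labels are assumptions of this example.

```python
import re
from collections import defaultdict

# A few lines copied from the BitDefender output quoted in this thread.
SAMPLE_LOG = r"""
C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\atl.dll: infected with Trojan.Pakes.AF
C:\RECYCLER\S-1-5-21-3731711434-1146017223-2240116167-500\Dc2\atl.dll: disinfection failed
C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000014.exe: infected with Dropped:Trojan.Downloader.Small.ALY
C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000014.exe: disinfection failed
C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000041.exe: infected with Trojan.Betterinternet.W
C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0000041.exe: deleted
C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001074.exe: suspect Trojan.Downloader.Small.Gen
C:\System Volume Information\_restore{0282B702-8C86-44DE-89E8-73ACCFE6C3D4}\RP1\A0001074.exe: disinfection failed
C:\WINDOWS\spaqak.exe: infected with Trojan.Spybi
C:\WINDOWS\spaqak.exe: disinfection failed
"""


def classify_location(path):
    """Label a path as a restore-point copy, a Recycle Bin item, or a live file."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if re.match(r"^[a-z]:\\recycler\\", p):
        return "recycle_bin"
    return "live"


def parse_scan(text):
    """Fold the scanner's two lines per file (verdict, then outcome) into one record."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        # Split on the last ': ' so the drive colon and names such as
        # 'Dropped:Trojan...' (no space after the colon) stay intact.
        path, status = line.rsplit(": ", 1)
        entry = findings.setdefault(
            path,
            {"detection": None, "outcome": None,
             "location": classify_location(path)},
        )
        verdict = re.match(r"(?:infected with|suspect) (.+)", status)
        if verdict:
            entry["detection"] = verdict.group(1)
        elif status in ("disinfection failed", "deleted"):
            entry["outcome"] = status
    return findings


def remaining_by_location(findings):
    """Group files the scanner flagged but did not delete, keyed by location."""
    grouped = defaultdict(list)
    for path, entry in findings.items():
        if entry["detection"] and entry["outcome"] != "deleted":
            grouped[entry["location"]].append(path)
    return dict(grouped)


if __name__ == "__main__":
    for location, paths in remaining_by_location(parse_scan(SAMPLE_LOG)).items():
        print(f"{location}: {len(paths)} file(s) still present")
        for path in paths:
            print("   ", path)
```
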
  • edited June 2005
    I deleted the files with the exception of one which I could not find ...

    C:\WINDOWS\system32\dist001.exe

    Ran several different searches to see if it was hiding out somewhere on the computer but all searches came up empty on that one.

    Flushed and set the new restore point.

    Things seem to be working ok ... no new desktop items and can use the internet without the major bombardment of pop-ups.

    You did not say if you wanted any new online scans or a HijackThis logfile so I have not included any.

    Anything else I need to do?

    LeeLee
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Your last hijackthis log was clean. If you are not having any more problems I would say you are clean.


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millenium System Restore

      or

      Windows XP System Restore Guide

      Reenable system restore with instructions from tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
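An added example, not part of the original post: a Python check that reads a `.reg` export of the Internet zone key (`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`) and reports which of the six Custom Level settings from step 2 differ from the values recommended there. The sample export is constructed for illustration, and the mapping from setting names to the numeric value names (1001, 1004, 1201, 1800, 1804, 1607) is supplied by this example rather than by the post.

```python
import re

# Zone action values: 0 = Enable, 1 = Prompt, 3 = Disable.
PROMPT, DISABLE = 1, 3
LABEL = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Value name under Zones\3 -> (setting named in step 2, value the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample export (not taken from the machine in this thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
'''


def parse_zone(reg_text, zone="3"):
    """Return {value name: int} for the DWORD values under the given zone key."""
    values, in_zone = {}, False
    suffix = "\\internet settings\\zones\\" + zone
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header: track whether we are inside the wanted zone.
            in_zone = line.rstrip("]").lower().endswith(suffix)
            continue
        m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
        if in_zone and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values


def describe(value):
    """Human-readable form of a zone action value."""
    if value is None:
        return "not set"
    return LABEL.get(value, hex(value))


def audit(values):
    """List (value name, setting, current, recommended) for every mismatch."""
    findings = []
    for action, (setting, wanted) in RECOMMENDED.items():
        current = values.get(action)
        if current != wanted:
            findings.append((action, setting, describe(current), LABEL[wanted]))
    return findings


if __name__ == "__main__":
    for action, setting, current, wanted in audit(parse_zone(SAMPLE_REG)):
        print(f"{action}  {setting}: {current} -> should be {wanted}")
```

A value reported as "not set" only means the export holds no per-user entry for it.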