J. Script Script-- Possibly a virus

Unknown · July 2005

Hey guys-

I've got 7 "J. Script Script" files their own respective folders. The name of all the files are util_OWA20[1]. I do have a very old version of Command Antivirus and Command's real time virus scanner DVP. DVP from time to time notices the file and the following pop appears:

"C:\Documents and Settings\alexr\Local Settings\Temporary Internet Files\Content.IE5\TUCR8AQK\util_OWA20[1].js could be a mass-mailing worm
Action: Infection reported C:\Documents and Settings\alexr\Local Settings\Temporary Internet Files\Content.IE5"

When I attempt to delete the folders are the files themselves another pop-up appears and notes that Access is denied as the file may be in use.
I have downloaded and am running Atvast home edition, Spybot, Adware, and Spyware Blaster. None of these programs notice these J.Script Script files.

Another thing to note the minute I double click or try to repeatedly delete the files the computer gets immediately bluescreened and is rebooted. Then proceeds to run a scandisk procedure. When the computer comes to everything is OK. I should also mention that the use Mozilla Firefox and this performs alot better in regards to loading pages than Internet Explorer.

Are J. Script Script files viruses? How can I remove these files?

Any suggestions, knowledge, or experience with these types of files is appreciated!!!

In any event here is my HIjack This log....

Logfile of HijackThis v1.99.1
Scan saved at 21:40:36, on 26/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
C:\WINNT\system32\alq.exe
C:\WINNT\system32\LVComS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes4.9\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Dvprpt] C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IRC Client] updated.exe
O4 - HKLM\..\Run: [Alogrithm Link Queue] alq.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes4.9\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKLM\..\RunServices: [Alogrithm Link Queue] alq.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - Global Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2E873621-4130-11D4-8EC3-00600811E753} (Quotes Control) - https://www.enrononline.com/jsp/activex/EnronOnlineQuotes.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F77A997-F0F3-11d1-9195-00C04FC990DC} -
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CSS AV Scheduler - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
O23 - Service: CSS Communication Agent (CSS_1630) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

Thanks,
LexLuther

SpywareShooter · July 2005

JScript files (usually .js) are not viruses, but can be part of one.

O4 - HKLM\..\Run: [IRC Client] updated.exe
O4 - HKLM\..\Run: [Alogrithm Link Queue] alq.exe
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKLM\..\RunServices: [Alogrithm Link Queue] alq.exe
O4 - HKCU\..\Run: [IRC Client] updated.exe

Fix those entries then find and delete the following files:
C:\WINNT\system32\alq.exe
updated.exe

Then reboot your computer and post a new log.

Lex · July 2005

Hey thanks for responding. I fixed the files you advised using HiJack this and deltedt the C:\WINNT\system32\alq.exe but could not find the updated.exe file. Where is the updated.exe located?

Thanks again for helping!

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\LVComS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes4.9\iTunesHelper.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Dvprpt] C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes4.9\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2E873621-4130-11D4-8EC3-00600811E753} (Quotes Control) - https://www.enrononline.com/jsp/activex/EnronOnlineQuotes.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F77A997-F0F3-11d1-9195-00C04FC990DC} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CSS AV Scheduler - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
O23 - Service: CSS Communication Agent (CSS_1630) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

SpywareShooter · August 2005

Run a [link=http://pandasoftware.com/activescan/]Free Panda Online Virus Scan[/link]. There may be some files that it cannot remove. Please post the log of those files here.

Lex · August 2005

Done. Here it is:

Incident Status Location

Adware:adware/cws No disinfected Windows Registry
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20050724-145336.backup
Dialer:Dialer.Gen No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\dia2.exe
Virus:Trj/Qhost.gen Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\169.tmp
Virus:Trj/Qhost.gen Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\16A.tmp
Virus:W32/Sdbot.DUY.worm Disinfected C:\Recycled\Dc10.exe

SpywareShooter · August 2005

Boot into Safe Mode (press F8 at the BIOS screen when booting) and delete this file:
C:\Documents and Settings\Administrator\Local Settings\Temp\dia2.exe

The boot back into Normal Mode and post a new log.

Lex · August 2005

Done and it was deleted without any problem.

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\LVComS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashAvast.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Dvprpt] C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes4.9\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2E873621-4130-11D4-8EC3-00600811E753} (Quotes Control) - https://www.enrononline.com/jsp/activex/EnronOnlineQuotes.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F77A997-F0F3-11d1-9195-00C04FC990DC} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CSS AV Scheduler - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
O23 - Service: CSS Communication Agent (CSS_1630) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

Thanks!!!

SpywareShooter · August 2005

Your HJT log looks allright. Can you post a Panda log?

Lex · August 2005

C:\Documents and Settings\alexr\Local Settings\Temporary Internet Files\Content.IE5\TUCR8AQK\util_OWA20[1].js could be a mass-mailing worm
Action: Infection reported

I am still receiveing this error from DVP during the Panda Scan process,
X 4 for every util_OWA20 file in the pathway named. The J.Script files are still in the above folder and cause my computer to reboot.

Here is my Panda Scan report:

Incident Status Location

Adware:adware/cws No disinfected Windows Registry
Possible Virus. No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\dia4.exe

Here is the latest hijack this report just in case something has changed...
Logfile of HijackThis v1.99.1
Scan saved at 18:58:53, on 20/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\LVComS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Dvprpt] C:\Program Files\Common Files\Command Software Shared\Scanner\dvprpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\External Drive\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes4.9\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2E873621-4130-11D4-8EC3-00600811E753} (Quotes Control) - https://www.enrononline.com/jsp/activex/EnronOnlineQuotes.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124557102482
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F77A997-F0F3-11d1-9195-00C04FC990DC} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CSS AV Scheduler - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\css-avs.exe
O23 - Service: CSS Communication Agent (CSS_1630) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Communication\css_1630.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software Shared\Scanner\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

Sorry about the delay in my responses. I travel quite a bit for work and findd myself away from the computer. Please know that I appreciate your help and really want to figure out this problem. THANKS!!

Lex

SpywareShooter · August 2005

You are safe to delete every file from the folder that you listed the javascript files were in.

Boot into Safe Mode (press F8 at the BIOS screen when booting) and delete this file:
C:\Documents and Settings\Administrator\Local Settings\Temp\dia4.exe

Then reboot and post a new Panda log.

J. Script Script-- Possibly a virus

Comments