
Collected.5.L AND Dropper.Agent.4.AH

Discussion in 'Malware and Virus Removal Archive' started by quest4u, 2005/05/13.

Thread Status:
Not open for further replies.
  1. 2005/05/13
    quest4u

    quest4u Inactive Thread Starter

    Joined:
    2005/05/13
    Messages:
    7
    Likes Received:
    0
    Hi there. I am fighting almost the same situation, but am getting more than one Trojan reported (including Dropper.small). In our case the processes that seem to reset themselves up are "mediaacck.exe" and "mediaaccess.exe" along with a shoponline application.
    Some of the behavioral issues:
    - If the "Media Access" and "Shop on Line" items are deleted in the Add
    and Remove Programs function, they come back uninvited,
    - If Regedit is used to find and remove all references to "mediaacc ", they
    'pretend' to go away but if you back up and look again the item is
    still there,
    - The "Media Access" sub-directory does not appear in Windows under
    the Program Files Directory, but if you go into command mode you can
    see the directory. You cannot remove (RD) the Media Access folder but
    you can enter it and delete the program files that are there. It doesn't
    help as they come back after subsequent restarts.
    - The above items have been done in Safe Mode, with System Restore off
    and with the Computer unplugged from the DSL Modem. The system is
    being scanned with Ad-Aware, Spybot S&D, A-Squared, ??shredder and
    AVG AntiVirus. All are up to date.
    - After everything checks out cleanly, the next time the internet is
    connected and we go on-line we get AVG notices of the various Trojans,
    apply the clean or remove actions, but eventually Internet Explorer fails,
    Task Manager will not start, and MS Word will not start.
    After running through the cycle many times I have no clear insight into what the root program is that keeps re-establishing the other programs. It seems to be a Trojan Downloader, Plug in or attachment to Internet Explorer that I can't isolate.
    I have been watching the internet for solutions for the past week or so and it appears that some people have been using the fdisk, format and reload solution, which is painful to say the least.
    Does anyone have a solution?
     
  2. 2005/05/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS quest4u :)

    I split your thread off into its own. We can continue working on it from here.

    Download HijackThis.exe from here. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and click scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet!

    Please download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labelled Virus Log Information and post it here.
     
  4. 2005/05/15
    quest4u

    quest4u Inactive Thread Starter

    Joined:
    2005/05/13
    Messages:
    7
    Likes Received:
    0
    Here is Hijack This Log

    Thank you NOAHDFEAR.

    Attached is The HJ Log. MWAV is still running on the infected computer.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:23:26 PM, on 15/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\veritas.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\RunServices: [WxcConfiguration] wmon16.exe
    O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Windows Registry Scan] winmedia.exe
    O4 - HKLM\..\RunServices: [Windows Update Monitoring Service] winupdt.exe
    O4 - HKLM\..\RunServices: [Microsoft Service Pack] WindowsSP.exe
    O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
    O4 - HKLM\..\RunServices: [AutoVirusProtection] ciscv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe "
    O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


    MWAV is finding over 40 Items that were not found by the other Tools. Is it that superior a product?
    Here are the MWAV results which I had to cut out of the detail report because I was unable to copy from the bottom frame of the MWAV window:

    Sun May 15 13:25:19 2005 => File C:\WINDOWS\System32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:19 2005 => File C:\WINDOWS\System32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:24 2005 => File C:\WINDOWS\System32\gah95on6.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:33 2005 => File C:\WINDOWS\system32\veritas.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:33 2005 => File C:\WINDOWS\System32\gah95on6.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:33 2005 => File C:\WINDOWS\system32\ciscv.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

    Sun May 15 13:25:34 2005 => File C:\WINDOWS\system32\micront.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

    Sun May 15 13:25:40 2005 => File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:42 2005 => File System Found infected by "ISearchTech.ISTdownloader Spyware/Adware" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:44 2005 => System found infected with WindUpdate Spyware/Adware (ide21201.vxd)! Action taken: No Action Taken.
    Sun May 15 13:25:44 2005 => File System Found infected by "WindUpdate Spyware/Adware" Virus. Action Taken: No Action Taken.

    Sun May 15 13:25:48 2005 => File C:\WINDOWS\u6f6uftuc.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:49 2005 => File C:\WINDOWS\System32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
    Sun May 15 13:25:57 2005 => File C:\WINDOWS\System32\bln02nqv.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    Sun May 15 13:26:06 2005 => File C:\WINDOWS\System32\dl.vbs infected by "Trojan-Downloader.VBS.Small.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:26:44 2005 => File C:\WINDOWS\System32\over.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:01 2005 => File C:\WINDOWS\System32\TFTP3060 infected by "Backdoor.Win32.Rbot.15" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:12 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\180sainstaller.exe infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:13 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\clientax.dll infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:16 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\res4.tmp infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:19 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:23 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\temp.fr6E6D\MediaAccC.dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:23 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\temp.fr6E6D\MediaAccC.dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:36 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\AXOD6Z56\origin[1].exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:47 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\BDFWC8NN\v4a[1].exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 13:27:54 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\OGJD6JJ8\MediaAccC[1].dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:03 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\UZ1HG6VJ\clearlog[1].rar infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:16 2005 => File C:\ada.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:16 2005 => File C:\clearlog.exe infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:42 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\180sainstaller.exe infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:42 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\clientax.dll infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:44 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\res4.tmp infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:47 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:50 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\temp.fr6E6D\MediaAccC.dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 13:28:59 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\AXOD6Z56\origin[1].exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 13:29:03 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\BDFWC8NN\v4a[1].exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 13:29:07 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\OGJD6JJ8\MediaAccC[1].dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 13:29:11 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\UZ1HG6VJ\clearlog[1].rar infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 13:29:17 2005 => File C:\Documents and Settings\Terry\My Documents\cocacola.exe tagged as not-a-virus:Joke.Win32.Cocola. No Action Taken.
    Sun May 15 13:29:20 2005 => File C:\Documents and Settings\Terry\over.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
    Sun May 15 13:29:24 2005 => File C:\har.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 13:30:11 2005 => File C:\min2.exe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
    Sun May 15 14:22:23 2005 => File C:\WINDOWS\System32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
    Sun May 15 14:22:31 2005 => File C:\WINDOWS\System32\bln02nqv.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    Sun May 15 14:22:40 2005 => File C:\WINDOWS\System32\dl.vbs infected by "Trojan-Downloader.VBS.Small.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:03 2005 => File C:\WINDOWS\System32\over.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:15 2005 => File C:\WINDOWS\System32\TFTP3060 infected by "Backdoor.Win32.Rbot.15" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:22 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\180sainstaller.exe infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:22 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\clientax.dll infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:26 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\res4.tmp infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:29 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:33 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\temp.fr6E6D\MediaAccC.dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:47 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\AXOD6Z56\origin[1].exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 14:23:57 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\BDFWC8NN\v4a[1].exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:04 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\OGJD6JJ8\MediaAccC[1].dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:12 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\UZ1HG6VJ\clearlog[1].rar infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:25 2005 => File C:\ada.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:25 2005 => File C:\clearlog.exe infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:25 2005 => File C:\clearlog.exe infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:51 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\180sainstaller.exe infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:51 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\clientax.dll infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:53 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\res4.tmp infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:56 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
    Sun May 15 14:24:59 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\temp.fr6E6D\MediaAccC.dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 14:25:08 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\AXOD6Z56\origin[1].exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 14:25:12 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\BDFWC8NN\v4a[1].exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 14:25:16 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\OGJD6JJ8\MediaAccC[1].dll infected by "not-a-virus:AdWare.WinAD.ao" Virus. Action Taken: No Action Taken.
    Sun May 15 14:25:20 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\UZ1HG6VJ\clearlog[1].rar infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.
    Sun May 15 14:25:26 2005 => File C:\Documents and Settings\Terry\My Documents\cocacola.exe tagged as not-a-virus:Joke.Win32.Cocola. No Action Taken.
    Sun May 15 14:25:30 2005 => File C:\Documents and Settings\Terry\over.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:25:34 2005 => File C:\har.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
    Sun May 15 14:35:23 2005 => File C:\WINDOWS\system32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
    Sun May 15 14:35:31 2005 => File C:\WINDOWS\system32\bln02nqv.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    Sun May 15 14:35:39 2005 => File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\052F05QF\over[1].exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:35:39 2005 => File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SDING9U3\hi[1].html infected by "Trojan-Clicker.JS.Linker.j" Virus. Action Taken: No Action Taken.
    Sun May 15 14:35:47 2005 => File C:\WINDOWS\system32\dl.vbs infected by "Trojan-Downloader.VBS.Small.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:38:16 2005 => File C:\WINDOWS\system32\over.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
    Sun May 15 14:38:38 2005 => File C:\WINDOWS\system32\TFTP3060 infected by "Backdoor.Win32.Rbot.15" Virus. Action Taken: No Action Taken.
    Sun May 15 14:38:58 2005 => File C:\WINDOWS\u6f6uftuc.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
     
    Last edited: 2005/05/15
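Before acting on a report like the one above, a defender would collapse the repeated lines (MWAV lists the same file once per scan pass) and separate the backdoor/trojan hits from the adware-class ones, since the former decide whether the machine can be trusted at all. The Python script below is an added illustration, not part of this thread or of MWAV: it parses MWAV's line format and triages the hits. The sample lines are constructed from the report above and deliberately reproduce the record that the copy/paste broke in two with another record pasted into the gap (C:\WINDOWS\system3 ... 2\veritas.exe), so the repair of that damage is shown as well.

```python
import re

# Constructed sample in MWAV's line format. It includes the same file reported
# twice, one record that a copy/paste broke in two with another record pasted
# into the gap (the damage visible in the post above), one "tagged as" record,
# one "System found infected with" record, and one record that names no file.
SAMPLE_LOG = r"""
Sun May 15 13:25:19 2005 => File C:\WINDOWS\System32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
Sun May 15 13:25:19 2005 => File C:\WINDOWS\System32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
Sun May 15 13:25:33 2005 => File C:\WINDOWS\system3Sun May 15 13:27:13 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\clientax.dll infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
2\veritas.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
Sun May 15 13:25:40 2005 => File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun May 15 13:25:44 2005 => System found infected with WindUpdate Spyware/Adware (ide21201.vxd)! Action taken: No Action Taken.
Sun May 15 13:27:01 2005 => File C:\WINDOWS\System32\TFTP3060 infected by "Backdoor.Win32.Rbot.15" Virus. Action Taken: No Action Taken.
Sun May 15 13:29:17 2005 => File C:\Documents and Settings\Terry\My Documents\cocacola.exe tagged as not-a-virus:Joke.Win32.Cocola. No Action Taken.
"""

# Every MWAV record opens with a ctime-style timestamp followed by " => ".
STAMP = re.compile(r"(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4} => ")
# Two record styles name a file: 'File <drive path> infected by "<name>" Virus.'
# and 'File <drive path> tagged as <name>.'
FILE_HIT = re.compile(
    r'File (?P<path>[A-Za-z]:\\.+?) '
    r'(?:infected by "(?P<name>[^"]+)" Virus|tagged as (?P<tag>\S+)\.(?:\s|$))'
)
# A third style gives only a bare filename in parentheses.
SYSTEM_HIT = re.compile(r"System found infected with (?P<name>.+?) \((?P<path>[^)]+)\)!")


def is_complete(record: str) -> bool:
    # Both record styles end with "... Action Taken." / "... No Action Taken."
    return record.rstrip().endswith("Taken.")


def normalise_records(text: str) -> list:
    """Return one complete record per item, repairing copy/paste damage:
    a record cut in two is re-joined, and a record pasted into the middle
    of another one is split back out."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()          # forum indentation is not part of the record
        if not line:
            continue
        starts = [m.start() for m in STAMP.finditer(line)]
        # Text before the first timestamp (or a whole line without one) is the
        # tail of a record cut off earlier; an orphan tail with nothing to
        # attach to is dropped.
        head_end = starts[0] if starts else len(line)
        if head_end and pending is not None:
            pending += line[:head_end]
            if is_complete(pending):
                records.append(pending)
                pending = None
        # Each timestamp starts a new record; one that does not end with
        # "Taken." is still missing its tail and waits for it.
        for i, start in enumerate(starts):
            stop = starts[i + 1] if i + 1 < len(starts) else len(line)
            chunk = line[start:stop]
            if is_complete(chunk):
                records.append(chunk)
            else:
                if pending is not None:
                    records.append(pending)   # unrepairable fragment, keep as-is
                pending = chunk
    if pending is not None:
        records.append(pending)
    return records


def parse_record(record: str):
    """Return (path, detection name), or None when the record names no file."""
    m = FILE_HIT.search(record)
    if m:
        return m.group("path"), m.group("name") or m.group("tag")
    m = SYSTEM_HIT.search(record)
    if m:
        return m.group("path"), m.group("name")
    return None


def is_pua(name: str) -> bool:
    # Kaspersky-style engines prefix adware and jokes with "not-a-virus:";
    # MWAV's own spyware/adware signatures carry "Spyware/Adware" in the name.
    return name.startswith("not-a-virus:") or "Spyware/Adware" in name


def triage(text: str) -> dict:
    """One entry per file (paths compared case-insensitively, as on Windows),
    split into backdoor/trojan hits versus adware-class findings."""
    seen = {}
    for record in normalise_records(text):
        hit = parse_record(record)
        if hit is None:
            continue
        path, name = hit
        seen.setdefault(path.lower(), (path, name))
    result = {"malware": {}, "pua": {}}
    for path, name in seen.values():
        result["pua" if is_pua(name) else "malware"][path] = name
    return result


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(hits)}) ==")
        for path, name in sorted(hits.items()):
            print(f"  {name:40} {path}")
```

Run as-is it prints two buckets: the Rbot hits (veritas.exe, TFTP3060) under malware and the adware, joke and WindUpdate entries under pua, with the duplicated 2b3fsk0h.dll listed once. The two-line split is repaired only because MWAV records end in a fixed phrase; a log format without such a terminator would need a different heuristic.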
  5. 2005/05/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download the trial version of ewido security suite.
    • Install ewido security suite and start the program from the icon on your desktop.
    • The program will prompt you to update. Click the OK button
    • The program will now go to the main screen
    • On the left hand side of the main screen click update
    • Click on Start
    The update will start and a progress bar will show the updates being installed.
    Once the updates are installed do the following:
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
    Reboot your machine and post back a new HJT log and the ewido.txt log file you saved.
     
  6. 2005/05/16
    quest4u

    quest4u Inactive Thread Starter

    Joined:
    2005/05/13
    Messages:
    7
    Likes Received:
    0
    Ewido and Hijack This Logs

    Here is EWIDO:

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 8:31:29 PM, 16/05/2005
    + Report-Checksum: 41BCFF9B

    + Date of database: 16/05/2005
    + Version of scan engine: v3.0

    + Duration: 15 min
    + Scanned Files: 50031
    + Speed: 55.45 Files/Second
    + Infected files: 21
    + Removed files: 21
    + Files put in quarantine: 21
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\

    + Scan result:
    C:\ada.exe -> Spyware.WinAD.ab -> Cleaned with backup
    C:\clearlogs.exe -> Spyware.Winad -> Cleaned with backup
    C:\Documents and Settings\Terry\Cookies\terry@ads.guardian.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Terry\Cookies\terry@ads.thestar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Terry\Cookies\terry@go.mailbits[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Terry\Cookies\terry@orbitz.rpts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Terry\Cookies\terry@visit.theglobeandmail[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temp\clientax.dll -> Spyware.180Solutions -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temp\res4.tmp -> Spyware.180Solutions -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temp\shop1004.exe -> Spyware.Sahat.m -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temp\temp.fr6E6D\MediaAccC.dll -> Spyware.WinAD.ag -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temp\temp.frFE62 -> Spyware.IBISToolbar -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\BDFWC8NN\clearlogs[1].rar -> Spyware.Winad -> Cleaned with backup
    C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\OGJD6JJ8\MediaAccC[1].dll -> Spyware.WinAD.ag -> Cleaned with backup
    C:\Documents and Settings\Terry\over.exe -> Spyware.WinFetcher.b -> Cleaned with backup
    C:\WINDOWS\system32\2b3fsk0h.dll -> Spyware.Sahat.l -> Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\052F05QF\over[1].exe -> Spyware.WinFetcher.b -> Cleaned with backup
    C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
    C:\WINDOWS\system32\over.exe -> Spyware.WinFetcher.b -> Cleaned with backup
    C:\WINDOWS\system32\TFTP3060 -> Backdoor.Rbot -> Cleaned with backup
    C:\WINDOWS\u6f6uftuc.exe -> Spyware.Sahat.o -> Cleaned with backup

    ::Report End


    AND HERE IS THE HIJACK THIS LOG:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:46:30 PM, on 16/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Documents and Settings\Terry\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunServices: [AutoVirusProtection] ciscv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe "
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    Thank You!

    Also - I have created a .bat file from the original MWAV log which will do file deletes on all the infected files. I have not run it yet as I will need to clean it out after the ewido cleanup.
     
    Last edited: 2005/05/16
  7. 2005/05/16
    noahdfear

    Create a new folder on the desktop named HJT and move HijackThis.exe to there. Scan again, place a check next to the following entries, close all other windows and click fix. The green entries are optional.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/.../search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/.../search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
    O4 - HKLM\..\RunServices: [AutoVirusProtection] ciscv.exe

    Reboot to safe mode and run your batch. You also need to search for a file named ICP.exe and delete it if found.

    Reboot back into Windows and run another MWAV. Post the results and a new HijackThis log.
     
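The reply above picks out two kinds of HijackThis entry: O2/O3 items whose CLSID points at a file that no longer exists, and an O4 autorun entry whose image is a bare filename with no path. As an added example (not code from the thread, from the helper, or from HijackThis itself), the Python below applies those two rules to constructed log lines in HijackThis 1.99 format. The sample lines reuse entries quoted in this thread; the two rules are the editor's reading of what the helper looked for, not HijackThis's own detection logic.

```python
"""
Added example: triage HijackThis 1.99 log lines by flagging O2/O3 entries
whose file is missing and O4 autorun entries whose image has no path.
The sample log below is constructed for this example from entries quoted
in the thread.
"""
import re

# Constructed sample, HijackThis 1.99 log format (backslashes doubled for Python).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\RunServices: [AutoVirusProtection] ciscv.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

# "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# O4 body: "<hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s*(.*)$")


def parse_entries(text):
    """Yield (section, body, original_line) for each recognised log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), line.strip()))
    return entries


def command_image(command):
    """Return the executable part of an autorun command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(text):
    """Return a list of (reason, line) for entries a helper would mark for fixing."""
    findings = []
    for section, body, line in parse_entries(text):
        if section in ("O2", "O3") and body.rstrip().endswith("(no file)"):
            # Registered CLSID whose DLL is gone: dead entry, safe to remove.
            findings.append(("orphaned CLSID, file missing", line))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            hive, key, name, command = m.groups()
            image = command_image(command)
            if "\\" not in image:
                # A bare filename is resolved by the PATH search at logon, so
                # the binary's real location is not fixed; legitimate vendors
                # almost always register a full path.
                findings.append((f"{key} entry with pathless image {image!r}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The script only reports; the actual fix is still done in HijackThis, and a pathless image should be located on disk (the thread's ciscv.exe lives under System32 per the later MWAV log) before deciding what it is.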
  8. 2005/05/17
    quest4u

    Tuesday Tasks

    Thanks and here are the results. I did not remove the items that you said were optional in HijackThis. Perhaps I should have.

    Here is the new MWAV log, which was cut and pasted to a notebook file:

    ----------------------------------------------------------------------
    Tue May 17 20:12:39 2005 => ERROR!!! Invalid Entry \??\C:\Documents and Settings\Terry\msdirectx.sys in SYSTEM\CurrentControlSet\Services\msdirectx...
    Tue May 17 20:12:42 2005 => Scanning File C:\WINDOWS\system32\JAVASUP.VXD
    Tue May 17 20:12:49 2005 => System found infected with IBIS Spyware/Adware ({fb45c451-b0e9-4407-bb6a-9361013f3e9a})! Action taken: No Action Taken.
    Tue May 17 20:12:49 2005 => File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
    Tue May 17 20:12:51 2005 => Offending Folder C:\DOCUME~1\Terry\FAVORI~1\Living present...
    Tue May 17 20:12:51 2005 => System found infected with ISearchTech.ISTdownloader Spyware/Adware! Action taken: No Action Taken.
    Tue May 17 20:12:51 2005 => File System Found infected by "ISearchTech.ISTdownloader Spyware/Adware" Virus. Action Taken: No Action Taken.

    Tue May 17 20:13:13 2005 => Scanning File C:\WINDOWS\System32\cmd.ftp
    Tue May 17 20:13:13 2005 => File C:\WINDOWS\System32\cmd.ftp infected by "Trojan-Downloader.BAT.Ftp.r" Virus. Action Taken: No Action Taken.
    Tue May 17 20:13:35 2005 => Scanning File C:\WINDOWS\System32\irun4.exeopen
    Tue May 17 20:13:35 2005 => File C:\WINDOWS\System32\irun4.exeopen infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
    Tue May 17 20:14:00 2005 => Scanning File C:\WINDOWS\System32\o
    Tue May 17 20:14:00 2005 => File C:\WINDOWS\System32\o infected by "Trojan-Downloader.BAT.Ftp.ab" Virus. Action Taken: No Action Taken.
    Tue May 17 20:14:32 2005 => Scanning File C:\DOCUME~1\Terry\LOCALS~1\Temp\180SAAX.cab
    Tue May 17 20:14:32 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\180SAAX.cab infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Tue May 17 20:14:51 2005 => Scanning File C:\DOCUME~1\Terry\LOCALS~1\Temp\temp.fr3880
    Tue May 17 20:14:51 2005 => File C:\DOCUME~1\Terry\LOCALS~1\Temp\temp.fr3880 infected by "not-a-virus:AdWare.WebSearch.f" Virus. Action Taken: No Action Taken.
    Tue May 17 20:15:20 2005 => Scanning File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\AXOD6Z56\tb3[1].cab
    Tue May 17 20:15:20 2005 => File C:\DOCUME~1\Terry\LOCALS~1\TEMPOR~1\Content.IE5\AXOD6Z56\tb3[1].cab infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    Tue May 17 20:17:14 2005 => Scanning File C:\Documents and Settings\Terry\Local Settings\Temp\180SAAX.cab
    Tue May 17 20:17:14 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\180SAAX.cab infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
    Tue May 17 20:17:29 2005 => Scanning File C:\Documents and Settings\Terry\Local Settings\Temp\temp.fr3880
    Tue May 17 20:17:29 2005 => File C:\Documents and Settings\Terry\Local Settings\Temp\temp.fr3880 infected by "not-a-virus:AdWare.WebSearch.f" Virus. Action Taken: No Action Taken.
    Tue May 17 20:17:53 2005 => Scanning File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\AXOD6Z56\tb3[1].cab
    Tue May 17 20:17:53 2005 => File C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\AXOD6Z56\tb3[1].cab infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    Tue May 17 20:18:43 2005 => Scanning File C:\hiberfil.sys
    Tue May 17 20:18:43 2005 => Result: ERROR!!! File C:\hiberfil.sys: Scanning Failure!!!
    Tue May 17 20:18:43 2005 => ERROR!!! ScanFile fails for C:\hiberfil.sys
    Tue May 17 20:18:43 2005 => Scanning Folder: C:\HijackThis\*.*
    Tue May 17 20:18:43 2005 => Scanning File C:\HijackThis\HijackThis.exe
    Tue May 17 20:18:44 2005 => Scanning File C:\HijackThis\hijackthis.log
    Tue May 17 20:24:42 2005 => Scanning File C:\min2.Vexe
    Tue May 17 20:24:42 2005 => File C:\min2.Vexe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
    Tue May 17 20:24:43 2005 => Scanning File C:\pagefile.sys
    Tue May 17 20:24:43 2005 => Result: ERROR!!! File C:\pagefile.sys: Scanning Failure!!!
    Tue May 17 20:24:43 2005 => ERROR!!! ScanFile fails for C:\pagefile.sys
    Tue May 17 20:42:49 2005 => Scanning File C:\WINDOWS\system32\cmd.ftp
    Tue May 17 20:42:49 2005 => File C:\WINDOWS\system32\cmd.ftp infected by "Trojan-Downloader.BAT.Ftp.r" Virus. Action Taken: No Action Taken.
    Tue May 17 20:45:08 2005 => Scanning File C:\WINDOWS\system32\irun4.exeopen
    Tue May 17 20:45:08 2005 => File C:\WINDOWS\system32\irun4.exeopen infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
    Tue May 17 20:45:47 2005 => Scanning File C:\WINDOWS\system32\o
    Tue May 17 20:45:48 2005 => File C:\WINDOWS\system32\o infected by "Trojan-Downloader.BAT.Ftp.ab" Virus. Action Taken: No Action Taken.


    Tue May 17 20:46:49 2005 => Total Objects Scanned: 44429
    Tue May 17 20:46:49 2005 => Total Virus(es) Found: 19
    Tue May 17 20:46:49 2005 => Total Disinfected Files: 0
    Tue May 17 20:46:49 2005 => Total Files Renamed: 0
    Tue May 17 20:46:49 2005 => Total Deleted Objects: 0
    Tue May 17 20:46:49 2005 => Total Errors: 46
    Tue May 17 20:46:49 2005 => Time Elapsed: 00:34:28
    Tue May 17 20:46:49 2005 => Virus Database Date: 2005/05/12
    Tue May 17 20:46:49 2005 => Virus Database Count: 129400

    Tue May 17 20:46:49 2005 => Scan Completed.

    --------------------------------------------------------------------------
    And here is the HIJACK THIS! result:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:32 PM, on 17/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Terry\Desktop\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe "
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    You will note that I have tried the Ewido and Nod32 Trial scans. They do not find as many items as MWAV. Would MWAV be able to Clean all the items it has found?

    Thank you.
     
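An earlier post in this thread mentions building a .bat file from the MWAV log to delete every infected file, and the log above shows why that needs some care: the same file is reported twice, once under its 8.3 short path and once under its long path; some hits are "not-a-virus:AdWare" rather than trojans; and the "File System Found infected by" lines name a detection but no file. As an added example (not code from the thread or from MWAV), the Python below parses constructed lines in the format quoted above, keeps only files MWAV left untouched, dedupes by a normalised path, and writes out the batch file. The short-to-long name table is an assumption made for the constructed sample; on a real system the filesystem resolves those names.

```python
"""
Added example: build a deduplicated deletion list (and a .bat file) from
MWAV log lines. Sample lines are constructed for this example in the
format quoted in the thread.
"""
import re

# Constructed sample (backslashes doubled for Python). Note the duplicate
# cmd.ftp and 180SAAX.cab hits and the file-less "File System Found" line.
SAMPLE_MWAV = """\
Tue May 17 20:12:49 2005 => File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
Tue May 17 20:13:13 2005 => Scanning File C:\\WINDOWS\\System32\\cmd.ftp
Tue May 17 20:13:13 2005 => File C:\\WINDOWS\\System32\\cmd.ftp infected by "Trojan-Downloader.BAT.Ftp.r" Virus. Action Taken: No Action Taken.
Tue May 17 20:14:32 2005 => File C:\\DOCUME~1\\Terry\\LOCALS~1\\Temp\\180SAAX.cab infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
Tue May 17 20:17:14 2005 => File C:\\Documents and Settings\\Terry\\Local Settings\\Temp\\180SAAX.cab infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.
Tue May 17 20:18:43 2005 => ERROR!!! ScanFile fails for C:\\hiberfil.sys
Tue May 17 20:24:42 2005 => File C:\\min2.Vexe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
Tue May 17 20:42:49 2005 => File C:\\WINDOWS\\system32\\cmd.ftp infected by "Trojan-Downloader.BAT.Ftp.r" Virus. Action Taken: No Action Taken.
"""

# Only lines naming a real drive path count; "File System Found infected by"
# has no path and is skipped by the [A-Za-z]:\ requirement.
INFECTED_RE = re.compile(
    r'=> File (?P<path>[A-Za-z]:\\.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.?$'
)

# Assumed 8.3 -> long directory names for the constructed sample only.
SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "LOCALS~1": "Local Settings",
    "TEMPOR~1": "Temporary Internet Files",
}


def normalize(path):
    """Expand known short names and lower-case so short/long and case variants collide."""
    parts = [SHORT_NAMES.get(p, p) for p in path.split("\\")]
    return "\\".join(parts).lower()


def parse_detections(text):
    """Return {normalized_path: (path_as_logged, detection_name, action)}, first hit wins."""
    found = {}
    for line in text.splitlines():
        m = INFECTED_RE.search(line)
        if not m:
            continue
        key = normalize(m.group("path"))
        found.setdefault(key, (m.group("path"), m.group("name"), m.group("action")))
    return found


def deletion_list(text, include_adware=True):
    """Paths MWAV reported but did not act on, optionally without the not-a-virus adware hits."""
    paths = []
    for key, (path, name, action) in sorted(parse_detections(text).items()):
        if not include_adware and name.startswith("not-a-virus:"):
            continue
        if action != "No Action Taken":
            continue  # MWAV already disinfected/renamed/deleted this one
        paths.append(path)
    return paths


def make_batch(paths):
    """Render a cmd.exe batch file; 'if exist' keeps a missing file from aborting the run."""
    lines = ["@echo off"]
    for p in paths:
        lines.append(f'if exist "{p}" del /f /q "{p}"')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(make_batch(deletion_list(SAMPLE_MWAV)))
```

Run the resulting batch in Safe Mode, as the reply above advises: `del` fails on a file that is open or being re-dropped by a still-running component, which is exactly the behaviour the first post describes, so a file that survives the batch is the one to look at next.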
  9. 2005/05/18
    quest4u

    Quest4u follow up

    Hello noahdfear and THANK YOU!

    Subsequent to the above posting, I downloaded a couple of other trial spyware/malware scanners. I also manually deleted the last few items and have reached the point where the only things now identified by MWAV are the 2 file system infection comments. They are the "IBIS Spyware/Adware" and "ISearchTech.ISTdownloader Spyware/Adware" items.

    Is there any way that these can be removed?

    Thank You.
     
  10. 2005/05/18
    noahdfear

    You're most welcome. :)

    Post the complete findings of MWAV please.

    You are very behind on Windows Updates. That leaves your computer exposed to many vulnerabilities that Microsoft has issued patches for. Now that your system is clean (almost :rolleyes: ), I recommend you first clear all past System Restore points, since there's a good chance one or more are infected. Right-click My Computer and choose Properties. On the System Restore tab, check the box to turn it off. OK out.

    Reboot and turn it back on. Then, click Start>All Programs>Windows Update and accept all critical updates offered (Express Install). Reboot when prompted and go back for more, until no more are offered.

    Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly and watch for any protection being disabled. Then, still in Spybot, click the tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.
     
  11. 2005/05/20
    quest4u

    Almost there!

    Hi noahdfear:

    Have completed the last items you suggested with the following exceptions:
    1. In Spybot I was unable to lock the Hosts file because it was grayed out.
    2. How do I post the complete findings of MWAV? Do you want to see the entire humongous log file? I am unable to copy the lower window using the normal copy & paste process.

    Thanks again :)
     
  12. 2005/05/20
    noahdfear

    Try clicking in the lower MWAV window and then pressing Ctrl+A to select all, then Ctrl+C to copy, open a reply window here and press Ctrl+V to paste. If it still won't work, do the scan results contain a high number of files found in system_volume_information? If so, those are restore points and I don't need to see them. We will purge those when we're sure your computer is clean and operating properly. Does it contain a large number of invalid registry entries? Don't need to see them either, but let me know if the answer is yes to each. ;)
     