Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan Again!!!.. and again... and again...

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Ryuji35 » April 16th, 2006, 11:14 am

(MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)




Vulnerability Identifier: CAN-2003-0109
Discovery Date: Mar 17, 2003
Risk: Highly Critical
Vulnerability Assessment Pattern File: 008
Related Malware: AGOBOT FAMILY, BKDR_RBOT.B, BKDR_SDBOT.CC, TROJ_KAHT.A, TROJ_ROLARK.A, TROJ_WCOT.A, WORM_GAOBOT.AC, WORM_KIBUV.B, WORM_MUMU.C, WORM_NACHI.A, WORM_NACHI.B, WORM_NACHI.C, WORM_NACHI.D, WORM_NACHI.F, WORM_NACHI.G, WORM_NACHI.I, WORM_NACHI.K, WORM_RBOT.AA, WORM_RBOT.AB, WORM_RBOT.AE, WORM_RBOT.AF, WORM_RBOT.AJ, WORM_RBOT.BZ, WORM_RBOT.CC, WORM_RBOT.EM, WORM_RBOT.R, WORM_RBOT.TW, WORM_RBOT.W, WORM_RBOT.WU, WORM_RBOT.ZA, WORM_SDBOT.BV, WORM_SDBOT.CC, WORM_SDBOT.DZ, WORM_SDBOT.FB, WORM_SDBOT.FC, WORM_SDBOT.FD, WORM_SDBOT.FE, WORM_SDBOT.FQ, WORM_SDBOT.G, WORM_SDBOT.GO, WORM_SDBOT.IG, WORM_SDBOT.IY, WORM_SDBOT.JG, WORM_SDBOT.JS, WORM_SDBOT.JT, WORM_SDBOT.JY, WORM_SDBOT.K, WORM_SDBOT.KY, WORM_SDBOT.M, WORM_SDBOT.MD, WORM_SDBOT.MG, WORM_SDBOT.MH, WORM_SDBOT.PF, WORM_SDBOT.WY, WORM_SDBOT.ZY, WORM_SPYBOT.AP, WORM_SPYBOT.CG, WORM_SPYBOTER.CY, WORM_SPYBOTER.CZ
Affected Software:
Microsoft Windows 2000
Microsoft Windows NT 4.0
Microsoft Windows NT Server 4.0 Terminal Server Edition
Microsoft Windows XP

Description:


This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP.

The World Wide Web Distributed Authoring and Versioning (WebDAV) is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet.

A vulnerability exists in an unchecked buffer in the Windows file, NTDLL.DLL. This file is involved in processing parameters coming from HTTP WebDAV requests.

Exploit Details

IMPORTANT: Users of Trend Micro PC-cillin Internet Security and Network VirusWall can protect their systems from any potential virus threats that use this exploit. Network Virus Pattern (NVP) 10118, or later, can detect this exploit at the network layer as MS03-007_WEBDAV_EXPLOIT.

This WebDAV vulnerability can be exploited by using it as an attack vector. This attack is composed of a very long parameter supplied to the WebDAV component. Due to improper bounds checking within NTDLL.DLL, this will result to a buffer overflow.

The said overflow can cause the server to crash, resulting to a denial of service. Furthermore, the attack could be crafted in such a way that an arbitrary code will be executed. The code would run with the same privilege as that of the IIS Service (i.e., Local System Privilege), allowing the attacker to perform almost anything on the compromised machine such as creating, deleting or editing files and registry entries.


Patch Information:


The patch released for these vulnerabilities cover highly critical security holes. It should be applied immediately. Access the patch and additional information in the following Microsoft page: http://www.microsoft.com/technet/securi ... 3-007.mspx


Workaround Fixes:



Network VirusWall protects customers against threats related to this vulnerability by:



Isolating machines that have not yet applied the MS03-007 security update through Vulnerability Assessment Rule 008.

Detecting malicious packets at the network layer. Network Virus Pattern (NVP) 10118 enables Network VirusWall to detect and then drop exploit packets at network layer.
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia
Advertisement
Register to Remove

Unread postby Ryuji35 » April 16th, 2006, 11:15 am

(MS03-014) Cumulative Patch for Outlook Express (330994)




Vulnerability Identifier: CAN-2002-0980
Discovery Date: Apr 23, 2003
Risk: Highly Critical
Vulnerability Assessment Pattern File: 008
Related Malware: BKDR_LORRAC.A, JS_CBASE.EXP1, JS_SEFEX.A, WORM_CASPID.A, WORM_CASPID.B, WORM_DARBY.C, WORM_DARBY.D, WORM_LORAC.A, WORM_MIMAIL.A, WORM_MIMAIL.D, WORM_BUGBEAR.C
Affected Software:
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6.0

Description:

This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer.
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 16th, 2006, 11:16 am

(MS03-023) Buffer Overrun In HTML Converter Could Allow Code Execution (823559)




Vulnerability Identifier: CAN-2003-0469
Discovery Date: Jul 9, 2003
Risk: Critical
Vulnerability Assessment Pattern File: 008
Affected Software:
Microsoft Windows 2000
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 Terminal Server Edition
Microsoft Windows NT Workstation 4.0
Microsoft Windows Server 2003
Microsoft Windows XP

Description:


This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation.
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 16th, 2006, 11:17 am

(MS03-041) Vulnerability in Authenticode Verification Could Allow Remote Code Execution




Vulnerability Identifier: CAN-2003-0660
Discovery Date: Oct 15, 2003
Risk: Critical
Vulnerability Assessment Pattern File: 015
Affected Software:
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Gold Service Pack 1

Description:


This vulnerability in Authenticode is present only under certain low memory conditions. It allows the download and installation of ActiveX controls without prior user approval. It also allows the installed ActiveX control to run with the same privileges as the user.

This vulnerability can be exploited through specially crafted Web pages or HTML email messages.

Additional information on this vulnerability is available at Microsoft Security Bulletin MS03-041.


Patch Information:

Apply the appropriate patches for the following affected software:
Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download patch
Microsoft Windows NT Server 4.0, Service Pack 6a - Download patch
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 - Download patch
Microsoft Windows 2000, Service Pack 2 - Download patch
Microsoft Windows 2000, Service Pack 3, Service Pack 4 - Download patch
Microsoft Windows XP Gold, Service Pack 1 - Download patch
Microsoft Windows XP 64-bit Edition - Download patch
Microsoft Windows XP 64-bit Edition Version 2003 - Download patch
Microsoft Windows Server 2003 - Download patch
Microsoft Windows Server 2003 64-bit Edition - Down
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 16th, 2006, 11:18 am

Home > Security Advisories > (MS03-043) Buffer Overrun in Messenger Service Could Allow Code Execution (828035)




(MS03-043) Buffer Overrun in Messenger Service Could Allow Code Execution (828035)




Vulnerability Identifier: CAN-2003-0717
Discovery Date: Oct 15, 2003
Risk: Critical
Vulnerability Assessment Pattern File: 016
Related Malware: WORM_KIBUV.B
Affected Software:
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Gold Service Pack 1

Description:


This vulnerability may allow remote attackers to execute arbitrary code on vulnerable systems, granting these malicious users administrator privileges. It involves the inability of the Messenger Service to properly validate the length of a sent message before it is passed to the allocated buffer, thereby facilitating the rapid spread of such worms as MS Blast/Blaster, Nachi, SQL Slammer, and Randex.

The Messenger Service can be reached via MS RPC (Microsoft Remote Procedure Call), similar to the DCOM RPC vulnerability. However, while the DCOM service cannot be safely removed from the infected system, users can easily disable the Messenger Service to protect themselves from the MESSENGER_SERVICE_BUFFER_OVERRUN vulnerability. It is also notable that while the Messenger Service runs over MS RPC, it can also run over SMB (Server Message Block).

Server Message Block (SMB) can be used on networks using non-Internet protocols (e.g. Novell IPX/SPX, DECnet, Banyan Vines, and NetBEUI). Since these non-Internet protocols are not typically controlled by firewalls, exploit tools or worms can easily reach companies and individuals that use these protocols.

The MS RPC interface to the Messenger Service also runs on ports typically used for MS RPC traffic, mainly over UDP port 135 and opens a dynamic port above UDP port 1024. The use of this UDP port emphasizes this vulnerability's intent to use broadcast system messages.

Additional information on this vulnerability is available at Microsoft Security Bulletin MS03-043.


Patch Information:


Links to patches for this vulnerability are also available at Microsoft Security Bulletin MS03-043.

Microsoft Windows NT Workstation 4.0, Service Pack 6a
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows NT Server 4.0, Service Pack 6a
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows 2000, Service Pack 2
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows 2000, Service Pack 3,
Microsoft Windows 2000, Service Pack 4
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows XP Gold, Service Pack 1
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows XP 64-bit Edition
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows XP 64-bit Edition Version 2003
http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows Server 2003 http://www.microsoft.com/downloads/deta ... laylang=en
Microsoft Windows Server 2003 64-bit Edition http://www.microsoft.com/downloads/deta ... laylang=en


Workaround Fixes:


If the Messenger service is not needed, disable it to prevent the possibility of an attack.
Block RPC port 135 (epmap TCP/UDP), and NetBIOS ports 137-139 (TCP/UDP) using a firewall. This prevents the sending of data from external sources to protected systems.
In most cases, the Messenger Service can be safely disabled. To disable the Messenger Service, follow the instructions below:

Click the Start Menu, and then choose Control Panel.
Double-click the Performance and Maintenance menu, or the Administrative Tools menu (depending on the operating system used).
Double-click the System menu or the Services icon. Windows will present a list of system services.
Scroll down to the service named Messenger. Right-click this service and select Properties from the pop-up menu.
Use the dialog box next to Startup Type, select Disabled.
Under the Service Status sub-menu, click the button labeled, Stop.
Click the Apply and OK buttons. The service should now be stopped and disabled.
The following typical Microsoft networking ports should be blocked as strictly as possible by firewalls:

135/TCP MS-RPC connection-oriented
135/UDP MS-RPC datagrams
137/ UDP NetBIOS name resolution
138/ UDP NetBIOS/SMB datagrams
139/ TCP NetBIOS/SMB connection-oriented
445/ TCP SMB connection-oriented
445/ UDP SMB datagrams
Ensure that ports associated with Messenger Service are blocked.
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 16th, 2006, 11:19 am

MS04-13

>> An Error occured when retrieving the information about this vulnerability. There is currently no information at all
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 16th, 2006, 11:20 am

(MS04-015) Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)




Vulnerability Identifier: CAN-2004-0199
Discovery Date: May 11, 2004
Risk: Important
Vulnerability Assessment Pattern File: 012
Affected Software:
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1

Description:


This vulnerability in the Help and Support Center (HCP) allows remote code execution. It exists due to the process by which HCP handles URL validation.

This vulnerability could enable an attacker to remotely execute code of choice with Local System privileges through the use of a specially crafted HCP URL. It facilitates remote code execution whenever users visit a malicious Web site or views an email message that contains the specially crafted HCP URL. Note that user interaction is necessary to exploit this vulnerability.

This vulnerability allows an attacker to take complete control of the affected system and perform the following:

Run programs
View/modify/delete data
Create new accounts with full privileges
Operating systems affected by this vulnerability are Windows XP and Windows Server 2003 since they contain the affected version of the Help and Support System.

This vulnerability is discussed in detail in the following Microsoft page:

Microsoft Security Bulletin MS04-015

Workaround Fixes:




If the Help and Support Center protocol (HCP) is not used, you can manually delete the protocol association by deleting the registry key HKCR\HCP. To do so, please perform the following:

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT
Highlight the HCP key in the left panel.
Right-click the HCP key, and then click Delete.
In the Confirm Key Delete dialog box, click the Yes button.
Close Registry Editor.
Warning: Deleting the HCP protocol association registry keys will break all local help links that use hcp://. For example, links in Control Panel may no longer work.


If you are using Microsoft Outlook 2001 SP1 or earlier, install the Outlook E-mail security update.
The Outlook Email Security Update can block access to certain file types that could spread dangerous code, whether you use Outlook 2001 SP1, Outlook 2000 or Outlook 98.

Outlook Express 6, Outlook 2002 and Outlook 2003 already have this type of protection. By default, they open HTML email messages in the Restricted sites zone.

More information about the Outlook Email security update is available at:


http://www.microsoft.com/office/previou ... curity.asp

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read email messages in plain text format to help protect yourself from the HTML email attack vector.
Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed or non-encrypted email messages in plain text only.

Digitally-signed and encrypted email messages are not affected by the setting and may be read in their original formats. Information about how to enable this setting in Outlook 2002 can be found in the following Knowledge Base article:


http://support.microsoft.com/default.as ... -us;307594
Information about how to enable this setting in Outlook Express 6.0 can be found in the following Knowledge Base article:


http://support.microsoft.com/?kbid=291387
Impact of Workaround

Email viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:


The changes are applied to the preview pane and to open messages.
Pictures become attachments to avoid loss of message content.
Because the message is still in Rich Text Format or in HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text Format or in HTML format in the mail store.
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 16th, 2006, 11:20 am

(MS04-018) Cumulative Security Update for Outlook Express (823353)




Vulnerability Identifier: CAN-2004-0215
Discovery Date: Jul 13, 2004
Risk: Moderate
Vulnerability Assessment Pattern File: 015
Affected Software:
Microsoft Access 2002
Microsoft Outlook Express 5.5 Service Pack 2
Microsoft Outlook Express 6.0
Microsoft Outlook Express 6.0 Service Pack 1
Microsoft Outlook Express 6.0 Service Pack 1 (Microsoft Windows XP 64-Bit Edition)
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1

Description:


A specially crafted email message containing malformed email headers could cause Outlook Express to fail.

The email headers contain information such as the sender’s email address, the recipient’s e-mail addresses, the time that the email message was sent, and the name of the mail server that received the said message.

These fields can be exploited in such a way that it may contain very long field values.

For more information on the vulnerability and the security patch, visit the following Web site:


http://www.microsoft.com/technet/securi ... 4-018.mspx


Patch Information:


Trend Micro advises users to install the Microsoft fix patch immediately. Visit the following Web site for the latest information and the security patch:


http://www.microsoft.com/technet/securi ... 4-018.mspx
User may also access Windows Update to ensure that their Windows systems have all critical patches installed.


Workaround Fixes:


Disabling the preview pane

You can disable the preview pane without starting Outlook Express by changing the DWORD value of the ShowHybridView entry to 0:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Identities>%Identity%>Software>
Microsoft>Outlook Express>5.0>Mail
(Note: %Identity% refers to the ID of the currently logged on user.)
In the right panel, locate entry:
ShowHybridView
Modify the DWORD value of this entry to 0.
Close Registry Editor.
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby agrarianmonk » April 16th, 2006, 2:33 pm

Hi,

Did you write down the location of the file Trend Micro couldn't disinfect?

If you have the information, please post it in your next reply.

Thanks,
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Ryuji35 » April 17th, 2006, 3:43 am

it did not say anything. Just that Virus and its description :(
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby agrarianmonk » April 17th, 2006, 12:08 pm

Ok, let's make sure Active X is enabled and let's try another online scan. I really need to know where that infected file is:

Enabling Active X for Microsoft Internet Explorer 6.0

1. Click Internet to display the settings for the Internet Zone.
2. Click the radio button to select Custom (for expert users).
3. Click the Settings button to open the Security Settings window.
4. Scroll to the Active X controls and plug-ins and verify that the options are set to Enable or Prompt.
5. Scroll to the Scripting Section and verify that Active Scripting is set to Enable or Prompt.
Note: Clicking a checked box removes the checkmark and disables the feature.
If you see checkmarks in the Enable or Prompt boxes, do not click on the checked boxes.
6. Click OK to close the Security Settings window.
7. Click OK to close the Internet Options window.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Ryuji35 » April 18th, 2006, 9:42 am

Hi,

sorry if I didn't reply for 2 days. Kaspersky still didn't work even though my ActiveX are enabled. I have downloaded the Latest Java Apps but nothing.

And then, I have a question. My DSL Connection is slowing. Is it a work of a Virus? because I called my ISP Provider and they said to me that everything was ok. Yes, it really is OKay. But everytime I download files(example is when I download the JAVA Apps) the connection rate becomes 3 or 4 kb/s. My Web Browsing is the same but my downloading is not. So I suspect Virus.... again. *sigh* *sob* :cry:

I am going to perform a Virus Scan with Ewido, MS AntiSpyware and Norton now and after that. I'll post another HJT LOG

Thanks and Sorry again :D ...... :( ....... :cry:
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 18th, 2006, 10:44 am

ok, I am done scanning and my computer detects 2 Trojan horse dialers which the Norton and the MS AntiSpyWare deleted. But the connection is still the same. So I really don't think it was completely gone. :cry: :cry: :cry: i don't know if this is another problem, so if I need to post this to another topic just let me know :cry: :cry: :cry:

Thanks!

The FF are my logs:
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby Ryuji35 » April 18th, 2006, 10:44 am

Logfile of HijackThis v1.99.1
Scan saved at 10:49:29 PM, on 4/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Encarta\Encarta Premium 2006\EDICT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HighjackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E06ADXRC_3471343] "C:\Program Files\Microsoft Encarta\Encarta Premium 2006\EDICT.EXE" -m
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6136860062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7990772500
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://activex.microsoft.com/controls/i ... iemenu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lob ... ttings.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
Ryuji35
Regular Member
 
Posts: 85
Joined: January 15th, 2006, 8:27 pm
Location: Asia

Unread postby agrarianmonk » April 18th, 2006, 3:05 pm

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 81 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware