
Mar 11th, 2005

HJT log and question about WinAntiVirus2005 pro

Hi, I have an IBM ThinkPad T20 with a Pentium III running XP Professional.

A program hijacked my desktop about two days ago. It turned my desktop black with a big WARNING sign about spyware, with a place to click for a solution. I think that this is an advertisement for some anti-virus company or something, so I don't click on it. When a triangular (!) symbol appeared in my taskbar I thought that this was my outdated Norton AntiVirus telling me there is a problem. I click on the balloon and it takes me to what looks like an MSN search page with a list of places to get anti-spyware. I had had a problem with spyware before on another computer and was able to fix it with help from a forum such as this one. I consider doing the same thing, but I didn't have a lot of time, so, after remembering how much time it took me the last time, I say to myself "I guess I need updated virus protection software anyway, let me just buy this new package that updates daily for one year and get back to work".

I buy WinAntiVirus 2005 Pro with the anti-spyware and anti-popup-ad firewall package and proceed to install it. It tells me that I have to uninstall all other anti-virus and anti-spyware stuff from my computer for it to work. This doesn't sound right to me, and then I start to notice that the thing that had hijacked my desktop was just an advertisement for the company I just bought my anti-hijack package from. I feel like I just paid protection money to the mob. Did I get taken?

Anyway, I still have spyware on my computer. Panda has detected the same thing twice after I ran the WinAntiVirus. Below you can find the HJT log, an ActiveScan report and the one from WAV2005pro. Thank you in advance for any help with this problem. Peace, G

ActiveScan:

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Personal\Favorites\Search the web.url
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\System32\spoolsrv32.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq
Virus:Trj/Downloader.ASF Disinfected C:\WINDOWS\system32\spoolsrv32.exe

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:42:30 PM, on 3/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro\pgeng.exe
C:\Program Files\WinAntiVirus 2005 Pro\cs_srv.exe
C:\Program Files\WinAntiVirus 2005 Pro\Quar.exe
C:\Program Files\Common Files\WinSoftware\VapFM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\WinAntiVirus 2005 Pro\WinAV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.sunrise.ch/en/hom/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://go.sunrise.ch/en/hom/default.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110553832768
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF2AAB0-80DB-42E9-8845-6B2CE2906C5A}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe


WinAntiVirus wouldn't let me copy/paste their report; here is what I found in the report:

4 files infected with: Win32.bagle.3.gen@mm
1 file infected with: Trojan.dropper.small.oy
1 file infected with: Application.adware.powerreg.3.0

also a file named hotmail-inbox.dbx (infected, but the program says that I should use the mail client to eliminate it).
Posted by gphoto (Newbie Poster, 11 posts since Mar 2005)
Mar 11th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

WinAntiVirus does not have a good track record in the "trustworthy" department.

At the very least, they obviously try to fool the unobservant user into thinking that they're looking at Norton/Symantec error messages, subscription notices, etc., when in fact these are bogus ads and other popups from WinAntiVirus.
Additionally, they have even registered the domain "www.symantic.com", so that when users trying to go to "www.symantec.com" mis-spell the URL, they are directed to WinAntiVirus' product page instead of Norton's.

Judging from the user reports I've read, I would highly suggest that you uninstall the program and demand a refund. You may have to bark at them a bit to get it, but other users who requested refunds say that they did get them.


Aside from the above, the following two entries in your log are indicative of trojan infections:

O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe



Run a few additional online virus scans and see if they can do a bit more than Panda was able to do for you:

http://housecall.trendmicro.com/
http://www.kaspersky.com/scanforvirus.html
http://us.mcafee.com/root/mfs/default.asp?cid=9435
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Let us know the results of the scans and post a fresh log. As I said earlier, I would suggest that you uninstall WinAntiVirus before we proceed.
Posted by DMR (Team Colleague, "Wombat At Large", 6,439 posts since Dec 2003)
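As an added example (not part of the original thread, and not HijackThis code), here is a small Python script that applies the heuristic used in the reply above to a HijackThis log: it flags O4 Run entries whose executable sits directly in C:\WINDOWS or C:\WINDOWS\System32 under a name that is not on a known-good list, and surfaces unknown-owner services, unknown Winsock LSP files and the configured DNS servers for a manual look. The allowlist is an assumption; the sample log lines are copied from the first log posted above.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis code and not part of
the original posts. It looks for the pattern the reply above flags (an O4
Run entry launching a generically named executable that sits directly in
%SystemRoot% or System32) and surfaces a few other line types that
deserve a manual look: unknown-owner services, unknown Winsock LSP files
and the configured DNS servers.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # 'high' or 'review'
    item: str       # file path or value the finding is about
    reason: str


O4_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\Run\w*: \[([^\]]+)\] (.+)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (.+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (.+)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')

# Executable sitting *directly* in C:\WINDOWS or C:\WINDOWS\System32
# (a subdirectory such as System32\spool\... deliberately does not match).
WINDIR_DIRECT_RE = re.compile(
    r'^[a-z]:\\windows\\(?:system32\\)?([^\\]+\.exe)$', re.IGNORECASE)

# Assumed allowlist: XP-era executables that legitimately autostart from
# System32. Extend it for your own environment.
KNOWN_SYSTEM_RUN_EXES = {'ctfmon.exe', 'rundll32.exe', 'msmsgs.exe'}


def first_exe(command: str) -> str:
    """Return the executable path from a Run-key command line.

    Handles both the quoted ("C:\\Program Files\\x.exe" -flag) and the
    unquoted (C:\\WINDOWS\\foo.exe /P30 ...) forms.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen_lsp = set()
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, value_name, command = m.groups()
            exe = first_exe(command)
            d = WINDIR_DIRECT_RE.match(exe)
            if d and d.group(1).lower() not in KNOWN_SYSTEM_RUN_EXES:
                where = 'per-user (HKCU)' if hive == 'HKCU' else 'machine-wide (HKLM)'
                findings.append(Finding(
                    'high', exe,
                    f'{where} Run value [{value_name}] starts an unknown '
                    f'executable placed directly in the Windows directory'))
            continue
        m = O10_RE.match(line)
        if m:
            lsp = m.group(1).lower()
            if lsp not in seen_lsp:     # HJT prints one line per LSP chain slot
                seen_lsp.add(lsp)
                findings.append(Finding('review', lsp,
                                        'Winsock LSP not in the HJT allowlist; '
                                        'check the vendor before removing'))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(Finding('review', m.group(1),
                                    'DNS servers: confirm they belong to your ISP/network'))
            continue
        m = O23_RE.match(line)
        if m:
            svc_name, owner, path = m.groups()
            if owner == 'Unknown owner':
                findings.append(Finding('review', path,
                                        f'service "{svc_name}" has no publisher string'))
    return findings


# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF2AAB0-80DB-42E9-8845-6B2CE2906C5A}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.item}\n         {f.reason}')
```

Run against the sample, the two 'high' findings are exactly the winstarter.exe and window.exe entries singled out above. Everything else is 'review' only: an "Unknown owner" service is often just a vendor that left the description blank (the log's IBM power-management service is the same), and a vendor-named LSP such as a mail scanner is normal for an AV product, so those lines are for a human to judge, not to delete on sight.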
Mar 12th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

Hi DMR,
I eliminated the files you pointed out to me as indications of trojan infection and uninstalled WAV2005. I am currently without protection. Could you suggest an antivirus/antispyware that I can trust? Here are the reports that I came up with. It seems that WIN2005 has left stuff on the hard drive, along with Norton. Should these files still be there? Thank you again for your help. Peace.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:09 AM, on 3/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Palm\HOTSYNC.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.sunrise.ch/en/hom/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://go.sunrise.ch/en/hom/default.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110553832768
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...43/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF2AAB0-80DB-42E9-8845-6B2CE2906C5A}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE


McAfee report:

File Name Virus Name
C:\...\A0138686.exeggbwkfnq Downloader-VV
C:\...\A0138686.exeggbwkfnq Downloader-VV
C:\...\iup1ldapspcs.exezvsrtkjp Proxy-Mitglieder
C:\...\mp3codec543.exeduxwfnfo Proxy-Mitglieder
C:\...\mp3codec543.exefircvscx Proxy-Mitglieder
C:\...\window.exerepggxrp Proxy-Mitglieder
C:\WINDOWS\iup1ldadbehv.exe BackDoor-CHN.gen
C:\WINDOWS\iup1ldaikrrx.exe BackDoor-CHN.gen
C:\WINDOWS\iup1ldartjwb.exe BackDoor-CHN.gen
C:\WINDOWS\system64.exe BackDoor-CHN.gen


RAV Scan:
Scan started at 3/12/2005 12:44:11 AM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume->Message.249: ("Bert summers" [RE: India Press Tour])->(part0002->(part0000->(SCRIPT0000) - VBS/ActiveXExploit* -> Infected
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp->(FSGPE) - Win32/Bagle.gen! -> Suspicious
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo->(FSGPE) - TrojanProxy:Win32/Mitglieder.BK -> Suspicious
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx->(FSGPE) - TrojanProxy:Win32/Mitglieder.BK -> Suspicious
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp->(FSGPE) - Win32/Bagle.gen! -> Suspicious

Scanned
============================
Objects: 40952
Directories: 3131
Archives: 5479
Size(Kb): 257869
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 4
Disinfected files: 0
Mail files: 3399



Statistics

Scanned files: 40952
Scanned directories: 3131
Scanned archives: 5479
Size of the scanned files: 264058130
Packed files: 877
Known viruses found: 1
Virus bodies: 1
Suspicious files: 4

Disinfected files: 0
Deleted files: 0
Renamed files: 0
Copied files: 0
I/O errors: 0
Warnings: 0
Corrupted files: 0
New files: 203619
Mail files: 3399




Found viruses
File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume->Message.249: ("Bert summers" [RE: India Press Tour])->(part0002->(part0000->(SCRIPT0000)
Virus: VBS/ActiveXExploit* Status: Infected

File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp->(FSGPE)
Virus: Win32/Bagle.gen! Status: Suspicious

File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo->(FSGPE)
Virus: TrojanProxy:Win32/Mitglieder.BK Status: Suspicious

File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx->(FSGPE)
Virus: TrojanProxy:Win32/Mitglieder.BK Status: Suspicious

File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp->(FSGPE)
Virus: Win32/Bagle.gen! Status: Suspicious

Bit Defender:
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>related.htm: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\IGetNet.zip=>winstarter.exe: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\IGetNet.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq: infected with Trojan.Dropper.Small.OY
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume=>(message 38)=>(VBSCRIPT 1): infected with VBS.Redlof.A.dr
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume=>(message 38)=>(VBSCRIPT 1): deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume=>(message 38): updated
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume: update failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp: infected with Win32.Bagle.9.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo: infected with Win32.Bagle.3.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx: infected with Win32.Bagle.3.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\PowerReg Scheduler V3.exeaylnlfdx: infected with Application.Adware.PowerReg.3.0
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\PowerReg Scheduler V3.exeaylnlfdx: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp: infected with Win32.Bagle.9.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp: disinfection failed
Posted by gphoto
Mar 12th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

1. Now that you've uninstalled WAV2005, you can safely delete the entire C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware folder (and any other WAV2005 folders that might exist). That will obviously get rid of most of the quarantined infected files the other AV scanners detected. If you still have Norton folders hanging around, you can delete them as well.

Once you've done the above, run the online scans again (try the Kaspersky and Trend Micro scans this time too) and have them clean up the leftovers.

2. For a free anti-virus solution, give AVG a try. For more options, a list of free AV, firewall, etc. programs can be found here.

3. Your HijackThis log is clean now.
Posted by DMR
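Added example, not code from any of the scanners and not part of the original posts: a Python script that parses the McAfee, RAV and BitDefender output formats shown in the previous post, maps each quarantined file back to its original name, correlates the engines' verdicts per file, and lists the files detected outside the quarantine folder, i.e. the ones that deleting the WinSoftware folder will not remove and the rescan has to clean up. The eight random letters WinAntiVirus appended to quarantined files (window.exe became window.exerepggxrp) are inferred from the filenames in the thread and are an assumption; the sample lines are copied from the reports above.

```python
"""Correlate detections across several AV scan reports and separate files
that merely sit in another product's quarantine from files live on disk.
Added example, not code from any scanner and not part of the original
posts. The 8-letter suffix WinAntiVirus appended to quarantined files
(window.exe -> window.exerepggxrp) is inferred from the filenames in the
thread and is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    engine: str
    path: str   # as printed; McAfee truncates to "C:\...\name"
    name: str   # the engine's detection name


# "<original>.<ext>" + 8 random letters (assumed quarantine renaming scheme)
QUARANTINE_RENAME_RE = re.compile(r'^(.+\.(?:exe|dll|scr|dbx))[a-z]{8}$', re.I)
LOCATION_RANK = {'quarantine': 0, 'unknown': 1, 'live': 2}


def parse_mcafee(text: str) -> List[Detection]:
    """Two whitespace-separated columns: path, detection name."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith('File Name'):
            path, name = line.strip().rsplit(None, 1)
            out.append(Detection('McAfee', path, name))
    return out


def parse_rav(text: str) -> List[Detection]:
    """'<object>[->sub-object...] - <name> -> <Infected|Suspicious>'."""
    out = []
    for line in text.splitlines():
        if ' -> ' not in line:
            continue
        rest, status = line.strip().rsplit(' -> ', 1)
        if status in ('Infected', 'Suspicious') and ' - ' in rest:
            obj, name = rest.rsplit(' - ', 1)
            out.append(Detection('RAV', obj.split('->', 1)[0], name))
    return out


def parse_bitdefender(text: str) -> List[Detection]:
    """'<object>[=>sub-object...]: infected with <name>'; the deleted /
    disinfection failed / password protected lines carry no verdict."""
    out = []
    for line in text.splitlines():
        if ': infected with ' in line:
            obj, name = line.strip().rsplit(': infected with ', 1)
            out.append(Detection('BitDefender', obj.split('=>', 1)[0], name))
    return out


def original_filename(path: str):
    """Undo the quarantine rename; returns (original name, was_renamed)."""
    base = path.rsplit('\\', 1)[-1]
    m = QUARANTINE_RENAME_RE.match(base)
    return (m.group(1), True) if m else (base, False)


def classify(path: str, renamed: bool) -> str:
    low = path.lower()
    if renamed or '\\quarantine\\' in low:
        return 'quarantine'
    return 'unknown' if '\\...\\' in low else 'live'


def correlate(detections) -> Dict[str, dict]:
    """Group verdicts by original filename; a live copy outranks a quarantined one."""
    table: Dict[str, dict] = {}
    for d in detections:
        name, renamed = original_filename(d.path)
        loc = classify(d.path, renamed)
        e = table.setdefault(name.lower(), {'name': name, 'location': loc,
                                            'verdicts': defaultdict(set)})
        if LOCATION_RANK[loc] > LOCATION_RANK[e['location']]:
            e['location'] = loc
        e['verdicts'][d.engine].add(d.name)
    return table


def live_files(table: Dict[str, dict]) -> List[str]:
    """Files seen outside the quarantine: deleting that folder leaves these."""
    return sorted(k for k, e in table.items() if e['location'] == 'live')


# Sample input: lines copied from the scan reports posted above.
Q = (r'C:\Documents and Settings\All Users.WINDOWS\Application Data'
     r'\WinSoftware\WinAntiVirus 2005 Pro\Quarantine')
MCAFEE = r"""File Name Virus Name
C:\...\A0138686.exeggbwkfnq Downloader-VV
C:\...\window.exerepggxrp Proxy-Mitglieder
C:\WINDOWS\iup1ldadbehv.exe BackDoor-CHN.gen
C:\WINDOWS\system64.exe BackDoor-CHN.gen
"""
RAV = rf"""Scanning files...
{Q}\Hotmail - Inbox.dbxphqghume->Message.249: ("Bert summers" [RE: India Press Tour])->(part0002->(part0000->(SCRIPT0000) - VBS/ActiveXExploit* -> Infected
{Q}\window.exerepggxrp->(FSGPE) - Win32/Bagle.gen! -> Suspicious
"""
BITDEFENDER = rf"""{Q}\Hotmail - Inbox.dbxphqghume=>(message 38)=>(VBSCRIPT 1): infected with VBS.Redlof.A.dr
{Q}\window.exerepggxrp: infected with Win32.Bagle.9.Gen@mm
{Q}\window.exerepggxrp: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\IGetNet.zip=>winstarter.exe: password protected
"""


def all_detections() -> List[Detection]:
    return parse_mcafee(MCAFEE) + parse_rav(RAV) + parse_bitdefender(BITDEFENDER)


if __name__ == '__main__':
    table = correlate(all_detections())
    for e in table.values():
        print(e['name'], e['location'], dict(e['verdicts']))
    print('live:', live_files(table))
```

On the full McAfee report above, the three C:\WINDOWS\iup1lda*.exe files and C:\WINDOWS\system64.exe are the only detections whose path is not under the WinAntiVirus quarantine, so they are the leftovers to expect on the rescan; the Spybot Recovery zips BitDefender reports as "password protected" are Spybot's own backups of what it removed, not new detections, and the parser ignores them. Three engines giving three names for one file (Proxy-Mitglieder, Win32/Bagle.gen!, Win32.Bagle.9.Gen@mm for window.exe) is normal and is why correlation is done per file rather than per detection name.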
Mar 14th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

Thanks DMR,
I did all that you told me and ran AVG on my machine, and it said that I am free of malware and spyware. The thing that is weird is that my machine is running very slow, abnormally slow. Is there a file that I might have deleted that could have this effect? Besides that I am very happy. Thank you again.
Posted by gphoto
Mar 16th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

The slowdown could be the result of something that got deleted, although the removal of the files/folders I specifically asked you to delete wouldn't cause the behaviour (and it certainly isn't being caused by AVG).

Is the slowdown "global" in the sense that it doesn't matter what programs you have running or what you're doing with/on the computer, or does it only occur under certain circumstances such as when you're online?
Posted by DMR
Mar 17th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

The slowdown actually miraculously stopped yesterday. It was happening when I was running Word. It took forever (like 40 minutes forever) to open one document. Once that was done it began to work normally. I think that it's OK, maybe a bit slower than it was before, but normal. The only thing that is a bit weird is that when it was working to open that document it sounded like the hard drive was squealing. I mean a real high-pitched eeeeeeeeeeeeeeeee. It stopped with the return of normal function, but should I be worried? I'm considering reinstalling the operating system, but I don't want to do it if the computer is going to go soon. Peace, g
Posted by gphoto
Mar 17th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

Might be time for a disk scan and a defrag; you could have some corrupted or heavily fragmented data on your disk.
Posted by DMR
Mar 17th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

Thanks. You're right, I haven't thought about all the stuff I just deleted. I will give it a try. Take care and thanks for your help.
Posted by gphoto
Mar 17th, 2005

Re: HJT log and question about WinAntiVirus2005 pro

OK- give those a try and let us know the results.
Posted by DMR

© 2011 DaniWeb® LLC