Hello, I am new to DaniWeb but have heard lots of good things, and I like what I see. I'm using XP. I have a problem with Internet Explorer. I have been using it for a couple of years now with no problems. I have been using AVG for security. All of a sudden on Monday IE started opening new windows every couple of minutes on its own, only when I'm using IE. Also AVG started alerting me of possible virus threats. In 2 1/2 years I have never had one threat; now I'm getting two or three a day. I am not 100% computer intelligent but I can follow directions. I see a lot of people posting HijackThis stuff; I don't know what that is. I have most of the potential virus threats in the virus vault in AVG. I just need help getting this off my computer. I assume it is some kind of virus hidden in it. It is very frustrating. I have had my house broken into twice in my life (only 30), and it kinda feels the same way, somebody is violating my privacy!! Any help is APPRECIATED!! Like I said, I'm probably only about 65% computer intelligent, but can listen very well. Thank you.
I forgot to add, I keep getting the message: Microsoft Visual C++ Runtime Library, Buffer overrun detected, Program C:\windows\explorer.exe
I don't think I was getting that message before this all started. Thanks again.

Tony

5 Contributors, 15 Replies, 16 Views, 9 Years Discussion Span, Last Post by jholland1964

It does sound like you have a trojan in there feeding you malware. OK, let's do this [in this order...] to see what shows up:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by double-clicking the .exe; now close ALL other applications and any open windows, including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted it may leave your desktop disabled. If this occurs, reboot to restore the desktop.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox, open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning, select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at Panda: http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:22 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tony\Desktop\hijackthis\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\nnnommj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {9ABBF08B-E836-4BF0-B571-F20A3C6DA202} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMffce3aeb] Rundll32.exe "C:\WINDOWS\system32\biopjvmw.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/SportsInterAction/FlashAX.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{808554B0-3EC8-48EF-B6B4-7F947CE4387F}: NameServer = 209.143.0.10
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\QBooksW\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: nnnommj - nnnommj.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 7317 bytes
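
The log above is what a helper triages by eye. As an added example that is not part of this thread, here is a small Python script that applies the same first-pass heuristics to HijackThis lines: hosts-file overrides (O1), browser helper objects with no name or a missing file (O2), Run entries that load a DLL through Rundll32 (O4), Winlogon Notify handlers (O20), services with an unknown owner (O23), and DLL names that show up in more than one section. The sample input is a constructed subset of the log posted above; the heuristics, section names and reason strings are the script's own, and a flagged line is a candidate for a closer look, not a verdict.

```python
import re

# Constructed sample: a subset of the HijackThis log lines posted in this thread,
# plus benign entries, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\nnnommj.dll (file missing)
O2 - BHO: (no name) - {9ABBF08B-E836-4BF0-B571-F20A3C6DA202} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMffce3aeb] Rundll32.exe "C:\WINDOWS\system32\biopjvmw.dll",s
O20 - Winlogon Notify: nnnommj - nnnommj.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Basename of any .dll mentioned on the line (the character class excludes backslashes).
DLL_RE = re.compile(r"([A-Za-z0-9_~-]+\.dll)", re.I)


def triage_line(line):
    """Return the reasons a HijackThis line deserves a closer look ([] if none).

    These are first-pass heuristics, not verdicts: a legitimate product can
    trip any one of them, which is why the helper asks for the whole log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if section == "O1":
        reasons.append("hosts-file entry overrides DNS for that name")
    if "(file missing)" in body:
        reasons.append("registration points at a file that no longer exists "
                       "(leftover or half-removed component)")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if section == "O4" and "rundll32" in body.lower() and "system32" in body.lower():
        reasons.append("Run entry loads a DLL through Rundll32; check the DLL's publisher")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded at logon before the user's shell")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no recognised publisher")
    return reasons


def triage(log_text):
    """Map each flagged line to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def dll_cross_references(log_text):
    """DLL basename -> sections mentioning it, for DLLs seen in more than one section.

    A DLL that is both a BHO (O2) and a Winlogon Notify handler (O20) is a
    stronger signal than either entry on its own."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for dll in DLL_RE.findall(line):
            seen.setdefault(dll.lower(), set()).add(m.group("section"))
    return {dll: secs for dll, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
    print("DLLs seen in more than one section:", dll_cross_references(SAMPLE_LOG))
```

Run against the sample, the script flags six of the ten lines and reports that nnnommj.dll is referenced from both O2 and O20, which is the pairing the helper later singles out for removal.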


ComboFix 08-04-04.1 - Tony 2008-04-05 11:07:55.1 - NTFSx86
Running from: C:\Documents and Settings\Tony\Desktop\bleeping computer\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMffce3aeb.xml
C:\WINDOWS\hosts
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\biopjvmw.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\dswtxxnu.dll
C:\WINDOWS\SYSTEM32\jjllm.ini
C:\WINDOWS\SYSTEM32\jjllm.ini2
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\pknotkly.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-04 20:28 . 2008-04-04 20:28 <DIR> d-------- C:\Program Files\New Folder
2008-03-26 20:13 . 2008-03-27 07:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-03 21:55 10,812 ----a-w C:\Documents and Settings\Tony\Application Data\wklnhst.dat
2008-03-27 00:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-13 08:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-10 21:12 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-02-10 21:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 21:00 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-10 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\COMMON FILES
2006-12-12 23:19 61,416 ----a-w C:\Documents and Settings\Tony\Application Data\GDIPFONTCACHEV1.DAT
2005-09-05 02:28 2,378 ----a-w C:\Documents and Settings\Sara\Application Data\wklnhst.dat
2004-07-05 15:21 59,864 ----a-w C:\Documents and Settings\Sara\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-18 08:20 77824]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05 53248]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01 155648]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 05:39 579072]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 04:39 219136]

C:\Documents and Settings\Tony\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-12-02 23:21:38 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-18 08:18:11 24576]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-01-13 20:44:46 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnommj]
nnnommj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Ratbag\\Dirt Track Racing - Sprint Cars\\DTRSC.exe"=
"C:\\QBOOKSW\\QBDBMgrN.exe"=

S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 15:54]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 15:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 15:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 15:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 11:19:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
.
**************************************************************************
.
Completion time: 2008-04-05 11:26:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 15:26:45
Pre-Run: 66,459,242,496 bytes free
Post-Run: 67,025,489,920 bytes free
.
2008-03-12 07:03:14 --- E O F ---


PROTECTIONS: 1
MALWARE: 37
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.519 7.5.519 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00027660 adware/savenow Adware No 0 Yes No hkey_classes_root\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader.1
00027660 adware/savenow Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
00027660 adware/savenow Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00027660 Adware/SaveNow Adware No 0 Yes No C:\Program Files\BearShare\Installer\saveinstwm.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@tradedoubler[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Sara\Cookies\sara@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@mediaplex[2].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@maxserving[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Sara\Cookies\sara@com[2].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@z1.adserver[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@statcounter[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@www.burstbeacon[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@media.adrevolver[3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@ads.pointroll[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@questionmarket[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@bluestreak[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@adrevolver[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Sara\Cookies\sara@go[1].txt
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@valueclick[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@atwola[1].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Sara\Cookies\sara@ehg-dig.hitbox[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@ads.addynamix[1].txt
00527204 Application/PRScheduler HackTools No 0 Yes No C:\DOCUMENTS AND SETTINGS\TONY\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
00958880 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Tony\Desktop\Unused Desktop Shortcuts\BSINSTALL.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1407\A0052341.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1407\A0052336.sys
02910179 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\catchme2008-04-05_111924.75.zip[Documents and Settings/Tony/Desktop/catchme.zip][mlljj.dll]
;===================================================================================================================================================================================
SUSPECTS
Sent Location ];
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ];
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Ok! I guess I need to take some action! I will be waiting for further instructions. I appreciate all your help!!! Thank you, thank you, thank you!!!!!!!!!!

Tony


Mmmm... there's not so much to do now. First off, start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\nnnommj.dll (file missing)
O2 - BHO: (no name) - {9ABBF08B-E836-4BF0-B571-F20A3C6DA202} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [BMffce3aeb] Rundll32.exe "C:\WINDOWS\system32\biopjvmw.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: nnnommj - nnnommj.dll (file missing)

Good.
The Panda log explained [Panda Online Scan confines itself to removing viruses and worms, but it does point out other malware]:
-when you run CCleaner it only removes cookies from your account, hence some cookies from Patch's account show in the log - if Patch runs CCleaner they will be removed [they are all benign..]. You can configure CCleaner to remove such items from all accounts if you so wish; it's fairly easy to set, but I won't go into it here.
-BearShare. It has adware associated with it - SaveNow. I can remove that for you, but doing so may break BearShare - I don't know. If you go ahead and remove it and BearShare stops working, it is your choice whether to uninstall or reinstall BS.

==PSEXEC - did you load this? ==

Actually, the quickest way to clean all those Panda detections is to run this tool:
==GET AVG Anti-Spyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
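
The Panda report is a flat table whose rows mix per-account tracking cookies, adware tied to an installed program, hack-tool detections that only the machine's owner can judge, and files that are already sitting in a quarantine folder or a System Restore point. As an added example (not part of this thread or of Panda's tooling), the Python below parses rows in that format and sorts them the way the reply above reads them: cookies counted per Windows account, since a per-user cleaner only clears the logged-in account; HackTools set aside for the owner's decision; already-contained copies separated from live items that need removal. The sample rows are copied from the log posted earlier in the thread; the column regex, the type vocabulary and the account extraction are assumptions about the format.

```python
import re
from collections import Counter

# One Panda ActiveScan row per line: Id Description Type Active Severity
# Disinfectable Disinfected Location. Description and Location may contain
# spaces, so the Type column (a closed vocabulary) anchors the parse.
# Assumption: the vocabulary below covers the types seen in this thread's log.
PANDA_ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+"
    r"(?P<type>Adware|TrackingCookie|HackTools|Virus/Trojan|Virus/Worm|Spyware)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+"
    r"(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)
# Windows XP profile folder -> account name (case-insensitive: Panda upper-cases some paths).
PROFILE_RE = re.compile(r"Documents and Settings\\([^\\]+)\\", re.I)
# ComboFix's quarantine folder and System Restore snapshots hold inert copies, not live files.
CONTAINED_RE = re.compile(r"\\QooBox\\Quarantine\\|\\System Volume Information\\_restore", re.I)

# Sample rows copied from the Panda log posted earlier in this thread.
SAMPLE_ROWS = r"""
00027660 Adware/SaveNow Adware No 0 Yes No C:\Program Files\BearShare\Installer\saveinstwm.exe
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Patch\Cookies\patch@atdmt[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Sara\Cookies\sara@mediaplex[1].txt
00527204 Application/PRScheduler HackTools No 0 Yes No C:\DOCUMENTS AND SETTINGS\TONY\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1407\A0052336.sys
02910179 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\catchme2008-04-05_111924.75.zip[Documents and Settings/Tony/Desktop/catchme.zip][mlljj.dll]
"""


def parse_panda(text):
    """Parse MALWARE-section rows; headers and separator lines simply do not match."""
    rows = []
    for line in text.splitlines():
        m = PANDA_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def account_of(location):
    """Account whose profile holds the file, or None for system-wide locations."""
    m = PROFILE_RE.search(location)
    return m.group(1).lower() if m else None


def summarize(rows):
    """Bucket detections the way the reply above reads them."""
    cookies = Counter()
    decide, contained, remove = [], [], []
    for r in rows:
        if r["type"] == "TrackingCookie":
            # CCleaner run from one account only clears that account's cookies.
            cookies[account_of(r["location"]) or "unknown"] += 1
        elif r["type"] == "HackTools":
            # Dual-use tools: only the owner knows whether they installed it.
            decide.append((r["desc"], r["location"]))
        elif CONTAINED_RE.search(r["location"]):
            contained.append((r["type"], r["desc"], r["location"]))
        else:
            remove.append((r["type"], r["desc"], r["location"]))
    return {"cookies_by_account": dict(cookies),
            "needs_owner_decision": decide,
            "contained": contained,
            "remove": remove}


if __name__ == "__main__":
    summary = summarize(parse_panda(SAMPLE_ROWS))
    for bucket, items in summary.items():
        print(bucket, items)
```

On the sample this yields cookies for three accounts (two of them not the one that ran the scan), two hack-tool rows for the owner to answer, two items already held in a quarantine or restore point, and one live adware file.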


TY TY TY TY!!!!!!!

I fixed with HijackThis.
Ran CCleaner with all users.
I don't think BearShare is a problem because their ads only run when it is running, and that isn't often. Unless you think they lead to something more serious?
I'm not against paying for better protection if you think I should. I don't want to spend a bunch, but give me your opinion.
I can't thank you enough!!!!!!!!!!!!!!!!!!!!!! I will spread the word. Daniweb.................
Here is the other log. Thank you!!!!!!!!!!!!!!!!!!!!!!!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:28:05 AM 4/6/2008

+ Scan result:

C:\Documents and Settings\Tony\Cookies\tony@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tony\Cookies\tony@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Tony\Cookies\tony@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Tony\Cookies\tony@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Tony\Cookies\tony@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end


Nice work, Tony. No, the ads on BearShare do not lead to anything worse.
This is an important question, though:
PSEXEC - did YOU install this tool?
Cheers.


I guess I don't know. Do you mean it is on my computer, or it needs to be on it? If it is on it, I guess I don't know if I loaded it. I looked at the logs and see it on there, so I'm assuming it is on my computer. What would I use it for? I don't know if I put it there or not!! I don't remember using anything recently where I would have seen it? Let me know. Thank you for your concern!!!!

Hey, I just looked and C:\windows.psexesvc was created yesterday about the time I was at the Panda site. Does that make sense? Anyways, just let me know what to do. Thanks again. You're making it so easy for me!!!!!!!!!!!!!!!!!


PSEXEC is a tool from Microsoft. Here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
-see this::: PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools...
and this::: Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses...
My point is that it is a useful tool for a trojan to include. So if you don't do remote system operation like issuing Telnet commands or similar, may I suggest that you search for and delete:
C:\WINDOWS\PSEXESVC.EXE
Now....
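
Finding PSEXESVC.EXE under C:\WINDOWS after the fact is the cleanup side of this. On the detection side, the same artifact appears at install time as a Service Control Manager event 7045 ("A service was installed in the system") whose image path points at the Windows directory, because PsExec copies PSEXESVC.exe there through the ADMIN$ share and registers it as a service. As an added example that is not from this thread, the Python below scans constructed, pipe-separated renderings of such events and flags both the PsExec service name and any service binary dropped straight into the Windows directory. The export layout, the sample records and their timestamps are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: Service Control Manager event records flattened to one
# pipe-separated line each (time|event id|source|key=value fields). The layout,
# the records and the timestamps are invented for this example; they are not
# logs from the machine discussed in this thread.
SAMPLE_EVENTS = r"""
2001-01-01 09:00:00|7045|Service Control Manager|ServiceName=wuauserv|ImagePath=C:\WINDOWS\system32\svchost.exe -k netsvcs|StartType=auto start|Account=LocalSystem
2001-01-01 09:12:41|7045|Service Control Manager|ServiceName=PSEXESVC|ImagePath=C:\WINDOWS\PSEXESVC.EXE|StartType=demand start|Account=LocalSystem
2001-01-01 09:13:05|7045|Service Control Manager|ServiceName=Avg7Alrt|ImagePath=C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe|StartType=auto start|Account=LocalSystem
2001-01-01 09:20:00|7036|Service Control Manager|ServiceName=Avg7Alrt|State=running
"""


@dataclass
class Finding:
    time: str
    service: str
    image: str
    reason: str


# An executable sitting directly in the Windows directory (C:\WINDOWS\x.exe),
# which is where PsExec places PSEXESVC.exe on the target via the ADMIN$ share.
WINDIR_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe(\s|$)", re.I)


def parse_event(line):
    """Return a dict of fields for a 7045 (service installed) record, else None."""
    parts = line.strip().split("|")
    if len(parts) < 4 or parts[1] != "7045":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:])
    fields["time"] = parts[0]
    return fields


def check_service_install(ev):
    """Reasons a freshly installed service deserves a look ([] if none)."""
    reasons = []
    if ev.get("ServiceName", "").upper() == "PSEXESVC":
        reasons.append("PsExec's service name: someone ran PsExec against this host "
                       "(legitimate admin use or not, confirm with the owner)")
    if WINDIR_ROOT_RE.match(ev.get("ImagePath", "")):
        reasons.append("service binary lives directly in the Windows directory, "
                       "not in system32 or Program Files")
    return reasons


def scan(text):
    """Apply the checks to every 7045 record in the export and collect findings."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for reason in check_service_install(ev):
            findings.append(Finding(ev["time"], ev["ServiceName"], ev["ImagePath"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.time} {f.service:<10} {f.image}\n    -> {f.reason}")
```

Both checks fire on the PSEXESVC record and neither on the svchost or AVG service installs; the 7036 state-change record is ignored. Either signal on its own is worth a question to the machine's owner, which is exactly the question the reply above asks.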


Ok, I searched that and deleted it and emptied the recycle bin. I assume that is it? If so, I thank you so much............. Once again, you made the directions very simple for me to follow. I appreciate it!!! Thank you


Tony


Cheers, Tony. Because that was a remote-operating trojan, if you do notice anything strange, rerun Panda after a few days [CClean first, all accounts] and repost here.
If you do online banking, purchasing or emailing, it would be wise to change passwords now. I would. Just in case. Good luck out there.


Hey, I have the exact same thing.. I was wondering if you guys could help me out. I don't know what I/someone else on the laptop downloaded, but it is the exact same thing as Tony's. IE ads keep popping up every minute or so. I was wondering if you could help out.


Kevin, this thread is 2 years old and solved. You need to begin your own thread, stating all problems exactly, and also give us the following information: operating system, security programs, and what steps you have attempted to fix your problems.
Also please follow the steps given in the link below and post those results to your own NEW thread. Somebody will be happy to help you.

http://www.daniweb.com/forums/thread134865.html
