Problems with IE

Status
Not open for further replies.

ccoal

Beta member
Messages
2
Hi,
First, sorry for my bad English.
I have a problem with IE: it won't open any address I type in, while Firefox is working just fine. Before that I got an alert from NOD32:

C:\WINDOWS\SYSTEM32\IE2CLTR.DLL Win32/Adware.Toolbar.SBSoft application quarantined - deleted ENTERBAZA\alex Event occurred when attempting to access the file.

Can anyone help me?

Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 21:02:59, on 30.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\System32\Linksts.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aleksandar\Desktop\software\adware\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.136.157.34:80
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Aleksandar\Application Data\Mozilla\Profiles\default\3b0j6dro.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Your antivirus seemed to clean it out. You had the "BHO.SeachToolbar" installed on your system. You should be clean. Just make sure this item doesn't return on your system.

O2 - BHO: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\IE2CLTR.DLL
 
Hi and Welcome to TF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive. (C:\HJT)

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and going to Properties->System Restore and checking the box for Turn OFF System Restore; make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edg...loadManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31


c:\eied_s7.cab <--delete that file
c:\ex.cab <--delete that file

Reboot into normal mode..

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log.
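The entries the helper asks to fix above (the cleared SearchAssistant, the two file:// DPF cabs and the foreign NameServer addresses), plus the R1 proxy line from the same log, are exactly the classes a small triage script can pull out of a HijackThis log. The Python below is an added example, not code from this thread or from HijackThis; it assumes a constructed TRUSTED_DNS set and a sample log built from entries posted in this thread, and it also re-joins entries that forum word-wrapping has split across lines.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example; not the thread's or
HijackThis' own code). Re-joins entries that forum word-wrap split across lines,
then flags the classes the helper singled out: R0 SearchAssistant emptied, R1
ProxyServer forced, O16 DPF loading a cab via file://, O17 rogue NameServer."""
import re
from dataclasses import dataclass

# Assumption (constructed): the resolvers this machine is expected to use.
TRUSTED_DNS = frozenset({"192.168.1.1"})
_RE_ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # "O17 - HKLM\..."
_RE_O16_URL = re.compile(r"-\s+(\S+://\S+)\s*$")     # trailing cab URL
_RE_O17_NS = re.compile(r"NameServer\s*=\s*(.*)$")

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def unwrap(log_text: str) -> str:
    """Keep header/process list as is; after the first 'Xn - ' entry, glue any
    non-empty line that does not start a new entry onto the previous entry
    with one space (forum wrapping always broke at a space)."""
    out, in_entries = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if _RE_ENTRY.match(line):
            in_entries = True
            out.append(line)
        elif in_entries:
            if line:
                out[-1] += " " + line
        else:
            out.append(raw.rstrip())
    return "\n".join(out)

def triage(log_text: str, trusted_dns=TRUSTED_DNS) -> list:
    """Return one Finding per entry that falls into a flagged class."""
    findings = []
    for line in unwrap(log_text).splitlines():
        m = _RE_ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        value = body.split("=", 1)[-1].strip() if "=" in body else None
        if section == "R0" and "SearchAssistant" in body and value == "":
            findings.append(Finding(section, "SearchAssistant cleared", line))
        elif section == "R1" and "ProxyServer" in body and value:
            findings.append(Finding(section, f"proxy forced to {value}", line))
        elif section == "O16":
            url = _RE_O16_URL.search(body)
            if url and url.group(1).lower().startswith("file://"):
                findings.append(Finding(section, f"DPF from local file {url.group(1)}", line))
        elif section == "O17":
            ns = _RE_O17_NS.search(body)
            rogue = [s for s in ns.group(1).split() if s not in trusted_dns] if ns else []
            if rogue:
                findings.append(Finding(section, "DNS hijack: " + " ".join(rogue), line))
    return findings

# Constructed sample built from entries posted in this thread; the O17 entry is
# deliberately wrapped the way the second log was.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.136.157.34:80
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer =

69.50.176.156 195.225.176.31
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

The http:// DPF entry (Akamai download manager) is left alone on purpose; only cabs loaded from a local path are flagged, matching what the helper listed.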
 
I have done all you have said. IE now works fine, but I think the problem was in the HideIP software, because HideIP has changed my proxy. But I am concerned about the 18 viruses that Panda ActiveScan found on my PC, because NOD32 hasn't found anything (I scan my PC every week and regularly do updates, and I use the ZoneAlarm firewall). Here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 22:26:20, on 31.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\System32\Linksts.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aleksandar\Desktop\software\adware\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Aleksandar\Application Data\Mozilla\Profiles\default\3b0j6dro.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

PANDA LOG:

Incident Status Location

Adware:adware/sbsoft No disinfected C:\WINDOWS\SYSTEM32\dumpsprep.exe
Dialer:dialer.avb No disinfected C:\WINDOWS\SYSTEM32\qwinnta.exe
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Adware:adware/adsmart No disinfected C:\dkload.exe
Adware:adware/startpage.acd No disinfected C:\xxx.exe
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Adware:adware/savenow No disinfected Windows Registry
Dialer:dialer.xd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\SYSTEMCHECK2
Adware:adware/xplugin No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-192836cc.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-192836cc.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-192836cc.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-192836cc.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-7749889b.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-7749889b.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-7749889b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-7749889b.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7c31c2d1.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7c31c2d1.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7c31c2d1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7c31c2d1.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7b975c36-449c1eb0.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7b975c36-449c1eb0.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7b975c36-449c1eb0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aleksandar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7b975c36-449c1eb0.zip[Installer.class]
Virus:Trj/Downloader.YD Disinfected C:\Documents and Settings\Aleksandar\Desktop\crx\CorelDRAW_Graphics_Suite_v12.zip[zqb.exe]
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Aleksandar\Desktop\software\adware\backups\backup-20050831-190659-326.inf
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Aleksandar\Desktop\software\adware\backups\backup-20050831-190659-578.inf
Adware:Adware/SaveNow No disinfected C:\Program Files\BearShare\Installer\saveinstwm.exe
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\gltdwif.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\dumpsprep.exe
Virus:Trj/DNSChanger.I Disinfected C:\WINDOWS\system32\ipdnssec6.exe
Dialer:Dialer.AVB No disinfected C:\WINDOWS\system32\qwinnta.exe
Possible Virus. No disinfected D:\tema_broja\desktop\EssentialPIM\essentialpim1_usb.zip[EssentialPIM.exe]
 
Please turn off wordwrap or close the spacing on your log as it's hard to read.

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Download and install Cleanup but DO NOT run it yet!

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once you reboot...boot back to safe mode.

Clear your Java Cache..

1. From the Start button, click Settings > Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

C:\Documents and Settings\Aleksandar\Desktop\software\adware\backups <--delete ALL files in that folder (KEEP the folder)


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Run HijackThis and fix the following entries...

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D15F28E-4710-4DF0-9593-27B21504E9C5}: NameServer = 69.50.176.156 195.225.176.31



Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\SYSTEM32\dumpsprep.exe
C:\WINDOWS\SYSTEM32\qwinnta.exe
C:\dkload.exe
C:\xxx.exe
C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
C:\WINDOWS\gltdwif.exe
C:\WINDOWS\system32\ipdnssec6.exe
C:\Program Files\BearShare\Installer\saveinstwm.exe


Once you reboot, run another Panda scan and post its log along with that Ewido scan log and a new HijackThis log.
 