Downloader.Small.EQ trojan - HJT log included

Discussion in 'adware, spyware & hijack cleaning' started by Mur68, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. Mur68

    Mur68 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    4
    Downloader.Small.EQ trojan - updated HJT log

    My computer started acting funny yesterday after I received a suspicious e-mail. I ran my normal AV (eTrust EZ Antivirus) and it did not find anything. So then I ran Panda, Trendmicro, Symantec, McAfee and Ravantivirus scans, which found a couple of things, but I could tell there was still something wrong. Then I found a post which suggested AVG Anti-Virus. AVG has found Trojan Downloader.Small.EQ, and says that it is in this file:

    c:\Documents and Settings\Noelie Burke\Local Settings\Temporary Internet Files\Content.IE5\YXPY3MTS\Browser_Plugin[1].exe. It doesn't always say YXPY3MTS; sometimes it's KBD76AJ5, or NYSZBTSX.

    AVG heals this trojan, but it comes back within seconds. What I've done so far:

    The virus scans mentioned above.
    Run AdAware and SpyBot several times.
    Manually removed the file.
    Manually removed the file in safe mode.
    Healed with AVG at least three times.
    EDIT: I also deleted all Temp Files, Temporary Internet Files and Cookies and turned off system restore.

    It just won't leave. :( Any help would be greatly appreciated. Here's my HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:10:10 PM, on 6/22/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\BellSouth\Client Foundation\CFD.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\windows\system\helper.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Amaprt\MainSrv.exe
    C:\Amaprt\AmaPrt.exe
    C:\Amaprt\ComAdapt.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoTask.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Noelie Burke\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://na.agentnet.com/anet/index.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe"
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKLM\..\Run: [help] C:\windows\system\helper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: *.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/ski/x/jmp8x.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://us.amadeusvista.com/common/cabs/VistaPWComms.CAB
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/DownloadManager.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeusvista.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E037FC50-FE36-11D3-BEEB-00008322EEB5} (PPUpdate Class) - http://us.amadeusproweb.com/proprinter/PPUpdateATL.CAB
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://us.amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4343/mcfscan.cab
     
    Last edited: Jun 24, 2004
  2. Mur68

    Mur68 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    4
    Since posting this, I have also updated with all Microsoft updates. I've also run more AV and trojan scans, to no avail. Also, I thought I would post what the file is that keeps popping into my Temporary Internet Files. It is:

    hxxp://217.73.66.1/del/Browser_Plugin.exe

    Updated HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:16:38 PM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Amaprt\MainSrv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\BellSouth\Client Foundation\CFD.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\windows\system\helper.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Amaprt\AmaPrt.exe
    C:\Amaprt\ComAdapt.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoTask.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Noelie Burke\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://na.agentnet.com/anet/index.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe"
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKLM\..\Run: [help] C:\windows\system\helper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
    O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: *.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/ski/x/jmp8x.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://us.amadeusvista.com/common/cabs/VistaPWComms.CAB
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/DownloadManager.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeusvista.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38160.9163888889
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E037FC50-FE36-11D3-BEEB-00008322EEB5} (PPUpdate Class) - http://us.amadeusproweb.com/proprinter/PPUpdateATL.CAB
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://us.amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4343/mcfscan.cab
     
    Last edited by a moderator: Jun 25, 2004
  3. Mur68

    Mur68 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    4
    Bump.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Mur68,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These will now end up on your desktop..

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKLM\..\Run: [help] C:\windows\system\helper.exe

    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/ski/x/jmp8x.exe

    Then reboot and in IE click Tools > Internet-options > General tab > Delete Files and put a checkmark in the confirmation box statingbthat you want to include offline content.

    Don't delete any other files yet. Let me know if it helped.

    Regards,

    Pieter
     
  5. Mur68

    Mur68 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    4
    Hi Pieter,

    Thank you soooo much for responding. :)

    I think it's gone. I'm afraid to speak to soon, but it's been an hour since I followed your directions, and I'm not getting anymore evil popups from AVG saying that the trojan is back, and that file isn't appearing in my temp internet file anymore. After the last week of this trojan, it's kind of hard to believe it's gone, but it looks like it is.

    Thank you again, I was really at wit's end. :D
     
Thread Status:
Not open for further replies.