Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Not open for further replies.
1 - 4 of 4 Posts

· Registered
27 Posts
Discussion Starter · #1 ·
I recently ran RAV Antivirus - Scan Online and it found 10 infections, what should I do?

Here is the scan log:

Scan started at 1/18/2005 4:42:15 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\>javainstaller/InstallerApplet.class - TrojanDownloader:Java/OpenStream.I -> Infected
C:\Documents and Settings\Mike\Local Settings\Temp\iinstall.exe - TrojanDownloader:Win32/IstBar.GF -> Suspicious
C:\Documents and Settings\Mike\Local Settings\Temp\optimize.exe - TrojanDownloader:Win32/Dyfuca.CZ -> Infected
C:\Program Files\Internet Explorer\dhosfgyx.exe - TrojanDropper:Win32/Small.gen -> Infected
C:\Program Files\Internet Explorer\exvqmbpp.exe - TrojanDropper:Win32/Small.gen -> Infected
C:\Program Files\Internet Explorer\voppqixb.exe - TrojanDropper:Win32/Small.gen -> Infected
C:\WINDOWS\emiqj.exe - TrojanDownloader:Win32/IstBar.GC -> Infected
C:\WINDOWS\SSK_B5.EXE - TrojanDropper:Win32/Small.NF -> Infected
C:\WINDOWS\Downloaded Program Files\exvqmbpp.exe - TrojanDropper:Win32/Small.gen -> Infected
C:\WINDOWS\Downloaded Program Files\server.exe - TrojanDropper:Win32/Small.gen -> Infected
C:\WINDOWS\system32\dnsauth.dll - TrojanProxy:Win32/Webber.L -> Infected
C:\WINDOWS\system32\dx9vbc.dll - TrojanProxy:Win32/Webber.M -> Infected
C:\WINDOWS\system32\hded.dll - HackTool:Win32/Hidproc.A -> Infected
C:\WINDOWS\system32\hdji.dll - HackTool:Win32/Hidproc.A -> Infected
C:\WINDOWS\system32\hdrq.dll - HackTool:Win32/Hidproc.A -> Infected
C:\WINDOWS\system32\iecust.dll - Trojan:Win32/StartPage.PU -> Infected
C:\WINDOWS\system32\msde.dll - TrojanDownloader:Win32/Agent.EX -> Infected
C:\WINDOWS\system32\msef.dll - TrojanDownloader:Win32/Agent.EX -> Infected
C:\WINDOWS\system32\mshi.dll - TrojanDownloader:Win32/Agent.EX -> Infected
C:\WINDOWS\system32\msst.dll - TrojanDownloader:Win32/Agent.EX -> Infected
C:\WINDOWS\system32\mstu.dll - TrojanDownloader:Win32/Agent.EX -> Infected
C:\WINDOWS\system32\setvers.exe->(UPXW) - TrojanDropper:Win32/Small.NA -> Suspicious

Objects: 27883
Directories: 1872
Archives: 6143
Size(Kb): 714108
Infected files: 20

Viruses found: 10
Suspicious files: 2
Disinfected files: 0
Mail files: 49

My current Highjack This log:

Logfile of HijackThis v1.99.0
Scan saved at 5:00:25 PM, on 1/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [WrCtrl] C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
O4 - Startup: Quick Macros.lnk = C:\Program Files\Quick Macros 2\qm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent - Prevx Ltd. - C:\Program Files\PREVX\Prevx Home\PXAgent.exe

· Registered
49,013 Posts
RAV did good, the log looks ok.

Delete all files in this folder C:\Documents and Settings\Mike\Local Settings\Temp

I assume you know what this is C:\Program Files\Quick Macros 2\qm.exe

· Registered
49,013 Posts
Not sure how it works, but I suspect it removed them as it could not clean them as they are not legit files.

You could look for them and delete them - Delete everything in this folder

C:\Documents and Settings\Mike\Local Settings\Temp

Turn off and then back on your restore points

Please get these for the future

AdAware SE
SpyBot S&D 1.3

DL them (they are free), install them, check each for their
definition updates
and then run AdAware and Spybot, fixing anything
they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize
1 - 4 of 4 Posts
Not open for further replies.