Infected with blackbox.class,Dummy.class,verifierBug.class

Hi, I have an Avast AV and I have been infected with the following viruses: Blackbox.class, Dummy.class, VerifierBug.class

I think they all came from the same website, and Avast AV wasn't able to delete these viruses. I even tried scanning my MS XP S2 in safe mode but the antivirus couldn't detect them at all. Currently Avast can't detect these in either normal or safe mode.

My backup was also deleted by the AV because I forgot to uncheck system restore in my computer properties.

When I click on a Yahoo search page, another website keeps opening called "netwebsearch.com".

I used RAV online antivirus, Trend Micro, and I tried to scan it with Panda online AV but there was a problem and it didn't work. I think the virus might be preventing it, and also the interface of my Avast AV changed since the viruses executed themselves.

I still couldn't get rid of these viruses even though I tried Ad-Aware, Spybot, X-Cleaner, Stinger, a2.

I also keep getting a message from Avast saying DCOM Exploit from TCP packet 220 122 …

I don't know what else to do, please help!
Here is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 00:24:16, on 15/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\adprot.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Documents and Settings\Administrator\Desktop\Downloads1\hijackthis\HijackThis.exe
C:\Documents and Settings\Administrator\Desktop\Downloads1\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\Wizard.html
O8 - Extra context menu item: Download with Chrysanth Download Manager - C:\Program Files\Chrysanth\NETime\Download Manager [Free]\CSLink.html
O8 - Extra context menu item: Download@Once - C:\Program Files\Chrysanth\NETime\Download Manager [Free]\CSSnapShot.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page… - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\Parser.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip..{72AF9B5A-686D-4C04-90CB-4DC4238DDAA6}: NameServer = 213.1.119.97 213.1.119.98

You could try Eddy’s link

http://members.home.nl/edeijl/ache/cleaning.htm

What is adprot.exe? Even google comes up with almost nothing on it.

The rest of the log is ok.

I am brand new to this forum. I registered specifically to help out with this post.

I too had a problem with another IE window directed to "netwebsearch.com" popping up whenever I clicked on a search on Google, Yahoo, etc. In addition, I was getting some occasional adblaster2 popups. After hours and hours of analysis I figured out a solution.
Your HijackThis entry: O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll is the culprit. But if you remove (fix) it, it will appear again within a few seconds using a different dll such as 65322.dll or 123456.dll or some other number. If you look in your …WINDOWS/SYSTEM32, you should see a pair of files called 43152.dll and 43152.exe. If you run your mouse over them you will see that they are from a company named ESD Technologies. You probably will see other such matching pairs that are basically the same program and dll, but named differently. They all start with numbers followed by .exe and .dll. Any one of these exe's can create the BHO entry that is causing your problem (with its matching dll). NOW, if you delete them all, NEW PAIRS WILL APPEAR AGAIN AND CREATE THE BHO ENTRY AGAIN!!!
HOW DID I STOP IT??? Well, from what I have been able to determine, the program adprot.exe is responsible for creating these exe/dll pairs that in turn create your BHO entry. >:(
Here is what I did to finally get rid of this nightmare:

  1. I went into Task Manager and deleted the running process adprot.exe.
  2. I deleted the program adprot.exe from the hard drive.
  3. I executed REGEDIT from the Run window, did a find on "adprot.exe", and deleted the registry entry that contained this program. This registry entry was starting adprot.exe whenever I booted up.
  4. I went back into Task Manager and deleted the running process that created the BHO entry. It should have the same name as the dll file in the BHO entry.
  5. I used HijackThis to fix (remove) the offending BHO entry.
  6. IMMEDIATELY, I went back into my Windows/System32 folder and deleted all the exe/dll pairs of files that have this ESD Technologies signature. You should be able to find them all grouped together in your Windows/System32 folder if you sort by name (since they all start with numbers). Again, if you run your mouse over them you will see the ESD Technologies signature.
  7. I emptied my recycle bin.

This seems to have fixed the problem. Good luck. Please feel free to contact me via email if you have any questions.
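The two checks this reply does by hand (spotting an O2 BHO that points at an all-digit DLL name, and finding the matching <digits>.exe / <digits>.dll pairs in System32) can be scripted. The Python below is an added example, not code from the thread or from HijackThis; the log excerpt reuses the CLSID and 43152.dll path quoted above, and the System32 listing is constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis excerpt modelled on the log posted in the thread;
# the CLSID and the 43152.dll path are the ones quoted there, the rest is sample data.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Constructed directory listing standing in for C:\WINDOWS\system32
SAMPLE_SYSTEM32 = [
    "43152.dll", "43152.exe", "65322.dll", "65322.exe",
    "kernel32.dll", "adprot.exe", "12345.dll",  # 12345 has no matching .exe
]

# O2 lines look like: O2 - BHO: <name> - {<CLSID>} - <path to dll>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def is_numeric_name(filename: str) -> bool:
    """True for names like 43152.dll: the stem (name without extension) is digits only."""
    return PureWindowsPath(filename).stem.isdigit()


def suspicious_bhos(log_text: str) -> list[tuple[str, str]]:
    """Return (CLSID, DLL path) for every O2 entry whose DLL has an all-digit name,
    the pattern the reply describes (43152.dll, 65322.dll, ...)."""
    hits = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m and is_numeric_name(m.group("path")):
            hits.append((m.group("clsid"), m.group("path")))
    return hits


def numeric_exe_dll_pairs(listing: list[str]) -> list[str]:
    """Step 6 of the reply: stems that exist as BOTH <digits>.exe and <digits>.dll."""
    by_stem: dict[str, set[str]] = {}
    for name in listing:
        p = PureWindowsPath(name)
        if p.stem.isdigit():
            by_stem.setdefault(p.stem, set()).add(p.suffix.lower())
    return sorted(stem for stem, exts in by_stem.items() if {".exe", ".dll"} <= exts)


if __name__ == "__main__":
    for clsid, path in suspicious_bhos(SAMPLE_LOG):
        print("suspicious BHO:", clsid, path)
    print("numeric exe/dll pairs:", numeric_exe_dll_pairs(SAMPLE_SYSTEM32))
```

On a real machine the listing would come from `os.listdir(r"C:\WINDOWS\system32")`; a lone numeric file without its partner (12345.dll above) is deliberately not reported, matching the pair rule in the reply.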