|
|
|
w32.Myzor.FK@yf
|
|
|
dayglow2
Newbie
|
21. June 2006 @ 19:30 |
Link to this message
|
Hallo all.....
I have a problem with a virus called w32.Myzor.FK@yf -- I read other threads about the same problem wich other people had with this virus. I did a scan with SmitFraudFix and followed steps 1 and two where the program detects the virus and where it removes infected file, I also did the system registry fix with SmitFraudFix.
The Virus redirects me to a ddodgy website where a popup appears that says taht I have been infected with the w32.Myzor.FK@yf virus. In the beginning popups appeared in my system tray and I couldn't remove them. They also redirected me to this dodgy site. I did a scan with Norton Ativirus and managed to get rid of the popoups.
I still get redirected to this site and it seems that I am still infected with this virus.......
.......can anyone please help me? S.O.S!..........
Here's a HijackThis scan I did.......
Logfile of HijackThis v1.99.1
Scan saved at 05:18:13 AM, on 2006/06/22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\Mam2Pan.Exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ismon.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\galopsop\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7fcf04b6-6354-47ef-b45e-a48268e92757} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mam2Pan] Mam2Pan.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
..........Please help.......... I will try to do aanother SmitFraudFix scan and paste it later.....thanx!
|
|
Advertisement
|
|
|
|
Senior Member
|
22. June 2006 @ 09:01 |
Link to this message
|
Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop:
Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)
Post the contents of this textfile to here.
(Some antiviruses recognises process.exe as a malware. It is not malware, it is a program that stops processes)
Send a fresh hijack log and rapport.txt
|
|
dayglow2
Newbie
|
22. June 2006 @ 09:29 |
Link to this message
|
Hi Tapirii!
Thanks for the reply! I really apreciate it!
Here's what I got with SmitFraudFix:
SmitFraudFix v2.63
Scan done at 19:21:51.01, 2006/06/22
Run from C:\Documents and Settings\galopsop\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ixt0.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\galopsop\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
.....I managed to get rid of most of the harmfull files and the one: ixt0.dll , keeps on adding itself into my system32 folder, even if I delete it within safe mode or with SmitFraudFix. I also get redirected to this site the whole time..... So, somehow the file ixt0.dll keeps comming back............what to do?
here's a fresh hijack log..........
Logfile of HijackThis v1.99.1
Scan saved at 07:28:15 PM, on 2006/06/22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\Mam2Pan.Exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ismon.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\galopsop\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7fcf04b6-6354-47ef-b45e-a48268e92757} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mam2Pan] Mam2Pan.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE254B04-534C-47EA-A2DF-7933E7DC1085}: NameServer = 168.210.2.2 196.14.239.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
|
|
dayglow2
Newbie
|
22. June 2006 @ 09:45 |
Link to this message
|
|
Hi, I just realised that this virus also interferes with my web browsing. It redirects to a "The page cannot be displayed" page wich doesent look similar to windows' version. It also displays a bar at the top saying that the page i'm looking for is blocked by spyware. The bar also supplies a link to, you guessed it, that dodgy virus homepage...........
|
Senior Member
|
22. June 2006 @ 10:03 |
Link to this message
|
Please download ewido anti malware it is a free version of the program -> http://www.ewido.net/en/download/
1. Install ewido security suite
2. When installing, under "Additional Options" uncheck..
* Install background guard
* Install scan via context menu
3. Launch ewido, there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
6. You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates -> http://www.ewido.net/en/download/updates/
Once the updates are installed do the following:
Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.
Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.
Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\ismon.exe
Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.
(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe form here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)
Reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.
Tha log is saved to your local diskdrive, usually C:\rapport.txt.
Warning : Running option 2 in a clean computer will delete your desktop wallpaper.
Launch ewido:
* Click on scanner
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.
Reboot back to normal mode
Send a ewido report Smithfraudfixes rapport.txt and a fresh hijack log
|
|
dayglow2
Newbie
|
22. June 2006 @ 13:26 |
Link to this message
|
Hallo again Tpiiri! and thanks again for helping, it feels as though i'm getting somewhere........
Ok, like you ordered..........
......one order of a SmitFraudFix report special...........
(this is the report I got after I cleaned)........
SmitFraudFix v2.63
Scan done at 22:43:18.25, 2006/06/22
Run from C:\Documents and Settings\galopsop\Desktop\VIRUS\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
.........a side order of an Ediwo Report..........
(recieved 87 infected objects, I dont't know if I should really be alarmed, what should I do about the infections it found? The procedure with running Ediwo was different than you described. It did'nt give me the options at startup to * Install background guard * Install scan via context menu. And I was'nt prompted to clean the first infection. Does this matter?) anyway.........
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:12:46 PM 2006/06/22
+ Scan result:
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047012.dll -> Adware.WinAD : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047013.exe -> Adware.WinAD : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047014.exe -> Adware.WinAD : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047015.exe -> Adware.WinAD : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047016.exe -> Adware.WinAD : No action taken.
C:\!KillBox\ishost.exe -> Downloader.Zlob.qd : No action taken.
C:\!KillBox\ismon.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP259\A0043749.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP260\A0044748.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045482.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045523.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045608.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045633.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045648.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045650.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045716.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045764.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045785.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045823.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045831.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0046832.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0046833.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047010.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047101.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047212.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048211.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048250.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048262.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048285.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048299.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048305.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048586.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048620.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048636.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048645.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048662.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049664.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049672.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049709.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049716.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049723.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049737.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049746.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049754.exe -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049801.EXE -> Downloader.Zlob.qd : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049803.EXE -> Downloader.Zlob.qd : No action taken.
C:\!KillBox\issearch.exe -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP259\A0043748.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP260\A0044749.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045483.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045524.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045609.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045632.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045647.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045651.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045715.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045765.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045786.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045822.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045830.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0046831.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047009.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047100.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047211.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048212.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048249.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048263.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048286.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048298.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048306.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048585.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048619.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048635.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048653.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048671.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049662.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049671.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049707.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049715.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049724.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049730.dll -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049745.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049753.DLL -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049802.EXE -> Downloader.Zlob.uf : No action taken.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049809.DLL -> Downloader.Zlob.uf : No action taken.
C:\WINDOWS\SYSTEM32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.cv : No action taken.
C:\Documents and Settings\galopsop\Cookies\galopsop@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
::Report end
............and some hijack desert :-)...........
Logfile of HijackThis v1.99.1
Scan saved at 11:24:32 PM, on 2006/06/22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Mam2Pan.Exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\galopsop\Desktop\VIRUS\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mam2Pan] Mam2Pan.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE254B04-534C-47EA-A2DF-7933E7DC1085}: NameServer = 168.210.2.2 196.14.239.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.....thanks come again............
|
Senior Member
|
22. June 2006 @ 20:18 |
Link to this message
|
Hi dayglow2,
Better now, but you didn't follow instructions :
Quote:
Launch ewido:
* Click on scanner
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
Thats why Ewido didn't remove anything :(
Quote:
C:\WINDOWS\SYSTEM32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.cv : No action taken.
C:\Documents and Settings\galopsop\Cookies\galopsop@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
Do that ewido scan in Safe mode again
Launch ewido:
* Click on scanner
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
Send a ewido report and a fresh hijack log
|
|
dayglow2
Newbie
|
23. June 2006 @ 16:41 |
Link to this message
|
Heya Tpiiri!
I cleanned my system with ewido and the problem seemed to go away. I'm just worried that some of my system files might have been deleted to. I hope everything is ok.......
.........anyway Thanks again.........
.........Here is the Ewido Report I got after I cleanned......
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:27:56 PM 2006/06/22
+ Scan result:
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047012.dll -> Adware.WinAD : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047013.exe -> Adware.WinAD : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047014.exe -> Adware.WinAD : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047015.exe -> Adware.WinAD : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047016.exe -> Adware.WinAD : Cleaned.
C:\!KillBox\ishost.exe -> Downloader.Zlob.qd : Cleaned.
C:\!KillBox\ismon.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP259\A0043749.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP260\A0044748.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045482.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045523.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045608.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045633.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045648.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045650.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045716.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045764.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045785.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045823.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045831.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0046832.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0046833.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047010.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047101.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047212.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048211.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048250.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048262.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048285.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048299.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048305.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048586.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048620.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048636.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048645.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048662.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049664.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049672.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049709.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049716.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049723.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049737.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049746.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049754.exe -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049801.EXE -> Downloader.Zlob.qd : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049803.EXE -> Downloader.Zlob.qd : Cleaned.
C:\!KillBox\issearch.exe -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP259\A0043748.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP260\A0044749.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045483.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045524.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045609.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045632.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP261\A0045647.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045651.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045715.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045765.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045786.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045822.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0045830.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0046831.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047009.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047100.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0047211.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048212.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048249.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048263.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048286.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048298.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP262\A0048306.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048585.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048619.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048635.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048653.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0048671.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049662.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049671.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049707.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049715.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049724.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049730.dll -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049745.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP263\A0049753.DLL -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049802.EXE -> Downloader.Zlob.uf : Cleaned.
C:\System Volume Information\_restore{EC1E2808-B3C9-4A5A-B632-7F08103FF69B}\RP264\A0049809.DLL -> Downloader.Zlob.uf : Cleaned.
C:\WINDOWS\SYSTEM32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.cv : Cleaned.
C:\Documents and Settings\galopsop\Cookies\galopsop@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
::Report end
................. Here is a fresh hijack report...........
Logfile of HijackThis v1.99.1
Scan saved at 02:41:09 AM, on 2006/06/24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Mam2Pan.Exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\galopsop\Desktop\VIRUS\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mam2Pan] Mam2Pan.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE254B04-534C-47EA-A2DF-7933E7DC1085}: NameServer = 168.210.2.2 196.14.239.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
..............peace...........!
|
Senior Member
|
24. June 2006 @ 03:38 |
Link to this message
|
|
Yes it looks good,
However, ewido cleans system restore points. So the lurks are gone before ...
|
|
dayglow2
Newbie
|
25. June 2006 @ 23:07 |
Link to this message
|
|
Cool, thank you so much Tapiiri!!
Cool, so does everything look ok now, is the virus gone?
|
Senior Member
|
26. June 2006 @ 05:25 |
Link to this message
|
|
Yes virus is gone
Happy surfing
|
|
dayglow2
Newbie
|
26. June 2006 @ 15:05 |
Link to this message
|
|
Cool, you kick ass Tapiiri! I have already added this site to my favorites. You guys saved me a bit of cash to!
<:-> :) Peace !
|
|
Hamshadow
Newbie
|
26. June 2006 @ 15:45 |
Link to this message
|
|
Hello, I was wondering if I should start a new thread or if I should ask for help in this topic as well? I'm having the same problem as what was posted in here. Thank you.
|
|
dayglow2
Newbie
|
26. June 2006 @ 20:35 |
Link to this message
|
|
just start a new thread and someone will help you.............
|
|
Hamshadow
Newbie
|
27. June 2006 @ 08:21 |
Link to this message
|
|
All right, thanks.
|
|
Andre28
Newbie
|
28. June 2006 @ 18:15 |
Link to this message
|
Hi tapiiri,
I've been following your advice to dayglow2, since I've got a similar problem.
Maybe you can help me out.
Here is a log of Smitfraudfix:
SmitFraudFix v2.65
Scan done at 12:14:00.14, Thu 29/06/2006
Run from C:\Documents and Settings\christopher worsfold\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\christopher worsfold\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
And here is a log of Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 12:11:16 PM, on 29/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to Ad-Watch.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I would really appreciate your advice.
Thanks.
|
Senior Member
|
29. June 2006 @ 05:29 |
Link to this message
|
|
Hi Andre28
There is no traces off smithfraud.
Scan hijack and check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
Close all programs and click fix checked.
Boot comp and send a fresh hijack log
|
|
Andre28
Newbie
|
29. June 2006 @ 11:04 |
Link to this message
|
Hi tapiiri, thanks for your reply.
I had troubles after visiting a site that offered free serials. Seems they dumped a lot of malware on my pc, then tried to get me to buy their removal software. Some of the malware is still lodged on the pc. For instance, adaware keeps finding two cases of 'Virtumonde'; yet though I remove them each time, they are always there next time round.
I have scanned with adaware, Spybot, norton and ewido. Altogether they removed hundreds of bits of malware (ewido detected by far the most).
After following your advice to dayglow2 I was able to stop my browser from being redirected to the culprit's site.
Here is the new hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 7:41:21 AM, on 30/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\christopher worsfold\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to Ad-Watch.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
|
Senior Member
|
29. June 2006 @ 11:35 |
Link to this message
|
Hi Andre28
Vundo or virtualmundo don't exist in hijack log.
Please download here -> http://www.atribune.org/ccount/click.php?id=4 VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on and post a fresh HjT-log along with
contents of C:\vundofix.txt
|
|
Andre28
Newbie
|
30. June 2006 @ 15:36 |
Link to this message
|
Hi tapiiri,
Thank you so much for you help.
Here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:32:52 AM, on 1/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\christopher worsfold\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel
PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue
CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program
Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to Ad-Watch.lnk = C:\Program Files\Lavasoft\Ad-Aware SE
Personal\Ad-Watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program
files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program
Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe
Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe
Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe
Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version
Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common
Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter
Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network
Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program
Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program
Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation -
C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program
Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation -
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Here is the VundoFix log:
VundoFix V4.2.84
Running as SYSTEM
from c:\windows\system32\VundoFix.exe
Checking Java version...
Java version is 1.4.2.3
Scan started at 9:28:10 AM 1/07/2006
Listing files found while scanning....
C:\WINDOWS\system32\xxyvuvt.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\ddcyx.dll
Attempting to delete C:\WINDOWS\system32\xxyvuvt.dll
C:\WINDOWS\system32\xxyvuvt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Seems like there's some files that wont budge.. :s
|
Senior Member
|
30. June 2006 @ 23:08 |
Link to this message
|
Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.
Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.
Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)
C:\WINDOWS\system32\xxyvuvt.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\ddcyx.dll
Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.
(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe form here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)
After reboot scan with vundofix again
Then Rename HijackThis for examble fixer.exe
Scan that fixer (hijack) and send a fresh log and vundofix raport
|
|
Andre28
Newbie
|
1. July 2006 @ 01:36 |
Link to this message
|
Hi tapiiri,
I followed your instructions, yet when I pressed the delete key on Killbox it said: 'Verifying Registry Entries, Plz wait Click here to abort shutdown...' Then it came with a message saying: 'PendingFileRenameOperations Registry Data has been Removed by External Process!'
At any rate here is the log 'Fixer' (HijackThis):
Logfile of HijackThis v1.99.1
Scan saved at 7:31:50 PM, on 1/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\christopher worsfold\Desktop\hijackthis\fixer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24C98996-D83A-46DB-BBCF-4AF23969B050} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to Ad-Watch.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
VundoFix V4.2.84
Running as SYSTEM
from c:\windows\system32\VundoFix.exe
Checking Java version...
Java version is 1.4.2.3
Scan started at 7:26:24 PM 1/07/2006
Listing files found while scanning....
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\ddcyx.dll
Attempting to delete C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.dll Could not be deleted.
Performing Repairs to the registry.
Done!
|
Senior Member
|
1. July 2006 @ 06:12 |
Link to this message
|
Yes, you did do right, There is hidden vundo.
Lets try this one, updated vundofix
Please download vundofix to desktop:
http://www.atribune.org/ccount/click.php?id=4
* Doubleclikc VundoFix.exe to run it.
* mark "Run VundoFix as a task".
* Appears message "Vundofix will close and re-open in a minute or less". Click OK.
* When Vundofix reopens, Click Scan for Vundo.
* Wait until scan is ready , right-Click in inside window (White screen where is listed files founded) And choise "Add more files"
* Copy and paste follow 2 lines to two upper screen
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\xycdd.*
* Click "Add Files" and then Click "Close Window".
* Click "Remove Vundo" .
* Appears a message which is asked do you want delete selected files , Click YES.
* After that, Desktop will be empty and deleting of Vundois happening .
* When it is finish , Appears message which asks to Reboot computer Click OK.
* Reboot your comp.
* Send C:\vundofix.txt and a fresh fixer.exe.exe (HijackThis) log.
|
|
Andre28
Newbie
|
1. July 2006 @ 13:05 |
Link to this message
|
Hi tapiiri,
seems it wouldn't allow me to paste C:\WINDOWS\system32\xycdd into Vundofix for some reason.
As I was about to come back to this site to post this reply to you I got two now familiar pop-up web pages: http://www.winantiviruspro.com/pages/newcontent/?aid=nm_go_wavna_... and http://scanner.sysprotect.com/pages/scanner/?p=21&ex=1&ax=2&aid=n...
Do they honestly think Im going to buy their software after what they've done?!
At any rate here is the log for Vundfix:
Attempting to delete C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.dll Could not be deleted.
Performing Repairs to the registry.
Done!
And new fixer.exe.exe (HijackThis) log:
Logfile of HijackThis v1.99.1
Scan saved at 6:58:01 AM, on 2/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\christopher worsfold\Desktop\hijackthis\fixer.exe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {641A58B3-A6EC-4599-AF24-816D7C371DDC} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to Ad-Watch.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I really appreciate your help tapiiri. This malware is damn stubborn!
|
|
Advertisement
|
|
|
Senior Member
|
1. July 2006 @ 23:05 |
Link to this message
|
Ok we'll have to use a stronger tool....
1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to desktop
2. Copy all text in quote box below to Notepad (starting from
Files to delete:)
Files to delete:
C:\WINDOWS\system32\xxyvuvt.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp
C:\WINDOWS\system32\xycdd.tmp1
C:\WINDOWS\system32\xycdd.tmp2
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.ini
C:\WINDOWS\system32\ddcyx.bak
Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system
3. Now, open The Avenger
->"Below Script file to execute" select "Input Script Manually".
->Now click magnifying glass which opens a new window "View/edit script".
-> Paste the text you earlier copied to Notepad here
-> Click Done.
-> Now click green light in order to start script.
-> Click "Yes" .
4.Avenger will do the following
-> Reboot your computer.
-> While booting, it will open a dos prompt, it's normal
-> After reboot it will create a logfile which should open . This log is in C:\avenger.txt
-> Avenger has created a backup here -> C:\avenger\backup.zip.
5. Copy/paste contents of avenger.txt along with a fresh HjT-log.
|
|
