afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > trojan.popper
trojan.popper
fincab
30. June 2006 @ 08:41
Hi everyone:
My PC is infected with trojan.popper. I have Spyware Doctor, Spy Sweeper, and Norton Internet Security. None of them can eliminate it. They find it, say it's been deleted, but it always reappears. I called Norton; they charged me $40 to direct me to a FREE page of instructions that I had already tried. When I complained they just hung up!!! Can ANYBODY help?!?!? Trojan.popper is interfering with a lot of programs.

Thank you, thank you, thank you.
Senior Member
30. June 2006 @ 08:48
Hi fincab

Please send a hijack log

Instructions:
http://forums.afterdawn.com/thread_view.cfm/263784

Well, there aren't any spammers like that -> tapiiri

http://www.virustorjunta.net/index.php
fincab
30. June 2006 @ 09:38
Hi:
Thanks for the quick response. Here is the file:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:32 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
G:\PC BackUp\NMSAccess.exe
G:\PC BackUp\NSENGINE.exe
g:\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\QuickTime\qttask.exe
G:\PC BackUp\NbkCtrl.exe
E:\Program Files\Messenger\msmsgs.exe
G:\SPYWAR~1\swdoctor.exe
E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\H. Finn MD.HSF.004\Local Settings\Temporary Internet Files\Content.IE5\UND3Z2UZ\HijackThis_v1.99.1[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVD43] F:\DVDREG~2\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "G:\PC BackUp\NbkCtrl.exe"
O4 - HKCU\..\Run: [NBJ] "F:\Nero\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NsEngine - Unknown owner - G:\PC BackUp\NSENGINE.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - g:\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Senior Member
30. June 2006 @ 10:09
Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
Run the file mwav.exe and unzip it to its default location, C:\Kaspersky

1. Updating the scanner (close the eScan window if open)
-> Go to My Computer
-> C:\
-> Kaspersky
-> Run the file kavupd.exe, it starts downloading updates
-> When downloading is finished, go to C:\Downloads
-> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
-> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
-> Answer Yes to all when it asks about replacing files
-> Now the scanner has been updated

2. Scanner settings
-> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
-> The scanner window opens
-> Select the same settings as in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
-> When ready, press the Scan Clean button
-> Scanning for infections begins

3. Posting the results
-> When the scan has finished (the scan may take quite a long time), you'll need to post the findings
-> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
-> Click the field, press CTRL+A, CTRL+C
-> Then open Notepad and paste the findings into a new document by pressing CTRL+V
-> Save the document to your desktop
-> Post the contents of that text file here

Reboot the computer
Send the requested logs

fincab
30. June 2006 @ 19:32
tapiiri:

Here are the files you asked for.

And again, Thanks so much for your help!


SmitFraudFix v2.65

Scan done at 20:28:51.60, Fri 06/30/2006
Run from F:\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» E:\


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\H. Finn MD.HSF.004\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\HFINNM~1.004\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

=====================================================================

Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\064F7AAF.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\0A4E076D.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\103A42A1.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\138D18B0.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\21FD5F29.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\22000926.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\3015226E.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\38CD5642.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\4DEA5CBC.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\5210342F.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\57BD2FEF.exe infected by "Trojan.Win32.Dialer.oy" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\66561FF3.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\665949EF.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\68460DD1.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\684D61C9.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\78EB7503.exe infected by "Trojan-Downloader.Win32.Zlob.rj" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005779.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005780.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005781.exe infected by "Trojan-Downloader.Win32.Small.bke" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005782.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005784.dll infected by "Backdoor.Win32.Agent.oo" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005785.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005786.exe infected by "Trojan-Downloader.Win32.Small.ayl" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005787.exe tagged as "not-a-virus:AdWare.Win32.Raze.a". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005788.exe infected by "Trojan-Downloader.Win32.Agent.sy" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP78\A0006962.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP79\A0007514.exe tagged as not-a-virus:Downloader.Win32.Agent.h. No Action Taken.

..............................................................................................................................................................................................................................

Total Critical Objects: 30
Total Errors: 67
Senior Member
30. June 2006 @ 22:48
Clean your System Restore:

http://www.pchell.com/virus/systemrestore.shtml

Only these need closer examination.

Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.

Locate and remove EZULA

* Reboot your computer in Safe Mode

http://www.pchell.com/support/safemode.shtml

* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Send it here along with a fresh HjT log.

fincab
30. June 2006 @ 23:36
Here are the other logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:54 AM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
G:\PC BackUp\NMSAccess.exe
G:\PC BackUp\NSENGINE.exe
g:\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
G:\PC BackUp\NbkCtrl.exe
E:\Program Files\Messenger\msmsgs.exe
G:\SPYWAR~1\swdoctor.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Program Files\Symantec\LiveUpdate\AUpdate.exe
E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
E:\Documents and Settings\H. Finn MD.HSF.004\Local Settings\Temporary Internet Files\Content.IE5\UND3Z2UZ\HijackThis_v1.99.1[1].exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVD43] F:\DVDREG~2\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "G:\PC BackUp\NbkCtrl.exe"
O4 - HKCU\..\Run: [NBJ] "F:\Nero\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NsEngine - Unknown owner - G:\PC BackUp\NSENGINE.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - g:\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

====================================================================
SmitFraudFix v2.65

Scan done at 20:28:51.60, Fri 06/30/2006
Run from F:\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode ***[It says "normal mode", but it was in Safe Mode.]***

»»»»»»»»»»»»»»»»»»»»»»»» E:\


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\H. Finn MD.HSF.004\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\HFINNM~1.004\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

====================================================================

So, am I cured?
Senior Member
30. June 2006 @ 23:38
Yes, looks good :)

fincab
1. July 2006 @ 09:41
Unfortunately, the virus was not removed. When running a backup, I again got the following alert message from Norton Antivirus. It is the same one I always get:

Virus Location: \device\HarddiskVolumeShadowCopy3\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.EXE

Virus: Trojan.Popper

Action Taken: Unable to repair this file.

Action Taken: Access to the file was denied.

===============================================================

Below are the removal instructions from Symantec. However, there is no "Windows Overlay Components" in services.msc, and none of the registry keys listed can be found by me or by the registry FIND command.


3. To find and stop the service
Click Start > Run.
Type services.msc, and then click OK.
Locate and select the service "Windows Overlay Components".
Click Action > Properties.
Click Stop.
Change Startup Type to Manual.
Click OK and close the Services window.

4. To scan for and delete the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, click Delete.


Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


5. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete any values that refer to the filenames noted in Step 4(c) above. The value will be of the form:

"random" = "%Windir%\[RANDOM].exe"


Navigate to and delete the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Overlay Components
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Overlay Components


Exit the Registry Editor.

=================================================================

This is SO frustrating!!! Any other ideas?

Thanks
Senior Member
2. July 2006 @ 00:02
Hi fincab,

Update eScan and Norton.

Turn off your System Restore:

http://www.pchell.com/virus/systemrestore.shtml


* Reboot your computer in Safe Mode

http://www.pchell.com/support/safemode.shtml

Scan with both: eScan on all hard drives

and Norton:

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, click Delete.

Boot normally. Let me know if any error messages appear after rebooting.


Then I'll make a fix script for the registry.



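An added example, not part of the thread and not a vendor tool, covering the triage tapiiri did on the eScan results (only the pathless "Object ... found in File System" hits needed closer examination) and the Norton alert fincab quoted afterwards: it buckets each detection by where the file lives and checks that the shadow-copy path Norton keeps alerting on is the same restore-point file eScan already listed, which is why clearing System Restore is the fix. Sample lines are copied from the thread's reports except the example.dll hit, which is constructed.

```python
"""Triage helper for the eScan and Norton findings quoted in this thread.

Added example; not part of the thread and not a vendor tool. Detections are
bucketed by where the file lives: copies inside AV quarantine or System
Restore points are inert and go away once System Restore is cleared, while
live paths and "Object ... found in File System" lines (no path given) are
the ones that need closer examination.
"""
import re

# Line shapes of the eScan (mwav) report as quoted in the thread.
INFECTED_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as "?(?P<name>[^"\s]+?)"?\.\s')
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')

# Norton names files through the shadow-copy device instead of a drive letter,
# e.g. \device\HarddiskVolumeShadowCopy3\System Volume Information\...
SHADOW_PREFIX_RE = re.compile(r"^\\device\\harddiskvolumeshadowcopy\d+\\", re.IGNORECASE)
DRIVE_PREFIX_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def normalize_path(path):
    """Lower-case, volume-relative form so the same file compares equal whether
    it was reported via a drive letter or via a shadow-copy device path."""
    p = path.strip().lower()
    p = SHADOW_PREFIX_RE.sub("", p)
    return DRIVE_PREFIX_RE.sub("", p)


def classify_location(path):
    """Bucket a detection by where the file sits on disk."""
    p = normalize_path(path)
    if p.startswith("system volume information\\_restore{"):
        return "system-restore"   # restore-point copy: clear System Restore
    if "\\norton antivirus\\quarantine\\" in p:
        return "av-quarantine"    # already quarantined by Norton: inert
    return "live"                 # anything else is on the running system


def parse_escan_line(line):
    """Parse one eScan result line into (name, path, location), or None."""
    m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
    if m:
        return m.group("name"), m.group("path"), classify_location(m.group("path"))
    m = OBJECT_RE.match(line)
    if m:
        return m.group("name"), None, "unlocated"   # eScan gave no path
    return None


def triage(report_text):
    """Group findings by location; 'live' and 'unlocated' need a closer look."""
    buckets = {"live": [], "unlocated": [], "system-restore": [], "av-quarantine": []}
    for line in report_text.splitlines():
        parsed = parse_escan_line(line)
        if parsed:
            buckets[parsed[2]].append(parsed)
    return buckets


def same_file(path_a, path_b):
    """True when two differently spelled paths name the same file."""
    return normalize_path(path_a) == normalize_path(path_b)


# Sample input: four lines copied from the thread's eScan report plus one
# constructed live-path hit (example.dll does not appear in the thread).
SAMPLE_REPORT = (
    'Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.\n'
    "File E:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Symantec"
    "\\Norton AntiVirus\\Quarantine\\064F7AAF.exe infected by"
    ' "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.\n'
    "File E:\\System Volume Information\\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}"
    '\\RP58\\A0007847.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.\n'
    "File E:\\System Volume Information\\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}"
    "\\RP78\\A0006962.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.\n"
    'File E:\\WINDOWS\\system32\\example.dll infected by "Backdoor.Win32.Agent.oo" Virus! Action Taken: No Action Taken.\n'
)

# The location Norton kept alerting on, as quoted later in the thread.
NORTON_ALERT_PATH = (
    "\\device\\HarddiskVolumeShadowCopy3\\System Volume Information"
    "\\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\\RP58\\A0007847.EXE"
)

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for name, path, _ in items:
            print(f"  {name}  <-  {path or '(no path given)'}")
    for name, path, _ in result["system-restore"]:
        if same_file(path, NORTON_ALERT_PATH):
            print(f"Norton's alert is the restore-point copy eScan listed: {name}")
```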
fincab
2. July 2006 @ 11:07
Hi:

The same error message appeared.

Sorry