93sc

Last Stop before reinstall


I have been fighting with this for about a day now. I have run Avast multiple times in and out of safe mode, Spybot, and Norton and I can't get rid of whatever it is that's on this machine. The closest I have come to figuring things out is trojano-2873, but it keeps coming back. If anyone can give me something else to try before we reinstall that would be great.

 

Thanks

 

 

Logfile of HijackThis v1.99.1

Scan saved at 1:32:25 PM, on 4/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Ixia\Endpoint\endpoint.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\win3207947423132.exe

C:\WINDOWS\CheckS02.exe

C:\windows\mousepad9.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sathre-Bergquist, Inc.

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yxhxh.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll

O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [win3207947423132] C:\WINDOWS\win3207947423132.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe

O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe

O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe

O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\Software\..\Telephony: DomainName = sathre.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Hi 93sc and welcome to the PC Pitstop Forums.

 

My name is Trevuren and I will be helping you with your log.

 

 

You have a few more things going on here than I think you are aware of.

 

 

A. I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

 

B. 1. Please download Ewido Anti-Malware

  • Install ewido anti-malware.
  • Launch ewido; there should be an icon on your desktop, so double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click Update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
  • Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

 

2. Please download Brute Force Uninstaller to your desktop.

  • Right-click the BFU folder on your desktop, and choose Extract All.
  • Click "Next".
  • In the box to choose where to extract the files to, click "Browse".
  • Click on the + sign next to "My Computer".
  • Click on "Local Disk (C:)" or whatever your primary drive is.
  • Click "Make New Folder".
  • Type in BFU.
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

4. Once in Safe Mode, Open Ewido:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

 

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.

 

 

Regards,

 

Trevuren


The only reason I had 2 AV programs running was that Norton wasn't doing anything and I was trying to fix this current infection.

 

I have multiple Ewido logs because I could not run a full scan without the program crashing. I had to run the memory scan, let it clean itself out, then the registry scan and so on till I could run the full scan. I will be including everything I have for the sake of completeness.

 

Thanks again for your help.

 

HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 4:03:36 PM, on 4/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Ixia\Endpoint\endpoint.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sathre-Bergquist, Inc.

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll

O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe

O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run

O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe

O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\Software\..\Telephony: DomainName = sathre.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing)

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 

Ewido memory:

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 2:39:15 PM, 4/6/2006

+ Report-Checksum: BE699C80

 

+ Scan result:

 

[868] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup

[1208] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Error during cleaning

 

 

::Report End

 

Ewido fast:

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 3:00:53 PM, 4/6/2006

+ Report-Checksum: 788D4FBD

 

+ Scan result:

 

[868] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Error during cleaning

[880] C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Cleaned with backup

[920] C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Error during cleaning

[928] C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Error during cleaning

[952] C:\WINDOWS\system32\iopsht.exe -> Downloader.Qoologic.bj : Cleaned with backup

[1208] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Error during cleaning

C:\WINDOWS\CheckS02.exe -> Trojan.VB.tg : Cleaned with backup

C:\WINDOWS\country.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup

C:\WINDOWS\hosts -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup

C:\WINDOWS\keyboard8.exe -> Downloader.VB.aaa : Cleaned with backup

C:\WINDOWS\kl1.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup

C:\WINDOWS\mousepad8.exe -> Trojan.VB.ali : Cleaned with backup

C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ex : Cleaned with backup

C:\WINDOWS\secure32.html -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup

C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup

C:\WINDOWS\system32\iopsht.exe -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\system32\jsnbryn.exe -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\system32\olfwt.dat -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\system32\q.exe -> Dropper.Agent.hl : Cleaned with backup

C:\WINDOWS\system32\q3.exe -> Dropper.Agent.hl : Cleaned with backup

C:\WINDOWS\system32\q5.exe -> Dropper.Agent.hl : Cleaned with backup

C:\WINDOWS\system32\qndsregp.exe -> Adware.ZenoSearch : Cleaned with backup

C:\WINDOWS\system32\w0b6a022.dll -> Downloader.Agent.ahv : Cleaned with backup

C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\system32\z1.exe -> Dropper.Agent.hl : Cleaned with backup

C:\WINDOWS\system32\z3.exe -> Dropper.Agent.hl : Cleaned with backup

C:\WINDOWS\system32\__delete_on_reboot__ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\toolbar.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup

C:\WINDOWS\uniq -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup

C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup

C:\Documents and Settings\Administrator\Cookies\administ[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup

C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

 

 

::Report End

 

Ewido registry:

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 2:38:38 PM, 4/6/2006

+ Report-Checksum: BA702D86

 

+ Scan result:

 

HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup

 

 

::Report End

 

Ewido Full:

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 3:58:02 PM, 4/6/2006

+ Report-Checksum: B398158C

 

+ Scan result:

 

[868] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup

[1208] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup

[1036] C:\WINDOWS\system32\iopsht.exe -> Downloader.Qoologic.bj : Error during cleaning

C:\Documents and Settings\Administrator.SATHRE\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup

C:\Documents and Settings\Administrator.SATHRE\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned with backup

C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Centrport : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup

C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\274EB106-FD8C-4AC7-818B-5E7CC9 -> Adware.NewDotNet : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\3B10D8E8-256F-4C89-95C5-70E10C -> Adware.NewDotNet : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\66A472CD-E111-4A05-98D5-C86464 -> Adware.NewDotNet : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\79FDDB4E-4EFF-49FF-9E8A-3ED5A2 -> Adware.NewDotNet : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\A0AAB791-E86A-402C-846B-725E4A -> Adware.NewDotNet : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\DE9FF0D8-9FC5-40ED-BA30-461DA2\5A387052-66FE-482E-A0C7-DE70E1 -> Adware.WebHancer : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\DE9FF0D8-9FC5-40ED-BA30-461DA2\6F3945EA-3549-4AD9-9B0A-8EB138 -> Adware.WebHancer : Cleaned with backup

C:\WINDOWS\system32\__delete_on_reboot__iopsht.exe -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\system32\__delete_on_reboot__ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup

 

 

::Report End

 

BFU Log:

 

BFU v1.00.9

Windows XP SP2 (WinNT 5.01.2600 SP2)

Script started at 3:59:05 PM, on 4/6/2006

 

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable Command Service (service not found)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (service not found)

Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)

Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)

Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF982C.tmp (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFACD4.tmp (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.


A. Please run the following program:

  • Please download WinHelp2002's DelDomains by right-clicking on the following link and choosing "Save Target As", saving DelDomains.inf to your Desktop:

    http://www.mvps.org/winhelp2002/DelDomains.inf

     

  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.

  • Then please restart your computer, and post a new HijackThis log.

     

    Note: You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using these features before.

B. Please disable Ewido Security Suite (EwidoGuard)

 

1. Launch Ewido

2. In the main window, click "Realtime protection" (in green indicating "Active") to change to inactive.

 

 

 

C. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.

    • Click the SCAN button to produce a log.

     

  • Place a check mark beside each one of the following items:

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe

    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll

    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll

    O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022

    O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run

    O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run

    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe

    O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing)

     

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

     

  • Reboot Your System in Safe Mode

     

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

     

    C:\WINDOWS\system32\jsnbryn.exe

    C:\WINDOWS\system32\nsvF1.dll

    C:\WINDOWS\system32\irsmftjs.dll

    C:\WINDOWS\system32\w0b6a022.dll

    C:\WINDOWS\system32\iopsht.exe

    C:\WINDOWS\system32\irssyncd.exe

     

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

     

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

 

Trevuren
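As an added example (not code from this thread, from Trevuren, or from the HijackThis project), here is a small Python checker for the HJT log format that this thread revolves around. It parses the entry lines, reports anything chained after userinit.exe in the F2 UserInit value, unwraps rundll32 in O4 Run entries so the DLL actually loaded is shown rather than rundll32 itself, lists entries HJT marked "(file missing)", and checks whether the items from a fix list like the one above still appear in a later log. The two sample logs embedded in it are constructed from lines quoted in this thread; every function name is my own.

```python
"""Checker for HijackThis (HJT) log entries. Added example; not the thread's or HJT's code."""
import re
from typing import Dict, List

# One line per HJT entry: "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.+?)\s*$")
# O4 Run entries carry the registry value name in brackets, then the command line
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample: the entries the helper asked to have fixed in this thread
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll
O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022
O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run
O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing)
"""

# Constructed sample: an excerpt of the later, clean log posted in this thread
CLEAN_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one {'kind': 'O4', 'body': '...'} dict per HJT entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body")})
    return entries


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\X\\Y.EXE' -> 'y.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def userinit_extras(entries: List[Dict[str, str]]) -> List[str]:
    """Programs chained after userinit.exe in the F2 UserInit value.
    A clean XP box lists only userinit.exe there; anything else runs at every logon."""
    extras = []
    for e in entries:
        if e["kind"] == "F2" and "UserInit=" in e["body"]:
            value = e["body"].split("UserInit=", 1)[1]
            for part in value.split(","):
                part = part.strip()
                if part and _basename(part) != "userinit.exe":
                    extras.append(part)
    return extras


def run_targets(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each O4 Run value name to the program it launches.
    rundll32 is unwrapped so the DLL it loads, not rundll32 itself, is reported."""
    targets = {}
    for e in entries:
        if e["kind"] != "O4":
            continue
        m = O4_RE.search(e["body"])
        if not m:
            continue  # Startup-folder .lnk entries have no bracketed name
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            target = cmd[1:].split('"', 1)[0]  # quoted path, may contain spaces
        else:
            target = cmd.split(" ", 1)[0]
        if _basename(target) == "rundll32.exe":
            rest = cmd.split(None, 1)[1] if " " in cmd else ""
            target = rest.split(",", 1)[0].strip()  # "<dll>,<entrypoint> args"
        targets[m.group("name")] = target
    return targets


def missing_file_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries HJT marked '(file missing)': a hook whose file is gone.
    Not proof of malware, but an orphaned reference worth reviewing."""
    return [e for e in entries if "(file missing)" in e["body"]]


def still_present(fix_text: str, later_text: str) -> List[str]:
    """Which entries from a fix list survive, by exact body match, in a later log."""
    later = {e["body"] for e in parse_hjt(later_text)}
    return [e["body"] for e in parse_hjt(fix_text) if e["body"] in later]


def summarize(text: str) -> Dict[str, object]:
    """Bundle the checks for one log into a single dict."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "userinit_extras": userinit_extras(entries),
        "run_targets": run_targets(entries),
        "file_missing": [e["body"] for e in missing_file_entries(entries)],
    }


if __name__ == "__main__":
    before = summarize(FIX_LIST)
    print("chained after userinit.exe:", before["userinit_extras"])
    for name, target in before["run_targets"].items():
        print(f"O4 [{name}] launches {target}")
    print("still present in later log:", still_present(FIX_LIST, CLEAN_LOG))
```

Run it as-is to see the fix list triaged; to use it on a real log, read the file into a string and pass it to summarize() or still_present(). The exact-match comparison is deliberate: a value whose name or path changed between reboots is a different entry and should be reviewed again, not silently treated as cleaned.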


That seemed to go well. None of those files that I was supposed to delete were present when I went looking for them while in safe mode.

 

Thanks again for all the help.

 

Logfile of HijackThis v1.99.1

Scan saved at 7:27:27 AM, on 4/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Ixia\Endpoint\endpoint.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\Software\..\Telephony: DomainName = sathre.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by 93sc


Things are looking up!!! :clap:

 

As a precautionary measure, please run the following online scan and post the results along with a fresh HJT log. If everything is OK, we will be able to start our final cleanup procedures:

 

Please do an online scan with Kaspersky Online Virus Scanner

 

Next Click on Free Virus Scanner, then Kaspersky Online Scanner

 

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard

    • Scan Options:
    Scan Archives

    Scan Mail Bases

  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information into your next post.
Regards

 

Trevuren


Getting closer it seems.

 

-------------------------------------------------------------------------------

KASPERSKY ON-LINE SCANNER REPORT

Friday, April 07, 2006 15:10:04

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky On-line Scanner version: 5.0.67.0

Kaspersky Anti-Virus database last update: 7/04/2006

Kaspersky Anti-Virus database records: 175530

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

 

Scan Statistics:

Total number of scanned objects: 53283

Number of viruses found: 7

Number of infected objects: 22

Number of suspicious objects: 0

Duration of the scan process: 2774 sec

 

Infected Object Name - Virus Name

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01800000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03840000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07940000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980000.VBN Infected: Trojan-Clicker.Win32.Small.jf

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980001.VBN Infected: Trojan-Clicker.Win32.Small.jf

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980002.VBN Infected: Trojan.Win32.VB.tg

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980003.VBN Infected: Trojan.Win32.VB.tg

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08AC0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08AC0001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600000.VBN Infected: Trojan-Downloader.Win32.Small.cpu

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600002.VBN Infected: Trojan-Downloader.Win32.Small.cpu

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600003.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj

C:\w.exe Infected: Trojan-Downloader.Win32.Agent.aie

C:\WINDOWS\system32\drsmartload482a.exe Infected: Trojan-Downloader.Win32.Adload.af

C:\WINDOWS\system32\Win3.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf

C:\WINDOWS\system32\Win3.exe Infected: Trojan-Clicker.Win32.Small.jf

C:\WINDOWS\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k

C:\WINDOWS\YazzleBundle-1119.exe Infected: Trojan.Win32.Scapur.k

 

Scan process completed.


A. I have included, for your convenience, a link to a PDF on how to manage your corporate version. This should enable you to clear everything out. http://www.upenn.edu/computing/virus/docs/...61/navce76u.pdf

 

If this is not the correct version, just Google Norton Corporate Antivirus Quarantine.

 

 

B. Please download the Killbox by Option^Explicit.

 

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.

  • Please double-click Killbox.exe to run it.

  • Select
    • "Delete on Reboot"
    • Then click the "All Files" button.
  • Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C

     

    C:\w.exe

    C:\WINDOWS\system32\drsmartload482a.exe

    C:\WINDOWS\system32\Win3.exe

    C:\WINDOWS\YazzleBundle-1119.exe

     

     

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

 

B. Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser: Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser: Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

 

C. After all this is done, please tell me if everything appears to be OK so we can finish up.

 

Regards,

 

Trevuren


Please post one last HJT log for me to check and if everything is OK, we will commence our final but essential cleanup procedures.

 

 

Trevuren


Logfile of HijackThis v1.99.1

Scan saved at 4:41:40 PM, on 4/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Ixia\Endpoint\endpoint.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sathre-Bergquist, Inc.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\Software\..\Telephony: DomainName = sathre.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Congratulations, your log shows that your SYSTEM IS CLEAN

 

There are a few things you must do once you are completely clean:

 

1. Re-hide your System Files and Folders to prevent any future accidents.

 

Reconfigure Windows XP to hide hidden files:

  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.

  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Please run ATF Cleaner again

 

3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

 

TO DISABLE SYSTEM RESTORE

  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
Reboot your System

 

TO ENABLE SYSTEM RESTORE

  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

 

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

 

I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice

So how did I get infected in the first place? (My Favorite)

 

Regards,

 

Trevuren
