Tech Support Forum - View Single Post

**amason** · 07-12-2005, 12:22 PM

Omerr--

Many thanks for your assistance.

I've followed your instructions--below are logs from Panda Active Scan and HJT.

Andy Mason

****************************************
Active Scan

Incident Status Location

Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar
Virus:Exploit/iFrame Disinfected C:\Eudora\Trash.mbx[~002015.@x@]
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc11.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc12.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc13.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc14.exe
Virus:Trj/Crypt.E Disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc15.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_pgxkiy.dat
Adware:Adware/WinTools No disinfected C:\WINDOWS\seeve.exe
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini
Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe
Virus:Bck/Lithium.101 Disinfected D:\WINDOWS2\SYSTEM\srv_capture.dll

*********************************************

Logfile of HijackThis v1.99.1
Scan saved at 2:16:23 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
D:\Spyware & Adware\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Navnt\navapw32.exe
D:\Spyware & Adware\SpywareGuard\sgmain.exe
D:\Spyware & Adware\SpywareGuard\sgbhp.exe
D:\Spyware & Adware\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Spyware & Adware\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: SpywareGuard.lnk = D:\Spyware & Adware\SpywareGuard\sgmain.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
O23 - Service: ewido security suite control - ewido networks - D:\Spyware & Adware\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Spyware & Adware\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

*******************************************

07-12-2005, 12:22 PM	#4 (permalink)
amason I helped the forums. Join Date: Jul 2004 Posts: 30 OS: Windows XP	Omerr-- Many thanks for your assistance. I've followed your instructions--below are logs from Panda Active Scan and HJT. Andy Mason ************************************** Active Scan Incident Status Location Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe Adware:Adware/WinTools No disinfected C:\WINDOWS\seeve.exe Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar Virus:Exploit/iFrame Disinfected C:\Eudora\Trash.mbx[~002015.@x@] Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc11.exe Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc12.exe Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc13.exe Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc14.exe Virus:Trj/Crypt.E Disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc15.exe Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_pgxkiy.dat Adware:Adware/WinTools No disinfected C:\WINDOWS\seeve.exe Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe Virus:Bck/Lithium.101 Disinfected D:\WINDOWS2\SYSTEM\srv_capture.dll ***************************************** Logfile of HijackThis v1.99.1 Scan saved at 2:16:23 PM, on 7/12/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\cisvc.exe D:\Spyware & Adware\security suite\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\WINDOWS\System32\hkcmd.exe C:\PROGRA~1\Navnt\navapsvc.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\Navnt\npssvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\CallWave\IAM.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Navnt\navapw32.exe D:\Spyware & Adware\SpywareGuard\sgmain.exe D:\Spyware & Adware\SpywareGuard\sgbhp.exe D:\Spyware & Adware\security suite\ewidoguard.exe C:\PROGRA~1\Navnt\alertsvc.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE D:\Spyware & Adware\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/ F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - Startup: SpywareGuard.lnk = D:\Spyware & Adware\SpywareGuard\sgmain.exe O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11 O17 - HKLM\System\CS3\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11 O23 - Service: ewido security suite control - ewido networks - D:\Spyware & Adware\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - D:\Spyware & Adware\security suite\ewidoguard.exe O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe *****************************************