Hi Paul
Please print or copy this page to Notepad in order to assist you while carrying out the following instructions.
Please disable Ewido Security Suite's Guard by doing the following:
- Open ewido by double-clicking the yellow 'e' icon in the system tray.
- In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
- When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to "inactive" for the duration of your cleanup.
Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
Please remember to close all other windows, including browsers, then click Fix checked.
Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).
Click Start > Run and type regsvr32 /u occache.dll and press enter.
Delete the following files indicated in RED if they still exist.
C:\Documents and Settings\Paul\Favorites\~ VIP Free Porn ~.url
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\WINDOWS\alchem.ini
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
If any of the following files are present then please delete those also:
C:\WINDOWS\system32\Programs\2 Find MP3 8.2.0.exe
C:\WINDOWS\system32\Programs\Fifa 2006 crack.exe
C:\WINDOWS\system32\Programs\Hotmail account hacker in 30 minutes.exe
C:\WINDOWS\system32\Programs\Hotmail hacker.exe
C:\WINDOWS\system32\Programs\Hotmailhacker v1.0.exe
C:\WINDOWS\system32\Programs\Microsoft Office 2000 Regmaker.exe
C:\WINDOWS\system32\Programs\Microsoft Office 2003 Professional Universal Crack without serial.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Activation Crack.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Activation Killer.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Professional Crack.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Professional Serial.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Universal Activator v1.0.exe
C:\WINDOWS\system32\Programs\Midnight Club 3 - DUB Edition Rockstar Games crack.exe
C:\WINDOWS\system32\Programs\Norton AntiVirus 2005 crack.exe
C:\WINDOWS\system32\Programs\Norton AntiVirus 2006 crack.exe
C:\WINDOWS\system32\Programs\Norton antivirus crack.exe
C:\WINDOWS\system32\Programs\Yahoo_mail_cracker.exe
C:\WINDOWS\system32\Programs\Yoshinoya Success crack.exe
C:\WINDOWS\system32\Programs\ZoneAlarm crack (keygen).exe
C:\WINDOWS\system32\Programs\hotmail_account_sniffer.exe
C:\WINDOWS\system32\Programs\norton anti virus FULL NEWEST VERSION.exe
C:\WINDOWS\system32\Programs\porn.exe
C:\WINDOWS\system32\Programs\porn_account_cracker.exe
C:\WINDOWS\system32\Programs\porn_account_hacker.exe
C:\WINDOWS\system32\Programs\pornmovie (hardcore sex adult asian).exe
C:\WINDOWS\system32\Programs\yahoo_cracker.exe
C:\WINDOWS\system32\Programs\yahoo_hacker.exe
C:\WINDOWS\system32\wkssvc.exe
Empty the contents of the following folder (DO NOT delete the folder):
C:\Documents and Settings\Paul\Cookies
Click Start > Run and type regsvr32 occache.dll and press enter.
Boot to Normal Mode.
Perform an online scan with Internet Explorer with Kaspersky WebScanner.
Next click on Launch Kaspersky Anti-Virus Web Scanner.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Required Logs
Kaspersky results
new HijackThis log
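
The post asks for every listed entry to be fixed and for a new HijackThis log afterwards. The following is an added example, not part of the original post, that parses entries in the format shown above and reports which fixed entries reappear in a later log. The function names are hypothetical and the follow-up log is a constructed sample.

```python
import re

# Section codes used in the post above and what each covers.
SECTIONS = {
    "R1": "Internet Explorer search/start page registry value",
    "R3": "URLSearchHook",
    "O4": "autostart entry",
    "O15": "Trusted Zone site",
    "O16": "ActiveX object in Downloaded Program Files (DPF)",
}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")

def parse_entry(line):
    """Split one HijackThis line into section code and the fields it carries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list line, or blank
    code, body = m.groups()
    entry = {"code": code, "section": SECTIONS.get(code, "unknown"), "body": body}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    run = RUN_RE.match(body) if code == "O4" else None
    if run:
        entry.update(run.groupdict())
    if code == "R1" and " = " in body:
        entry["value"], entry["data"] = body.split(" = ", 1)
    return entry

def still_present(fix_list, new_log):
    """Entries from the fix list that show up again in a later log."""
    seen = {l.strip() for l in new_log.splitlines()}
    return [parse_entry(l) for l in fix_list if l.strip() in seen]

# Three entries copied from the post.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe",
]
# Constructed follow-up log: the Run entry has come back after the fix.
NEW_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
"""

if __name__ == "__main__":
    for e in still_present(FIX_LIST, NEW_LOG):
        print("still present:", e["code"], e.get("name"), e.get("command"))
```

An autostart entry that returns after being fixed usually means the file it points to is still on disk or still running, which is why the post pairs the registry fix with file deletion in Safe Mode.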