#1
Registered User
Join Date: Jul 2005
Posts: 5
OS: XP
Hijackthis log - Nasty CWS about:blank hijacker, and more!
I've got a very persistent about:blank hijacker that I can't quite completely remove. Ad-aware identifies it as CoolWebSearch variant and strips away some (but not all) of its files, resulting in IE starting to about:blank but with a blank white page.
I suspect I've got one or two other unrelated spy/malware baddies on-board too. My system is only about a year old, with speedy (you'd think) options like a Pentium4 2.6GHz/800, 1 GB of dual-channel DDR400, and a SATA RAID stack as primary system disk, but Windows performance is often sluggish; it sometimes takes a few seconds to do basic OS stuff like displaying 'All Programs' from the Start menu, viewing folder contents with Windows Explorer, etc etc etc.

Suspect activity I've observed:

Popup #1
I often get a popup titled 'Windows Security Center' with text as follows:
WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords. Do you want to learn how to protect your computer?
'Yes' goes to http://www.msnhelper.net/search.php?pin=28129

Popup #2
I also sometimes get another popup titled d3cg32.exe (this changes sometimes, I think) with text:
The application or DLL c:\WINDOWS\crrn.dll is not a valid Windows image. Please check this against your installation diskette.
The DLL is different every time. Other DLLs it's named are: avahe32.exe -or- atlgt.dll -or- winvr32.dll -or- msqo.dll -or- msje32.dll -or- mszz32.dll etc etc etc...

Lastly, just yesterday when my machine was being even more sluggish than usual, I fired up Task Manager and caught one ntgx.exe sucking up about 50% CPU. My daily routine Norton 2005 virus scan later identified this as malware. Delete failed, but I was able to later delete the file from Safe Mode.

Anyways, that's it for my personal observations. Thanks in advance for any and all help offered - I'm a reasonably proficient computer geek but I can't do a thing about these problems and it's making me mental! I'm sure you understand. ;)

On to my HijackThis log...
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:21:59 AM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\addke.exe
C:\WINDOWS\system32\javacy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uupse.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uupse.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - C:\WINDOWS\mfczv32.dll
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nttd32.exe] C:\WINDOWS\system32\nttd32.exe
O4 - HKLM\..\Run: [ntgx.exe] C:\WINDOWS\system32\ntgx.exe
O4 - HKLM\..\Run: [javacy.exe] C:\WINDOWS\system32\javacy.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05c24f3c...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100597589093
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addke.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================
#2
TSF Enthusiast
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
__________________
I am here in order to help you.

#3
TSF Enthusiast
Hello and welcome to TSF
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

Download AboutBuster and unzip it to a folder on your Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Download CWSserviceRemove and unzip it to your desktop. It'll create a file called cwsserviceremove.reg. Do NOT run this yet.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Go to Start->Run and type in services.msc and hit OK. Then look for the following service:
Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I)
Double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (if they still exist) (you must kill them one at a time):
C:\WINDOWS\addke.exe
C:\WINDOWS\system32\javacy.exe

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uupse.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uupse.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - C:\WINDOWS\mfczv32.dll
O4 - HKLM\..\Run: [nttd32.exe] C:\WINDOWS\system32\nttd32.exe
O4 - HKLM\..\Run: [ntgx.exe] C:\WINDOWS\system32\ntgx.exe
O4 - HKLM\..\Run: [javacy.exe] C:\WINDOWS\system32\javacy.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\addke.exe

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file.

Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following files (indicated in RED) if they still exist:
C:\WINDOWS\addke.exe
C:\WINDOWS\system32\javacy.exe
C:\WINDOWS\mfczv32.dll
C:\WINDOWS\uupse.dll
C:\WINDOWS\system32\nttd32.exe
C:\WINDOWS\system32\ntgx.exe

Double-click on the cwsserviceremove.reg file you unzipped to your desktop earlier. When it prompts to merge, click Yes. This will clear some registry entries left behind by the malware infections.

Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Please scan again with HijackThis to get a new log. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, together with Panda ActiveScan’s log and AboutBuster’s log, so we can make sure your system is clean.
__________________
I am here in order to help you.
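The entries the helper singles out above all share a handful of traits (IE search pages redirected into a res:// page inside a DLL, a nameless BHO sitting directly in C:\WINDOWS, Run values named after a bare executable, Trusted Zone additions, an unknown-owner service with a garbled name). The script below encodes those traits as a triage pass over HijackThis v1.99 log lines; it is an added example for this thread, not HijackThis code and not the helper's tool, and the sample lines it runs on are copied from the logs posted here.

```python
r"""Heuristic triage of HijackThis v1.99 log lines.

Added example for this thread (not HijackThis code, not the helper's tool).
Each rule mirrors a reason the helper had for ticking an entry in post #3.
The sample lines in SAMPLE_LOG are copied from the logs posted in the thread.
"""
import re
from dataclasses import dataclass

# An IE search/start page pointing at a res:// page carried by a DLL in C:\WINDOWS
RES_DLL = re.compile(r"=\s*res://[A-Za-z]:\\WINDOWS\\[^\\/]+\.dll/", re.I)
# A file that lives directly in the Windows directory (no subfolder)
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.I)
BHO = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)")
RUN = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")
EXE = re.compile(r'"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)', re.I)
SERVICE = re.compile(r"Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)")
FILE_REF = re.compile(r'[A-Za-z]:\\[^\s"/]+\.(?:exe|dll)', re.I)

# Constructed sample: lines taken from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - C:\WINDOWS\mfczv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ntgx.exe] C:\WINDOWS\system32\ntgx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addke.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # R1, O2, O4, ...
    line: str     # the original log line
    reason: str   # why the rule fired


def triage_line(line: str):
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    line = line.strip()
    if " - " not in line:
        return None
    section, rest = line.split(" - ", 1)

    if section in ("R0", "R1"):
        if RES_DLL.search(rest):
            return Finding(section, line, "IE page redirected into a res:// page inside a DLL in C:\\WINDOWS")
        if rest.endswith("= about:blank"):
            return Finding(section, line, "IE page set to about:blank")
    if section == "R3" and "URLSearchHook is missing" in rest:
        return Finding(section, line, "default URLSearchHook removed")
    if section == "O2":
        m = BHO.match(rest)
        if m and m.group("name") in ("Class", "(no name)") and WINDOWS_ROOT.match(m.group("path")):
            return Finding(section, line, "nameless BHO loaded from a DLL directly in C:\\WINDOWS")
    if section == "O4":
        m = RUN.match(rest)
        e = EXE.search(m.group("cmd")) if m else None
        if e:
            exe = e.group("exe")
            # Legitimate Run values carry a descriptive name; CWS droppers reuse the file name.
            if "\\WINDOWS\\" in exe.upper() and m.group("name").lower() == exe.rsplit("\\", 1)[-1].lower():
                return Finding(section, line, "Run value named after a bare executable under C:\\WINDOWS")
    if section == "O15" and rest.startswith("Trusted Zone:"):
        return Finding(section, line, "domain added to the IE Trusted Zone")
    if section == "O23":
        m = SERVICE.match(rest)
        if m and m.group("owner") == "Unknown owner":
            garbled = any(ord(c) > 126 for c in m.group("display"))
            if garbled or WINDOWS_ROOT.match(m.group("path")):
                return Finding(section, line, "unknown-owner service with garbled name or binary in C:\\WINDOWS")
    return None


def triage(log_text: str):
    """Run triage_line over every line of a log; findings come back in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def flagged_files(findings):
    """Collect the on-disk .exe/.dll files the findings point at (a delete list to review)."""
    paths = {m.group(0) for f in findings for m in FILE_REF.finditer(f.line)}
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.section}: {h.reason}\n    {h.line}")
    print("files to review:", *flagged_files(hits), sep="\n    ")
```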
#4
Registered User
Join Date: Jul 2005
Posts: 5
OS: XP
Round 2
Thanks for your speedy assistance Omerr! I've taken all the steps you detailed and the about:blank hijacker is definitely gone since I can open IE to my homepage of choice. The Panda scan detected a whole whack of stuff, though a lot of this looks like adware-added IE favourites that have just piled up (I don't use IE any more - Firefox all the way!) over time without me culling them.
Here are the new logs from Hijackthis, Aboutbuster, and Activescan:

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 3:18:03 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\eMule\emule.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05c24f3c...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100597589093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

AboutBuster

AboutBuster 5.0 reference file 30
Scan started on [7/10/2005] at [12:49:01 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\adduc.dll:akgezb
Removed Stream! C:\WINDOWS\adduc.dll:mhmkk
Removed Stream! C:\WINDOWS\appwi32.dll:jywfl
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:brokf
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:tltwie
Removed Stream! C:\WINDOWS\CTDV10K1.CDF:qoogj
Removed Stream! C:\WINDOWS\CTDVAUDY.CDF:chcsfr
Removed Stream! C:\WINDOWS\d3lb32.dll:ujgzy
Removed Stream! C:\WINDOWS\desktop.ini:dufsm
Removed Stream! C:\WINDOWS\Direct Connect Setup Log.txt:xkjju
Removed Stream! C:\WINDOWS\DirectX.log:talwla
Removed Stream! C:\WINDOWS\DirectX.log:wnpfp
Removed Stream! C:\WINDOWS\Greenstone.bmp:kbyqbt
Removed Stream! C:\WINDOWS\Greenstone.bmp:thrzg
Removed Stream! C:\WINDOWS\ielm.dll:cbrevv
Removed Stream! C:\WINDOWS\ieuninst.exe:cozcr
Removed Stream! C:\WINDOWS\IFinst27.exe:zhmyh
Removed Stream! C:\WINDOWS\iis6.log:krwob
Removed Stream! C:\WINDOWS\iis6.log:likea
Removed Stream! C:\WINDOWS\KB824141.log:okfcy
Removed Stream! C:\WINDOWS\KB826939.log:oqqif
Removed Stream! C:\WINDOWS\KB828028.log:hlqhs
Removed Stream! C:\WINDOWS\KB828028.log:iyptt
Removed Stream! C:\WINDOWS\krbob.log:htpim
Removed Stream! C:\WINDOWS\MedCtrOC.log:ayhzo
Removed Stream! C:\WINDOWS\msdfmap.ini:pfcmp
Removed Stream! C:\WINDOWS\msdfmap.ini:snbsp
Removed Stream! C:\WINDOWS\NeroDigital.ini:igurj
Removed Stream! C:\WINDOWS\NeroDigital.ini:kfmfr
Removed Stream! C:\WINDOWS\NOTEPAD.EXE:sgned
Removed Stream! C:\WINDOWS\ntdtcsetup.log:vgell
Removed Stream! C:\WINDOWS\n_ihobte.txt:kuhuyg
Removed Stream! C:\WINDOWS\ocgen.log:lhykf
Removed Stream! C:\WINDOWS\ocmsn.log:xfxnx
Removed Stream! C:\WINDOWS\ODBC.INI:nhxqf
Removed Stream! C:\WINDOWS\OEWABLog.txt:qgqbr
Removed Stream! C:\WINDOWS\Osaka Screen Saver.scr:fhhvh
Removed Stream! C:\WINDOWS\osjiy.txt:khalsu
Removed Stream! C:\WINDOWS\PCDLIB32.DLL:ahagt
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:orresd
Removed Stream! C:\WINDOWS\REGLOCS.OLD:ynwirc
Removed Stream! C:\WINDOWS\regopt.log:omupzq
Removed Stream! C:\WINDOWS\Rhododendron.bmp:eibbv
Removed Stream! C:\WINDOWS\rjeac.dat:ztuppy
Removed Stream! C:\WINDOWS\SBWIN.INI:hxhmf
Removed Stream! C:\WINDOWS\SBWIN.INI:jgaanp
Removed Stream! C:\WINDOWS\SBWIN.INI:wjugp
Removed Stream! C:\WINDOWS\Setup1.exe:vvjwd
Removed Stream! C:\WINDOWS\setupact.log:fpucvl
Removed Stream! C:\WINDOWS\setuperr.log:qnmbaw
Removed Stream! C:\WINDOWS\ST6UNST.EXE:gpupz
Removed Stream! C:\WINDOWS\svcpack.log:agfgug
Removed Stream! C:\WINDOWS\tjgav.dat:sgxtwj
Removed Stream! C:\WINDOWS\tqijh.log:lkbkca
Removed Stream! C:\WINDOWS\twain_32.dll:tjitf
Removed Stream! C:\WINDOWS\twunk_16.exe:hvkhx
Removed Stream! C:\WINDOWS\UltimateBuddy.INI:ekmpwk
Removed Stream! C:\WINDOWS\UltimateBuddy.INI:lhiyqt
Removed Stream! C:\WINDOWS\unhfxpackatifx.log:ljtgz
Removed Stream! C:\WINDOWS\vb.ini:ttskhd
Removed Stream! C:\WINDOWS\WMPrfCHS.prx:eyedd
Removed Stream! C:\WINDOWS\wmprfheb.prx:xgpgn
Removed Stream! C:\WINDOWS\wmprfita.prx:nfcwoo
Removed Stream! C:\WINDOWS\wmprfplk.prx:ibvbwv
Removed Stream! C:\WINDOWS\wmprfptb.prx:sbdmq
Removed Stream! C:\WINDOWS\wmprfptb.prx:sbdmq
Removed Stream! C:\WINDOWS\wmprfptg.prx:zxpkt
Removed Stream! C:\WINDOWS\wmprfslv.prx:wvaja
Removed Stream! C:\WINDOWS\WMSysPr9.prx:hwtod
Removed Stream! C:\WINDOWS\WMSysPr9.prx:kyadp
Removed Stream! C:\WINDOWS\WMSysPr9.prx:mbwph
Removed Stream! C:\WINDOWS\WMSysPr9.prx:mbwph
Removed Stream! C:\WINDOWS\zmiyu.dat:sqwzz
Removed Stream! C:\WINDOWS\_default.pif:qjpqa
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:agrmsd
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:bdfqpv
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:ceiitr
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:dbfssm
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:fglbqe
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:fjvyfw
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:gxlzbx
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:hlzehb
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:hnggqb
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:hxuteh
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:lamnqc
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:ljdgjd
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:milskt
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:ocpxmp
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:olhrfq
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:oxtmgv
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:picmlp
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:pmnbwq
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:rzpkxs
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:sztzvr
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:ufswot
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:uisfqj
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:xgdgko
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:xmvotg
Removed Stream! C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000002-80671102}.BAK:zywfdi
------------------------------------------------
Removed File! : C:\Windows\pisxh.dat
Removed File! : C:\Windows\rjeac.dat
Removed File! : C:\Windows\tjgav.dat
Removed File! : C:\Windows\uupse.dll
Removed File! : C:\Windows\System32\bjwnb.dat
Removed File! : C:\Windows\System32\javacy.exe
Removed File! : C:\Windows\System32\wqfaj.dat
Removed File! : C:\Windows\System32\yjlvi.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:49:43 PM

AboutBuster 5.0 reference file 30
Scan started on [7/10/2005] at [1:15:38 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:16:10 PM

Panda Activescan

Incident | Status | Location
Adware:Adware/eZula | No disinfected | C:\Program Files\eZula
Adware:Adware/SaveNow | No disinfected | Windows Registry
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Only sex website.url
Adware:Adware/ExactSearch | No disinfected | Windows Registry
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Ab scissor.url
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Sonia Kitty\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e437c28-47e2bc35.zip[Dummy.class]
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Sonia Kitty\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-45b047-3fa1eea8.zip[Dummy.class]
Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Sonia Kitty\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4f7ed983-6ef4da18.zip[Dummy.class]
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Only sex website.url
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Search the web.url
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Seven days of free porn.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Sonia Kitty\Favorites\Sites about\What is hydrocodone.url
Virus:Exploit/iFrame | Disinfected | Personal Folders\Deleted Items\*TELUS
Detected Spam* Mail Delivery (failure blivesey@telus.net)\MSG_RTF.TXT Adware:Adware/SearchAid No disinfected C:\Program Files\HijackThis\backups\backup-20050710-125234-650.dll Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc5.cab[WinadX.dll] Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc5.cab[WinadX.inf] Adware:Adware/Howprotect No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc6.exe Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc7.exe Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\addxf.exe Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf Virus:Trj/Downloader.DKJ Disinfected C:\WINDOWS\n_tgxehq.txt Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crpz32.dll |
#5
TSF Enthusiast
Hello again, you are very welcome.

I would like to congratulate you, you have done a great job cleaning up here.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Please empty your Recycle Bin.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
eZula

Delete the following folders indicated in BLUE if they still exist:
C:\Program Files\eZula
C:\Documents and Settings\Sonia Kitty\Favorites\Sites about

Delete the following files indicated in RED if they still exist:
C:\Documents and Settings\Sonia Kitty\Favorites\Only sex website.url
C:\Documents and Settings\Sonia Kitty\Favorites\Search the web.url
C:\Documents and Settings\Sonia Kitty\Favorites\Seven days of free porn.url
C:\WINDOWS\addxf.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\system32\crpz32.dll

Reboot your system in Normal Mode.

Click on Start -> Settings -> Control Panel -> Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Respond with a new Panda ActiveScan log, along with a new KRC HijackThis log.
__________________
I am here in order to help you.
#6
Registered User
Join Date: Jul 2005
Posts: 5
OS: XP
Round 3
Ok, I've cleaned up the unwanted IE Favourites and other lingering files, emptied the trash and the Java cache. I did forget to empty the trash again between clearing Java cache and running Panda activescan. Oops! Hopefully not major.
In the folder C:\WINDOWS\Downloaded Program Files I deleted a PopCapLoader Program File from the list, but I can't see the popcaploader.dll in the folder, even though Panda Activescan says it's still there. The folder seems to have some sort of special viewing mode...

Here are the results of fresh Activescan and HijackThis scans:

HijackThis - KRC
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:59:19 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05c24f3ce4bf28632d02/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co.../en/x86/client/wuweb_site.cab?1100597589093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================

Panda Activescan
Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Program Files\HijackThis\backups\backup-20050710-125234-650.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-1003\Dc2.exe
Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc5.cab[WinadX.dll]
Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc5.cab[WinadX.inf]
Adware:Adware/Howprotect No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc6.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc7.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crpz32.dll
#7
TSF Enthusiast
Hello again. Are you sure you're still viewing hidden files?

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Now, do NOT go into Safe Mode this time. Start HijackThis and go to Config > Misc Tools > Delete a file on reboot...

C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\system32\crpz32.dll

Please restart your computer. Now, give us a new Panda ActiveScan log. Hopefully, you will be clean now.
#8
Registered User
Join Date: Jul 2005
Posts: 5
OS: XP
Round 4
Ok! Looking a lot cleaner now, though a couple of small blips from Activescan; not sure if these are a problem or not.
Here are the new scans:

HijackThis - KRC
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:27:42 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\eMule\emule.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05c24f3c...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100597589093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================

Panda Activescan
Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Program Files\HijackThis\backups\backup-20050710-125234-650.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_azcqwv.txt
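The Round 3 and Round 4 posts above each carry the two artefacts the helper triages by eye: a KRC HijackThis log and a Panda ActiveScan listing. As an added example that is not part of the original thread and is not code from HijackThis, KRC or Panda, here is a small Python parser for both formats that applies the first-pass checks this thread turns on: HijackThis entries ending in "(file missing)" (an orphaned registration whose target is gone) or O23 services with "Unknown owner", and Panda "No disinfected" hits that are merely copies in the Recycle Bin or in HijackThis's own backups folder (handled by emptying the bin, as the helper asks) versus files still live on disk. The sample log lines embedded below are constructed from entries quoted in this thread; the function names, the dataclasses and the four classification buckets are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input, assembled from entries quoted in this thread.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:27:42 PM, on 7/11/2005
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

SAMPLE_PANDA = r"""
Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Program Files\HijackThis\backups\backup-20050710-125234-650.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc7.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_azcqwv.txt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Sonia Kitty\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e437c28-47e2bc35.zip[Dummy.class]
"""


@dataclass
class HjtEntry:
    section: str        # HijackThis section code, e.g. "O4" or "O23"
    body: str           # everything after "O4 - "
    file_missing: bool  # HijackThis could not find the referenced file


@dataclass
class PandaHit:
    incident: str       # e.g. "Adware:Adware/SearchAid"
    status: str         # "No disinfected" or "Disinfected"
    location: str       # file path, "Windows Registry", or an archive member


# HijackThis lines look like "<section> - <body>"; sections are R0-R3, F0-F3, N1-N4, O1-O24.
_HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Panda ActiveScan lines: "<incident> <status> <location>"; only the status has a fixed vocabulary.
_PANDA_LINE = re.compile(r"^(\S+)\s+(No disinfected|Disinfected)\s+(.+)$")


def parse_hjt(text):
    """Return the HijackThis entries found in a pasted log (header and process list are skipped)."""
    entries = []
    for line in text.splitlines():
        m = _HJT_LINE.match(line.strip())
        if m:
            body = m.group(2)
            entries.append(HjtEntry(m.group(1), body, body.endswith("(file missing)")))
    return entries


def parse_panda(text):
    """Return the incidents found in a pasted Panda ActiveScan listing."""
    hits = []
    for line in text.splitlines():
        m = _PANDA_LINE.match(line.strip())
        if m:
            hits.append(PandaHit(*m.groups()))
    return hits


# Paths that are copies already set aside rather than live infections: the Recycle Bin
# (cleared by emptying it) and the folder HijackThis writes its own backups to.
_QUARANTINE_MARKERS = ("\\recycler\\", "\\hijackthis\\backups\\")


def classify_panda(hit):
    """Bucket one Panda hit: disinfected, registry, quarantine_copy or live_file."""
    if hit.status == "Disinfected":
        return "disinfected"
    loc = hit.location.lower()
    if loc == "windows registry":
        return "registry"
    if any(marker in loc for marker in _QUARANTINE_MARKERS):
        return "quarantine_copy"
    return "live_file"


def triage_panda(hits):
    """Group Panda locations by bucket so the live files stand out from the leftovers."""
    buckets = {"disinfected": [], "registry": [], "quarantine_copy": [], "live_file": []}
    for hit in hits:
        buckets[classify_panda(hit)].append(hit.location)
    return buckets


def review_hjt(entries):
    """Return (section, reason, body) for the entries a helper would look at first."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.section, "file missing: orphaned entry, safe to remove", e.body))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append((e.section, "service with no publisher string: verify it", e.body))
    return findings


if __name__ == "__main__":
    for section, reason, body in review_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"[{section}] {reason}\n    {body}")
    for bucket, paths in triage_panda(parse_panda(SAMPLE_PANDA)).items():
        print(f"{bucket}: {len(paths)}")
        for path in paths:
            print(f"    {path}")
```

On the sample, the two findings are the Spyware Doctor button and the x10nets service, both flagged because the file is gone, and the only live_file is C:\WINDOWS\n_azcqwv.txt, which is exactly the one path the helper asks to delete in the next post. The "Unknown owner" rule only fires when a service binary is present, since a missing binary already makes the entry an orphan.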
#9
TSF Enthusiast
Hello again!

Please delete the following file indicated in RED if it still exists:
C:\WINDOWS\n_azcqwv.txt

Your log seems clean, congratulations! Are there any further problems now? If not, you should be set to go. If there ARE any problems, skip the next instructions and let me know about your problems so we can solve them.

Turn off System Restore by clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your system.

To turn on System Restore, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.