2nd system with problems

[str8nitro]

this is the 2nd system that I am having problems with but not as bad.
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 1:49:47 PM, on 7/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Setup\tmp\install\setup\winmgnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\khooker.exe
C:\WINNT\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\TAM\Server\TAMActivityPost.exe
C:\WINNT\System32\svchost.exe
C:\strorage\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [hidden31] c:\winnt\system32\drivers\etc\hidden31.exe c:\winnt\system32\drivers\etc\svhost.bat
O4 - HKLM\..\Run: [hidden] c:\winnt\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Shortcut to TAMActivityPost.exe.lnk = C:\Program Files\TAM\Server\TAMActivityPost.exe
O4 - Startup: EDLoader.lnk = C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
O4 - Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to TAMActivityPost.exe.lnk = C:\Program Files\TAM\Server\TAMActivityPost.exe
O4 - Global Startup: EDLoader.lnk = C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...ix/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\Setup\tmp\install\setup\winmgnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[MicroBell]

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove Open Site if listed. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [hidden31] c:\winnt\system32\drivers\etc\hidden31.exe c:\winnt\system32\drivers\etc\svhost.bat
O4 - HKLM\..\Run: [hidden] c:\winnt\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directorys..ect enabled if it applys to your OS)

c:\winnt\system32\drivers\etc\rundll32.exe
c:\winnt\system32\drivers\etc\hidden31.exe c:\winnt\system32\drivers\etc\svhost.bat
c:\winnt\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
C:\Program Files\Open Site\opnste.exe


Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not

[str8nitro]

Logfile of HijackThis v1.99.1
Scan saved at 12:50:35 PM, on 7/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Setup\tmp\install\setup\winmgnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\khooker.exe
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\TAM\Server\TAMActivityPost.exe
C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\strorage\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Shortcut to TAMActivityPost.exe.lnk = C:\Program Files\TAM\Server\TAMActivityPost.exe
O4 - Startup: EDLoader.lnk = C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
O4 - Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to TAMActivityPost.exe.lnk = C:\Program Files\TAM\Server\TAMActivityPost.exe
O4 - Global Startup: EDLoader.lnk = C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...ix/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\Setup\tmp\install\setup\winmgnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[MicroBell]

Run hijackthis and fix this entry...

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...mix/install.cab

Other then that...the log is clean. Any more issues? IF not...you should be set. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommend programs and methods to protect yourself!

Please reply one last time with the word RESOLVED so I know you got this message and I can move the thread to resolved

[str8nitro]

Forgot to post the pandasoftware active log:


Incident Status Location

Adware:Adware/nCase No disinfected C:\WINNT\system32\FLEOK
Adware:Adware/FavoriteMan No disinfected C:\WINNT\downloaded program files\ATPartners.inf
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Reg1\Application Data\Lycos
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\fiz1
Adware:Adware/Browvil No disinfected C:\WINNT\system32\bUS.dll
Spyware:Spyware/RXToolbar No disinfected C:\WINNT\system32\RxBarSetup.dll
Virus:W32/Gaobot.gen.worm Disinfected C:\WINNT\system32\spool\drivers\scrnsund.pif
Virus:Trj/Dropper.GX Disinfected C:\WINNT\system32\msbb321.dll
Virus:Trj/Multidropper.AFB Disinfected C:\WINNT\system32\bUS.dll
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\xmltok.dll
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\fiz1
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\kyf.dat
Spyware:Spyware/RXToolbar No disinfected C:\WINNT\system32\RxBarSetup.dll
Adware:Adware/Megasearch No disinfected C:\WINNT\system32\MegasearchBarSetup.dll
Adware:Adware/SAHAgent No disinfected C:\WINNT\inf\biU.inf
Spyware:Spyware/BetterInet No disinfected C:\WINNT\inf\biini.inf
Adware:Adware/Transponder No disinfected C:\WINNT\inf\polmx2.inf
Adware:Adware/NetPals No disinfected C:\WINNT\Downloaded Program Files\ATPartners.inf
Virus:Bck/Iroffer Disinfected C:\recycler\temp\aux\fxpop\iroffer.exe
Virus:Bck/IRCBot.IP No disinfected C:\naxuhu.exe[police.exe]
Virus:Trj/Ranky.GO No disinfected C:\naxuhu.exe[yellow.exe]
Virus:Bck/SDbot.EFN Disinfected C:\aintbad.exe

[MicroBell]

Well...you were clean .....

Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.


Download, install, and update Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Now delete these folders...

C:\WINNT\system32\FLEOK
C:\Documents and Settings\Reg1\Application Data\Lycos
C:\WINNT\system32\fiz1


Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


C:\WINNT\downloaded program files\ATPartners.inf
C:\WINNT\system32\bUS.dll
C:\WINNT\system32\RxBarSetup.dll
C:\WINNT\system32\spool\drivers\scrnsund.pif
C:\WINNT\system32\msbb321.dll
C:\WINNT\system32\xmlparse.dll
C:\WINNT\system32\xmltok.dll
C:\WINNT\system32\kyf.dat
C:\WINNT\system32\RxBarSetup.dll
C:\WINNT\system32\MegasearchBarSetup.dll
C:\WINNT\inf\biU.inf
C:\WINNT\inf\biini.inf
C:\WINNT\inf\polmx2.inf
C:\WINNT\Downloaded Program Files\ATPartners.inf
C:\naxuhu.exe
C:\aintbad.exe

Once you reboot...boot back to safe mode.

Run Ewido:

• Click [Scanner]
• Click [Complete System Scan] to begin scanning.
• Click [OK] when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
• Once finished, click the [Save report] button
• Save the report to your desktop

Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

ONce back to normal mode..run another Panda scan and post it's log along with the log from the Ewido scan.

[str8nitro]

I was unable to find the folder C:\WINNT\system32\fiz1

and clenup would not let me check mark the Delete Prefetch files box.

Here is the panda scan log:
Incident Status Location

Adware:Adware/SideSearch No disinfected C:\Program Files\Lycos
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\fiz1
Virus:W32/Gaobot.gen.worm Disinfected C:\WINNT\system32\spool\drivers\msgfix.exe
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\fiz1

Here is the log from the Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:52:49 AM, 7/14/2005
+ Report-Checksum: F07AB2C3

+ Scan result:

C:\WINNT\system32\config\svchost.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINNT\Config\FireDaemon.exe -> Backdoor.SdBot.nj : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qpxbtoh9.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Reg1\Cookies\reg1@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Recycled\Dc3.exe -> Backdoor.ServU-based : Cleaned with backup
C:\recycler\temp\aux\fxpop\winmgnt.exe -> Backdoor.ServU-based : Cleaned with backup


::Report End

Thank you

[MicroBell]

Quote:

Delete Prefetch files box

Sorry my mistake. Windows 2000 doesn't have that folder.


Make sure the following files have been deleted.

C:\WINNT\system32\config\svchost.exe
C:\WINNT\Config\FireDaemon.exe
C:\WINNT\system32\spool\drivers\msgfix.exe

Empty your recycle bin!

Open add/remove programs. Check for a listing for either Lycos or Sidesearch. Remove either.

C:\Program Files\Lycos <--delete that folder.

C:\WINNT\system32\fiz1 <--if this isn't a folder...then it's a file. Delete it and any others that start with fiz.

Some examples you may find..

C:\WINNT\system32\fiz0
c:\WINNT\system32\fiz1
c:\WINNT\system32\fiz2
c:\WINNT\system32\fiz3
c:\WINNT\system32\fiz4
c:\WINNT\system32\fiz6
c:\WINNT\system32\fiz7
c:\WINNT\system32\fiz8
c:\WINNT\system32\fiz10
c:\WINNT\system32\fiz12
c:\WINNT\system32\fiz13
c:\WINNT\system32\fiz15
c:\WINNT\system32\fiz16
c:\WINNT\system32\fiz19


Once done post another Ewido scan and Panda log along with the log from this tool...

Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.

[str8nitro]

C:\WINNT\system32\config\svchost.exe
Did not find this file in this location but I did find it in the system32 folder.

I ran silent runners.vbs scan


I ran an Ewido scan but I did not run it in safe mode, does it make a difference this time?

I am running panda scan now.

I will post those 3 logs as soon as panda scan is finished.

thanks for everything

[str8nitro]

Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:20:39 AM, 7/15/2005
+ Report-Checksum: 111ED051

+ Scan result:

C:\Documents and Settings\Reg1\Cookies\reg1@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Reg1\Cookies\reg1@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End

silent runners.vbs report:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"WeatherWatcher" = "C:\Program Files\Weather Watcher\ww.exe" ["Singer's Creations"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SiS KHooker" = "C:\WINNT\System32\khooker.exe" ["Silicon Integrated Systems Corporation"]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\winnt\googletoolbar1.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DA8BB31D-C731-4A17-BF9F-6F2AE2D4CBBD}" = "TaskbarX"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ministars Software\Effective Desktop\TaskbarX.dll" [empty string]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]
INFECTION WARNING! PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Reg1" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Shortcut to TAMActivityPost.exe" -> shortcut to: "C:\Program Files\TAM\Server\TAMActivityPost.exe" ["TAM Retail division of Lode Data Systems, Inc."]
"EDLoader" -> shortcut to: "C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe" ["Ministars Software"]
"Service Manager" -> shortcut to: "C:\MSSQL7\Binn\sqlmangr.exe /n" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Shortcut to TAMActivityPost.exe" -> shortcut to: "C:\Program Files\TAM\Server\TAMActivityPost.exe" ["TAM Retail division of Lode Data Systems, Inc."]
"EDLoader" -> shortcut to: "C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe" ["Ministars Software"]
"Service Manager" -> shortcut to: "C:\MSSQL7\Binn\sqlmangr.exe /n" [MS]


Enabled Scheduled Tasks:
------------------------

"TAMBackupToHardDrive" -> launches: "C:\TAMBackupToHardDrive.cmd" [null data]
"LiveUpdate - Norton AntiVirus" -> launches: "C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE" ["Symantec Corporation"]
"Norton AntiVirus" -> launches: "C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exe /dat:C:\Program Files\Norton Internet Security\NISPlug.NSI /goto:Norton AntiVirus\Status" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"At1" -> launches: "naxuhu.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\winnt\googletoolbar1.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\winnt\googletoolbar1.dll" ["Google Inc."]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Client Service for NetWare, NWCWorkstation, "C:\WINNT\system32\services.exe" [MS]
DameWare Mini Remote Control, DWMRCS, "C:\WINNT\SYSTEM32\DWRCS.EXE -service" ["DameWare Development"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
MSSQLServer, MSSQLServer, "C:\MSSQL7\binn\sqlservr.exe" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 47 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 13 seconds.
---------- (total run time: 102 seconds)


Panda scan report:

Incident Status Location

Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}




Thank you

[MicroBell]

Awaiting Panda Scan. DO NOT DELETE the svchost.exe file in that system32 folder. IT'S LEGIT!!

Ok..these logs are almost clean. How's the system running?

What did your find with those fiz files?


Enabled Scheduled Tasks:
------------------------

Open your Task Scheduler and remove this task!

"At1" -> launches: "naxuhu.exe" [file not found]

naxuhu.exe <--delete that file IF found!

[str8nitro]

The panda is at the bottom of the last post

"Panda scan report:

Incident Status Location

Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908} "



That is the only thing that was in the report.

[MicroBell]

Quote:

Originally Posted by str8nitro

The panda is at the bottom of the last post

"Panda scan report:

Incident Status Location

Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908} "



That is the only thing that was in the report.

Yes..I saw it. No files involved...just an old registry entry.

[str8nitro]

well I guess that sounds good right???

[MicroBell]

Quote:

Originally Posted by str8nitro

well I guess that sounds good right???

Yup..look's like your clean Give me one more hijackthis log and let me know if your having any other issues.

[str8nitro]

I am going to be away for the weekend but I will post the log as soon as I get back. You have been a great help with this whole mess, I am hoping to learn more about the hijackthis logs and everything else.

[str8nitro]

Looks like this may be the last one for this system:

Logfile of HijackThis v1.99.1
Scan saved at 5:02:45 PM, on 7/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\lexpps.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\TAM\Server\TAMActivityPost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\strorage\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Shortcut to TAMActivityPost.exe.lnk = C:\Program Files\TAM\Server\TAMActivityPost.exe
O4 - Startup: EDLoader.lnk = C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
O4 - Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to TAMActivityPost.exe.lnk = C:\Program Files\TAM\Server\TAMActivityPost.exe
O4 - Global Startup: EDLoader.lnk = C:\Program Files\Ministars Software\Effective Desktop\DTLoader.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{1177CAB8-CFBE-4061-9BEB-8C089DB41012}: NameServer = 206.166.49.20,206.166.83.20
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\Setup\tmp\install\setup\winmgnt.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thank you so much

[MicroBell]

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

• Sygate Personal Firewall
• Kerio Personal Firewall
• ZoneAlarm

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[bits-and-bytes]

Ok, you have been a saint helping me through this headache and now with the extra protection you have had me install I can put my worries about this happening again aside.

I have Reset hidden/system files and folders.

There is not a System Restore on that window, I don't think windows 2000 has that.

Windows auto update is set now and ready to go.

I have installed the extra security you have recommended.

Once again I can not thank you enough, you are really a great person to help everybody out like you do.
Thanks again for everything,
Rodney

[str8nitro]

I did not realize that there was another user name logged in on this system when I posted but that last post was from me.
Thanks again