Old 08-18-2005, 03:17 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


Search200 problem can you help please?

I am so thankful for techsupportforum! Going crazy with this mean little trojan.
I have downloaded and run Omegakiller, Hijackthis, and I have updated versions of Norton2005, Spy Sweeper, SpywareBlaster, Spybot. My system is XP.
I can remove the trojan but it comes back. My Spy Sweeper lets me know it is back and trying to hijack my browser again. Then I run Omegakiller and Hijackthis and remove it. If I run OmegaKiller five or six times and remove the file with Hijackthis it doesn't come back as quickly. Here is my log from Hijackthis.
Logfile of HijackThis v1.99.1
Scan saved at 12:48:04 PM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lcdjgeuvhwvz.net/Zl32Eqju...V26VvmT9l.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you for your help. Jim Baker
Jim Baker is offline  

Old 08-18-2005, 06:08 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Hi Jim, and Welcome to TSF! You've got a little LOP infection, let's see what we can do to clean it up.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and we want to be able to easily find them if required.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and CWShredder. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lcdjgeuvhwvz.net/Zl32Eqj...iV26VvmT9l.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

Restart into normal mode.

Download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.


Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Next, run a new scan in HJT and post the log here.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
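The two lines tetonbob asks Jim to fix above are plain registry values (HKCU\...\Internet Explorer\Main,Search Bar and HKLM\...\Search,SearchAssistant), and the thread's own logs show why fixing them does not stick: the Search Bar value comes back each time pointing at a different machine-generated hostname. The following is an added example, not code from the original post or from HijackThis; it parses HJT v1.99.1 R0/R1 lines, flags URLs whose host is neither allowlisted nor human-looking, and tracks how the flagged value drifts across successive logs. The sample logs are constructed (the hostnames are the ones that appear in this thread's logs, the URL paths are invented), and the allowlist and the "looks generated" thresholds are assumptions for illustration.

```python
"""Triage of HijackThis (HJT) R0/R1 lines for the Search Bar hijack seen in this thread.

Added example, not code from the original post or from HijackThis itself. The
log format is HijackThis v1.99.1 as shown in the thread; the sample logs below
are constructed, the hostnames are the ones that appear in the thread's logs,
the URL paths are invented, and the allowlist and "looks machine-generated"
thresholds are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# "R1 - HKCU\...\Main,Search Bar = http://..."  ->  section, rest
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# rest of an R0/R1 line: "<registry key>,<value name> = <data>" (data may be empty)
REG_LINE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+)=(?P<data>.*)$")

# Assumption: hosts the owner set on purpose or that the helper's tools use.
KNOWN_HOSTS = {"yahoo.com", "www.yahoo.com", "www.google.com", "www.pandasoftware.com"}
VOWELS = set("aeiou")


def parse_hjt(text):
    """Parse the R*/O* lines of an HJT log into dicts; R0/R1 also get key/name/data."""
    items = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        rec = {"section": m["sec"], "rest": m["rest"]}
        if m["sec"] in ("R0", "R1"):
            r = REG_LINE.match(m["rest"])
            if r:
                rec.update(key=r["key"], name=r["name"].strip(), data=r["data"].strip())
        items.append(rec)
    return items


def _longest_consonant_run(label):
    # Anything that is not a-e-i-o-u (including y, digits, hyphens) counts as a consonant.
    run = best = 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(host):
    """Heuristic for hosts like lcdjgeuvhwvz.net: a long second-level label that is
    nearly vowel-free or contains a five-letter consonant run. Thresholds are assumed."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return vowel_ratio < 0.25 or _longest_consonant_run(sld) >= 5


def flag_hijacks(items):
    """Return (value name, host) for R0/R1 URLs that are neither allowlisted nor human-looking."""
    findings = []
    for it in items:
        data = it.get("data", "")
        if it["section"] in ("R0", "R1") and data.startswith("http"):
            host = urlparse(data).hostname or ""
            if host not in KNOWN_HOSTS and looks_generated(host):
                findings.append((it["name"], host))
    return findings


def hijack_drift(logs):
    """Distinct hosts each flagged value pointed at across successive logs.

    A value that comes back with a fresh host after every 'Fix checked' is being
    rewritten by something still on the box; fixing the value alone will not hold."""
    drift = {}
    for text in logs:
        for name, host in flag_hijacks(parse_hjt(text)):
            hosts = drift.setdefault(name, [])
            if host not in hosts:
                hosts.append(host)
    return drift


# Constructed sample logs (paths invented; hosts taken from the thread's three HJT logs).
LOG_1 = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lcdjgeuvhwvz.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
LOG_2 = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.krbzpwepgphvhspethm.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
"""
LOG_3 = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jmttzrjycrmyxjotskz.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
"""

if __name__ == "__main__":
    for name, hosts in hijack_drift([LOG_1, LOG_2, LOG_3]).items():
        print(f"{name}: {' -> '.join(hosts)}")
```

Run stand-alone it prints the Search Bar value cycling through three different hosts, one per log. The hostname heuristic is deliberately crude (a vowel-starved or consonant-heavy second-level label); an allowlist of hosts the owner actually chose is what keeps it from tripping on legitimate sites, and a value that keeps drifting after each fix is the cue to look at the other persistence points (O4 Run entries, scheduled tasks, toolbars) rather than at the IE setting itself.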
Old 08-19-2005, 06:58 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


Here are the logs from Trend Micro

2005-08-19, 20:20:30, Auto-clean mode specified.
2005-08-19, 20:20:30, Running scanner "C:\Documents and Settings\Owner\Desktop\TSC.BIN"...
2005-08-19, 20:20:37, Scanner "C:\Documents and Settings\Owner\Desktop\TSC.BIN" has finished running.
2005-08-19, 20:20:37, TSC Log:

2005-08-19, 20:20:56, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat": Access is denied.
2005-08-19, 20:20:56, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat": Access is denied.
2005-08-19, 20:20:57, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2005-08-19, 20:21:58, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-19, 20:21:58, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-19, 20:24:01, An error occurred while scanning file "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll": Access is denied.
2005-08-19, 20:24:01, An error occurred while scanning file "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll": Access is denied.
2005-08-19, 20:27:56, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-19, 20:29:43, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB833987$\sxs.dll": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\ALG.EXE-275708CF.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\LEXBCES.EXE-26095C66.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~2.EXE-1BD49A57.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\MSMSGS.EXE-0620E8B3.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\SSSTARS.SCR-3464C062.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-2AD83BC3.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-35139AF2.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN[1].COM-2310451F.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-1B6597C9.pf": Access is denied.
2005-08-19, 20:31:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-08-19, 20:33:37, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-08-19, 20:34:52, Running scanner "C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN"...
2005-08-19, 20:34:53, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/19/2005 20:34:53
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.*

2005-08-19, 20:34:53, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/19/2005 20:34:53
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.*

2005-08-19, 20:34:53, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/19/2005 20:34:53
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.*

2005-08-19, 20:34:53, Scanner "C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN" has finished running.
2005-08-19, 20:37:46, Running scanner "C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN"...
2005-08-19, 20:37:47, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/19/2005 20:37:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.*

2005-08-19, 20:37:47, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/19/2005 20:37:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.*

2005-08-19, 20:37:47, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/19/2005 20:37:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.*

2005-08-19, 20:37:47, Scanner "C:\Documents and Settings\Owner\Desktop\VSCANTM.BIN" has finished running.

I will run Panda now and post the report. Jim
Jim Baker is offline  
Old 08-19-2005, 09:20 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


Panda logs

Logfile of HijackThis v1.99.1
Scan saved at 11:15:51 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.krbzpwepgphvhspethm.net/Z...V26VvmT9l.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This is a sticky one. Jim
Jim Baker is offline  
Old 08-19-2005, 09:58 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Hi Jim -

Still need the Panda ActiveScan log, please....the output from the TrendMicro scan is not what I expected....not the proper data. Is it the Antispyware.log?

I see you have Ewido on your system. Make sure it is the latest version.

http://www.ewido.net/en/download/

Update its definitions, reboot into safe mode and run Ewido with the following settings:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot into normal mode now.

Also, let's do this:

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the 'Generate StartupList log' button. Post that log in your next post.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.
tetonbob is offline  
Old 08-19-2005, 10:47 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


Is it the Antispyware.log?

I have the wrong one. I will locate it and run the scan again. This is frustrating. I am learning a lot and appreciate the time. Jim
Jim Baker is offline  
Old 08-20-2005, 12:41 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


HIJ followed by Silentrunners - heading for bed now.

Logfile of HijackThis v1.99.1
Scan saved at 2:11:52 AM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jmttzrjycrmyxjotskz.com/Z...V26VvmT9l.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
"Microsoft Works Update Detection" = "c:\Program Files\Microsoft Works\WkDetect.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"AAA201F095ADB9CC" -> launches: "c:\docume~1\owner\applic~1\online~1\Up acid debug.exe" [null data]
"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = "&hp toolkit" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{72F46506-69E8-4B2A-2C6B-F6AEECAFDF16}" = "bows great" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\LOGOBO~1\ford slow.dll" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\ = "hp toolkit" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\ = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\ = "&hp toolkit"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 9 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
---------- (total run time: 36 seconds)

Thanks Bob
Old 08-20-2005, 01:12 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Jim, Jim, Jim.... I want to help you, I really do, and I understand your frustration. To best do that, I require all the information I've asked for in front of me at the same time.......or we can be chasing sprites. Not all our tools see the same things, and I know we've got some nasties hiding, so it's best to wait to post until all instructions have been completed, and all logs collected, unless there are problems along the way which need attention.

Please apply this fix, and then follow the instructions at the end.

All right, here we go:

Reboot to safe mode.

Go to C:\windows\tasks and have a look.

Do you see this task ?

AAA201F095ADB9CC

If you do, delete it. If not, do the following:

Most likely it is invisible and needs to be unhidden.

Click Start > Run and type cmd to open a command prompt; paste in this command, then press Enter.

attrib -s -h -r C:\windows\tasks\*.job

Close the command prompt and open the windows\tasks folder.

Delete this task:

AAA201F095ADB9CC

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{72F46506-69E8-4B2A-2C6B-F6AEECAFDF16}"

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jmttzrjycrmyxjotskz.com/...iV26VvmT9l.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


Search for and delete the following files in bold:

c:\docume~1\owner\applic~1\online~1
C:\PROGRA~1\LOGOBO~1


Restart and run a new HijackThis scan. Save the log file and post it here.

I would like one post with fresh logs from the following, please:


Panda ActiveScan
HJT Startup List
SilentRunners
HJT scan


Please wait until you have run all the scans and collected all the logs before posting your results.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
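The two entries tetonbob's fix above targets (a scheduled task tagged [null data] that launches from an 8.3-obfuscated profile path, and a toolbar CLSID whose InProcServer32 DLL is [file not found]) can be picked out of a Silent Runners report mechanically. The Python triage script below is an added example, not code from this thread or from Silent Runners; its sample report is constructed from the lines posted above, and the regular expressions assume the report layout shown there.

```python
"""Triage helper for Silent Runners-style report lines (added example)."""
import re
from dataclasses import dataclass

# Line shapes as printed in the "Enabled Scheduled Tasks" and "Toolbars"
# sections of the report posted in this thread (assumed layout).
TASK_RE = re.compile(r'^"(?P<name>[^"]+)" -> launches: "(?P<cmd>.*)" (?P<tag>\[.*\])$')
CLSID_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})" = "(?P<title>.*)" \[from CLSID\]$')
SERVER_RE = re.compile(r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "(?P<dll>.*)" (?P<tag>\[.*\])$')

# Tags the report prints when the publisher cannot be read or the file is gone.
SUSPECT_TAGS = {"[null data]", "[file not found]"}
# Profile-directory fragments (long and 8.3 short-name forms) seen in the report;
# used only to raise priority, never as the sole reason for a finding.
PROFILE_HINTS = ("docume~1", "documents and settings", "applic~1", "application data")

# Constructed sample: lines copied from the report above plus their benign neighbours.
SAMPLE_REPORT = r"""
Enabled Scheduled Tasks:
------------------------

"AAA201F095ADB9CC" -> launches: "c:\docume~1\owner\applic~1\online~1\Up acid debug.exe" [null data]
"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{72F46506-69E8-4B2A-2C6B-F6AEECAFDF16}" = "bows great" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\LOGOBO~1\ford slow.dll" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"""


@dataclass
class Finding:
    kind: str       # "task" or "toolbar"
    ident: str      # task name or toolbar CLSID
    path: str       # executable or DLL the entry points to
    priority: str   # "high" or "medium"
    reason: str


def triage(report: str) -> list:
    """Return a Finding for every task or toolbar entry that deserves a second look."""
    findings = []
    pending_clsid = None  # CLSID whose "-> {CLSID}\InProcServer32" line comes next
    for raw in report.splitlines():
        line = raw.strip()

        m = TASK_RE.match(line)
        if m:
            cmd, tag = m.group("cmd"), m.group("tag")
            # A readable publisher name (e.g. ["Symantec Corporation"]) is not flagged,
            # even when the command line points into a profile directory.
            if tag.lower() in SUSPECT_TAGS:
                in_profile = any(h in cmd.lower() for h in PROFILE_HINTS)
                findings.append(Finding(
                    "task", m.group("name"), cmd,
                    "high" if in_profile else "medium",
                    "launched file has no publisher" + (
                        " and lives in a user profile directory" if in_profile else "")))
            continue

        m = CLSID_RE.match(line)
        if m:
            pending_clsid = m.group("clsid")
            continue

        m = SERVER_RE.match(line)
        if m and pending_clsid:
            if m.group("tag").lower() in SUSPECT_TAGS:
                findings.append(Finding(
                    "toolbar", pending_clsid, m.group("dll"), "high",
                    f"InProcServer32 DLL tagged {m.group('tag')}"))
            pending_clsid = None

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.priority}] {f.kind} {f.ident}: {f.path} ({f.reason})")
```

Findings are only pointers for the analyst to review, as tetonbob does above; the script deletes nothing.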
Old 08-21-2005, 08:43 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


Log Files Pasted In

TetonBob: I wasn't quite sure if you wanted all the logs, because in one place the directions said to paste the first log here and on the next line the directions said you ONLY wanted the last log. So I did both. I hope this doesn't confuse matters. I am running Panda ActiveScan as I type. I still have the hijacker running my browser. Is it ok to keep removing it using OmegaKiller and HijackThis? Jim
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 13:22:39 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

--------------------------------- Anti-Spyware session ended ---------------------------------

--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 13:23:12 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Program Startup Areas: Found 'film 2' in 'S-1-5-21-96703917-4210259494-4108073714-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 13:28:26 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 13:29:13 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Finished Scanning
Started Cleaning
--------------------------------- Anti-Spyware session ended ---------------------------------

Internet Explorer/MSN/AOL Cache
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 18:49:43 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Internet Browser History
Delete History Items on Startup: Cleaned 'Internet Browser History' in ''
AOL URL History
Delete History Items on Startup: Cleaned 'AOL URL History' in ''
Media Player history
Delete History Items on Startup: Cleaned 'Media Player history' in ''
RealPlayer History
Delete History Items on Startup: Cleaned 'RealPlayer History' in ''
Windows common dialog recently used file list
Delete History Items on Startup: Cleaned 'Windows common dialog recently used file list' in ''
Windows Search History
Delete History Items on Startup: Cleaned 'Windows Search History' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Windows Document History
Delete History Items on Startup: Cleaned 'Windows Document History' in ''
Windows Run History
Delete History Items on Startup: Cleaned 'Windows Run History' in ''
Recycle Bin
Delete History Items on Startup: Cleaned 'Recycle Bin' in ''
MS Download Temp Directory
Delete History Items on Startup: Cleaned 'MS Download Temp Directory' in ''
Google Search History
Delete History Items on Startup: Cleaned 'Google Search History' in ''
Winzip Recent File List
Delete History Items on Startup: Cleaned 'Winzip Recent File List' in ''
Adobe Acrobat recent file list
Delete History Items on Startup: Cleaned 'Adobe Acrobat recent file list' in ''
Microsoft Word recent file list
Delete History Items on Startup: Cleaned 'Microsoft Word recent file list' in ''
Microsoft Excel recent file list
Delete History Items on Startup: Cleaned 'Microsoft Excel recent file list' in ''
Microsoft PowerPoint recent file list
Delete History Items on Startup: Cleaned 'Microsoft PowerPoint recent file list' in ''
Microsoft Access recent file list
Delete History Items on Startup: Cleaned 'Microsoft Access recent file list' in ''
Internet Explorer Auto-complete data
Delete History Items on Startup: Cleaned 'Internet Explorer Auto-complete data' in ''
Jasc Paint Shop Pro History
Delete History Items on Startup: Cleaned 'Jasc Paint Shop Pro History' in ''
AOL Instant Messenger Recent Users
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Recent Users' in ''
AOL Instant Messenger Download Folder
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Download Folder' in ''
Yahoo Messenger User Profiles
Delete History Items on Startup: Cleaned 'Yahoo Messenger User Profiles' in ''
Yahoo Messenger Transaction Log
Delete History Items on Startup: Cleaned 'Yahoo Messenger Transaction Log' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Started Scanning
Programs in Memory
Finished Scanning
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 19:03:45 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Files and Directories: Found 'ijl11.dll' in 'C:\Program Files\Common Files\Logitech\QCDriver'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Files and Directories: Cleaned 'ijl11.dll' in 'C:\Program Files\Common Files\Logitech\QCDriver'
Finished Cleaning
Started Cleaning
Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Internet Browser History
Delete History Items on Startup: Cleaned 'Internet Browser History' in ''
AOL URL History
Delete History Items on Startup: Cleaned 'AOL URL History' in ''
Media Player history
Delete History Items on Startup: Cleaned 'Media Player history' in ''
RealPlayer History
Delete History Items on Startup: Cleaned 'RealPlayer History' in ''
Windows common dialog recently used file list
Delete History Items on Startup: Cleaned 'Windows common dialog recently used file list' in ''
Windows Search History
Delete History Items on Startup: Cleaned 'Windows Search History' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Windows Document History
Delete History Items on Startup: Cleaned 'Windows Document History' in ''
Windows Run History
Delete History Items on Startup: Cleaned 'Windows Run History' in ''
Recycle Bin
Delete History Items on Startup: Cleaned 'Recycle Bin' in ''
Start Menu Order/Click History
Delete History Items on Startup: Cleaned 'Start Menu Order/Click History' in ''
MS Download Temp Directory
Delete History Items on Startup: Cleaned 'MS Download Temp Directory' in ''
Google Search History
Delete History Items on Startup: Cleaned 'Google Search History' in ''
Winzip Recent File List
Delete History Items on Startup: Cleaned 'Winzip Recent File List' in ''
Adobe Acrobat recent file list
Delete History Items on Startup: Cleaned 'Adobe Acrobat recent file list' in ''
Microsoft Word recent file list
Delete History Items on Startup: Cleaned 'Microsoft Word recent file list' in ''
Microsoft Excel recent file list
Delete History Items on Startup: Cleaned 'Microsoft Excel recent file list' in ''
Microsoft PowerPoint recent file list
Delete History Items on Startup: Cleaned 'Microsoft PowerPoint recent file list' in ''
Microsoft Access recent file list
Delete History Items on Startup: Cleaned 'Microsoft Access recent file list' in ''
Internet Explorer Auto-complete data
Delete History Items on Startup: Cleaned 'Internet Explorer Auto-complete data' in ''
Jasc Paint Shop Pro History
Delete History Items on Startup: Cleaned 'Jasc Paint Shop Pro History' in ''
AOL Instant Messenger Recent Users
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Recent Users' in ''
AOL Instant Messenger Download Folder
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Download Folder' in ''
Yahoo Messenger User Profiles
Delete History Items on Startup: Cleaned 'Yahoo Messenger User Profiles' in ''
Yahoo Messenger Transaction Log
Delete History Items on Startup: Cleaned 'Yahoo Messenger Transaction Log' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Finished Cleaning
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 21:58:58 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Internet Browser History
Delete History Items on Startup: Cleaned 'Internet Browser History' in ''
AOL URL History
Delete History Items on Startup: Cleaned 'AOL URL History' in ''
Media Player history
Delete History Items on Startup: Cleaned 'Media Player history' in ''
RealPlayer History
Delete History Items on Startup: Cleaned 'RealPlayer History' in ''
Windows common dialog recently used file list
Delete History Items on Startup: Cleaned 'Windows common dialog recently used file list' in ''
Windows Search History
Delete History Items on Startup: Cleaned 'Windows Search History' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Windows Document History
Delete History Items on Startup: Cleaned 'Windows Document History' in ''
Windows Run History
Delete History Items on Startup: Cleaned 'Windows Run History' in ''
Recycle Bin
Delete History Items on Startup: Cleaned 'Recycle Bin' in ''
Start Menu Order/Click History
Delete History Items on Startup: Cleaned 'Start Menu Order/Click History' in ''
MS Download Temp Directory
Delete History Items on Startup: Cleaned 'MS Download Temp Directory' in ''
Google Search History
Delete History Items on Startup: Cleaned 'Google Search History' in ''
Winzip Recent File List
Delete History Items on Startup: Cleaned 'Winzip Recent File List' in ''
Adobe Acrobat recent file list
Delete History Items on Startup: Cleaned 'Adobe Acrobat recent file list' in ''
Microsoft Word recent file list
Delete History Items on Startup: Cleaned 'Microsoft Word recent file list' in ''
Microsoft Excel recent file list
Delete History Items on Startup: Cleaned 'Microsoft Excel recent file list' in ''
Microsoft PowerPoint recent file list
Delete History Items on Startup: Cleaned 'Microsoft PowerPoint recent file list' in ''
Microsoft Access recent file list
Delete History Items on Startup: Cleaned 'Microsoft Access recent file list' in ''
Internet Explorer Auto-complete data
Delete History Items on Startup: Cleaned 'Internet Explorer Auto-complete data' in ''
Jasc Paint Shop Pro History
Delete History Items on Startup: Cleaned 'Jasc Paint Shop Pro History' in ''
AOL Instant Messenger Recent Users
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Recent Users' in ''
AOL Instant Messenger Download Folder
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Download Folder' in ''
Yahoo Messenger User Profiles
Delete History Items on Startup: Cleaned 'Yahoo Messenger User Profiles' in ''
Yahoo Messenger Transaction Log
Delete History Items on Startup: Cleaned 'Yahoo Messenger Transaction Log' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Started Scanning
Programs in Memory
Finished Scanning
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 22:15:41 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Internet Browser History
Delete History Items on Startup: Cleaned 'Internet Browser History' in ''
AOL URL History
Delete History Items on Startup: Cleaned 'AOL URL History' in ''
Media Player history
Delete History Items on Startup: Cleaned 'Media Player history' in ''
RealPlayer History
Delete History Items on Startup: Cleaned 'RealPlayer History' in ''
Windows common dialog recently used file list
Delete History Items on Startup: Cleaned 'Windows common dialog recently used file list' in ''
Windows Search History
Delete History Items on Startup: Cleaned 'Windows Search History' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Windows Document History
Delete History Items on Startup: Cleaned 'Windows Document History' in ''
Windows Run History
Delete History Items on Startup: Cleaned 'Windows Run History' in ''
Recycle Bin
Delete History Items on Startup: Cleaned 'Recycle Bin' in ''
Start Menu Order/Click History
Delete History Items on Startup: Cleaned 'Start Menu Order/Click History' in ''
MS Download Temp Directory
Delete History Items on Startup: Cleaned 'MS Download Temp Directory' in ''
Google Search History
Delete History Items on Startup: Cleaned 'Google Search History' in ''
Winzip Recent File List
Delete History Items on Startup: Cleaned 'Winzip Recent File List' in ''
Adobe Acrobat recent file list
Delete History Items on Startup: Cleaned 'Adobe Acrobat recent file list' in ''
Microsoft Word recent file list
Delete History Items on Startup: Cleaned 'Microsoft Word recent file list' in ''
Microsoft Excel recent file list
Delete History Items on Startup: Cleaned 'Microsoft Excel recent file list' in ''
Microsoft PowerPoint recent file list
Delete History Items on Startup: Cleaned 'Microsoft PowerPoint recent file list' in ''
Microsoft Access recent file list
Delete History Items on Startup: Cleaned 'Microsoft Access recent file list' in ''
Internet Explorer Auto-complete data
Delete History Items on Startup: Cleaned 'Internet Explorer Auto-complete data' in ''
Jasc Paint Shop Pro History
Delete History Items on Startup: Cleaned 'Jasc Paint Shop Pro History' in ''
AOL Instant Messenger Recent Users
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Recent Users' in ''
AOL Instant Messenger Download Folder
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Download Folder' in ''
Yahoo Messenger User Profiles
Delete History Items on Startup: Cleaned 'Yahoo Messenger User Profiles' in ''
Yahoo Messenger Transaction Log
Delete History Items on Startup: Cleaned 'Yahoo Messenger Transaction Log' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Started Scanning
Programs in Memory
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=RIVERMEDE
Time=Sat Aug 20 22:17:59 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Finished Scanning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Started Scanning
CoolWebSearch Variants (CWShredder)
Finished Scanning
Started Cleaning
Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Internet Browser History
Delete History Items on Startup: Cleaned 'Internet Browser History' in ''
AOL URL History
Delete History Items on Startup: Cleaned 'AOL URL History' in ''
Media Player history
Delete History Items on Startup: Cleaned 'Media Player history' in ''
RealPlayer History
Delete History Items on Startup: Cleaned 'RealPlayer History' in ''
Windows common dialog recently used file list
Delete History Items on Startup: Cleaned 'Windows common dialog recently used file list' in ''
Windows Search History
Delete History Items on Startup: Cleaned 'Windows Search History' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Windows Document History
Delete History Items on Startup: Cleaned 'Windows Document History' in ''
Windows Run History
Delete History Items on Startup: Cleaned 'Windows Run History' in ''
Recycle Bin
Delete History Items on Startup: Cleaned 'Recycle Bin' in ''
Start Menu Order/Click History
Delete History Items on Startup: Cleaned 'Start Menu Order/Click History' in ''
MS Download Temp Directory
Delete History Items on Startup: Cleaned 'MS Download Temp Directory' in ''
Google Search History
Delete History Items on Startup: Cleaned 'Google Search History' in ''
Winzip Recent File List
Delete History Items on Startup: Cleaned 'Winzip Recent File List' in ''
Adobe Acrobat recent file list
Delete History Items on Startup: Cleaned 'Adobe Acrobat recent file list' in ''
Microsoft Word recent file list
Delete History Items on Startup: Cleaned 'Microsoft Word recent file list' in ''
Microsoft Excel recent file list
Delete History Items on Startup: Cleaned 'Microsoft Excel recent file list' in ''
Microsoft PowerPoint recent file list
Delete History Items on Startup: Cleaned 'Microsoft PowerPoint recent file list' in ''
Microsoft Access recent file list
Delete History Items on Startup: Cleaned 'Microsoft Access recent file list' in ''
Internet Explorer Auto-complete data
Delete History Items on Startup: Cleaned 'Internet Explorer Auto-complete data' in ''
Jasc Paint Shop Pro History
Delete History Items on Startup: Cleaned 'Jasc Paint Shop Pro History' in ''
AOL Instant Messenger Recent Users
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Recent Users' in ''
AOL Instant Messenger Download Folder
Delete History Items on Startup: Cleaned 'AOL Instant Messenger Download Folder' in ''
Yahoo Messenger User Profiles
Delete History Items on Startup: Cleaned 'Yahoo Messenger User Profiles' in ''
Yahoo Messenger Transaction Log
Delete History Items on Startup: Cleaned 'Yahoo Messenger Transaction Log' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Finished Cleaning
Old 08-21-2005, 08:56 AM   #10 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 15
OS: XP


Panda ActiveScan Logs

TetonBob: I have continued to use OmegaKiller and it is helpful to give me temporary control of my browser. Here are the Panda logs. Jim
Incident Status Location

Adware:adware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
Security Risk:application/eblaster No disinfected C:\WINDOWS\SYSTEM32\ocxdrv32.dll
Adware:adware/sidestep No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.dll
Adware:adware/blazefind No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug\AXIS COMP.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug\film fork.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug\mealhope.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug\Setup Byte.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\7k15.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\ace enc.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\aqbdeibi.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\eapomnlh.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\kpjdzzlj.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\This user each mode.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\Up acid debug.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\viotouui.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Application Data\OnlineLoad\xubvgsrt.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124511888.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124512668.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124553375.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124553937.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124578333.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124589970.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124597326.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124382184.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124382188.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124382190.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124442309.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124442312.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\downloader.hc1124382181.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\downloader.hc1124441665.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124379851.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381039.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381116.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381194.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381336.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382181.dl_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382181.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382188.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382190.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124395468.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441665.dl_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441665.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441832.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441937.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441998.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442043.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442073.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442119.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442164.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442212.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442255.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442299.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442349.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442392.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442438.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442487.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442528.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442586.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442630.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442669.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442710.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442750.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442788.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442825.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442883.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442926.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442973.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124443008.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124476265.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124478043.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\yzfkrdjq.exe
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\downloader.hc1124334090.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124334090.dl_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124334090.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124341340.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124341399.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124346308.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124348736.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124348957.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349021.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349033.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349045.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349057.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349069.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349083.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349095.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349107.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349120.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349132.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349143.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349155.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349206.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349218.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349228.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349256.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349266.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349277.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349657.ex_
Security Risk:Application/Eblaster No disinfected C:\WINDOWS\system32\msrac32.dll

Thanks TetonBob - Jim Baker
08-21-2005, 03:17 PM   #11
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home

Hi Jim -

This is a new variant of LOP infection, and I have a new tool to use to help us ID the hidden sources of the infection.

Copy these instructions to Notepad. Follow these instructions only at this point, in the order given, and provide only the logs asked for in this post, please.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Download Killbox from one of these locations:

http://www.greyknight17.com/spy/KillBox.exe
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
C:\WINDOWS\SYSTEM32\ocxdrv32.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.dll
C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug
C:\Documents and Settings\Owner\7k15.exe
C:\Documents and Settings\Owner\Application Data\OnlineLoad
C:\WINDOWS\system32\msrac32.dll


Select/Highlight all the filenames from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe
  1. Go to the File menu, and choose Paste from Clipboard (* this feature does not work on older versions of Killbox).
     Click the dropdown-arrow next to the "Full Path of File to Delete" field.
     Verify that the filenames you pasted are found in there.
  2. Select/tick the following:
     • Delete on Reboot
     • End Explorer Shell While Killing File
     • Unregister.dll Before Deleting (* if it's not grayed out)
  3. Click the RED X button.
  4. Click Yes at the 'Delete on Reboot' prompt.
  5. Click Yes at the 'Pending Operations' prompt.

* If you receive a message such as "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe, then try Killbox again.


Allow your system to reboot into normal mode.

Please configure CleanUp! with the following settings:

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
* Uncheck "Scan local drives for temporary files"
* Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Delete the contents of the following folders, but not the folders (let me know if there is known good data (yours) stored in these locations):

C:\Program Files\OmegaKiller1[1].2\backup
C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup

Download Findlop. Unzip it to your desktop.
Double click fl.bat. It will open a notepad file.
Copy the contents of that file and paste it here in your reply.

Run a scan with HJT, save the log and post it here.

So, I need a log from:
HJT
fl.bat
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
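Added example, not from the thread or from any of the tools used in it: a small Python triage of a Panda ActiveScan listing like the one Jim posted above. Almost every "No disinfected" hit in that listing sits inside a removal tool's backup folder (OmegaKiller's own, and the copy under Saved Files From Desktop) with the neutralised .ex_ / .dl_ extensions such tools give to the copies they keep, which is why tetonbob asks for the contents of those two folders to be deleted. Only two hits are live files, Temp\yzfkrdjq.exe and system32\msrac32.dll, and the latter is already on the Killbox list. The script separates the two groups so that a scanner re-reporting quarantine copies is not read as a reinfection. The sample lines are an excerpt of the posted scan; the line regex and the backup-folder/extension rule are this example's assumptions about the output format, not anything Panda documents.

```python
"""Triage a Panda ActiveScan result listing: live files vs. quarantine residue.

Added example for this thread, not a tool used in it.  Each listing line is
"<Incident> <Status> <Location>"; the location is the first drive-rooted path.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Incident like "Adware:Adware/Lop" or "Security Risk:Application/Eblaster"
# (may contain a space before the colon), then a status such as
# "No disinfected", then a path beginning with a drive letter.
LINE_RE = re.compile(
    r"^(?P<incident>.+?:\S+)\s+(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Removal tools rename backed-up copies so they cannot execute (.exe -> .ex_).
NEUTRALISED_EXT = {".ex_", ".dl_"}

# Excerpt of the scan posted above (constructed sample: six of the ~70 lines,
# with the missing space in the Eblaster line restored).
SAMPLE = r"""
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124442312.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382181.dl_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\yzfkrdjq.exe
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\downloader.hc1124334090.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349657.ex_
Security Risk:Application/Eblaster No disinfected C:\WINDOWS\system32\msrac32.dll
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one listing line into incident, status, path, dir and file."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["dir"], _, hit["file"] = hit["path"].rpartition("\\")
    return hit


def is_backup_residue(hit: dict) -> bool:
    """True if the hit is a removal tool's backup copy rather than a live file:
    it lives in a 'backup' folder or carries a neutralised extension."""
    in_backup_dir = "backup" in [seg.lower() for seg in hit["dir"].split("\\")]
    ext = hit["file"][hit["file"].rfind("."):].lower() if "." in hit["file"] else ""
    return in_backup_dir or ext in NEUTRALISED_EXT


def triage(scan_text: str) -> dict:
    """Return {'live': [hits], 'residue': {backup_dir: [filenames]}}."""
    live: List[dict] = []
    residue: Dict[str, List[str]] = defaultdict(list)
    for line in scan_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue  # blank line or a line in another format
        if is_backup_residue(hit):
            residue[hit["dir"]].append(hit["file"])
        else:
            live.append(hit)
    return {"live": live, "residue": dict(residue)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("Live detections (remove these first):")
    for hit in result["live"]:
        print(f"  {hit['incident']:36} {hit['path']}")
    print("Backup folders holding neutralised copies (empty them afterwards):")
    for folder, files in result["residue"].items():
        print(f"  {len(files):3} file(s) in {folder}")
```

Run it as a script to print both groups, or import it and call triage() on a saved listing. The residue count is the thing to watch: once the live files are gone and the backup folders are emptied, a clean rescan should report neither group.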
08-22-2005, 11:05 PM   #12
Jim Baker (Registered User)
Join Date: Aug 2005
Posts: 15
OS: XP

Findlop log and HJT log (like bad news, it came back)

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAA201F095ADB9CC.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\owner\applic~1\online~1\Up acid debug.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/23/2005 0:00:00
NextRun: 08/23/2005 1:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/21/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Norton AntiVirus - Scan my computer - Owner.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\Navw32.exe'
Parameters: '/task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/12/2005 20:00:00
NextRun: 08/26/2005 20:00:00
StartError: S_OK
ExitCode: 0x1
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 08/11/2005
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/22/2005 21:38:00
NextRun: 08/23/2005 1:49:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 08/23/2005
EndDate: 00/00/0000
StartTime: 01:49
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Logfile of HijackThis v1.99.1
Scan saved at 1:02:47 AM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rrwciwzbcplqwsbgehn.us/Zl...iV26VvmT9l.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
08-23-2005, 12:10 AM   #13
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,335
OS: N/A

Go Start -> Run and type CMD - black command window will open.

In the command window, type:

schtasks /delete /TN AAA201F095ADB9CC /F <Press Enter>

exit <Press Enter>

Close the command window again.


Locate & delete this folder:

C:\Documents and Settings\Owner\Application Data\online~1\


Have Hijackthis fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rrwciwzbcplqwsbgehn.us/Z...wiV26VvmT9l.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =



Reboot & post fresh logs from fl.bat & HJT
__________________

Question - what have you done for the community today?
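Added example, not part of the thread and not fl.bat itself: a Python pass over a Findlop (fl.bat) trace like the one posted above that picks out the rogue job and prints the removal commands, starting with the schtasks line sUBs gives. In that dump, AAA201F095ADB9CC.job is the persistence mechanism behind the hijack coming back: it is Hidden = 1 (so it does not appear in the Scheduled Tasks folder), runs 'Up acid debug.exe' from the user's Application Data (online~1 is the 8.3 short name of a folder beginning with "Online"; OnlineLoad from the Killbox list above is the likely match), repeats every 60 minutes all day, has a random hex name, no comment, and a StartDate of 1997. The two Symantec tasks show none of these traits. The heuristics and the two-signal threshold are this example's assumptions, drawn from that dump; the abridged trace is copied from the post. The fallback commands assume the default task store under %SystemRoot%\Tasks, where each task is a <name>.job file, and are for a machine where schtasks.exe is not present, as on Windows XP Home Edition, which does not ship it.

```python
"""Find the rogue job in a Findlop/fl.bat scheduled-task trace and emit the
removal commands.  Added example for this thread; fl.bat itself is not shown."""
import re
from typing import Dict, List

JOB_HEADER = re.compile(r"^\[TRACE\] Activating job '(?P<name>.+?)\.job'$")
# Both "Key: value" and "Flag = value" lines that follow a job header.
KV = re.compile(r"^(?P<key>[A-Za-z]+)\s*[:=]\s*(?P<val>.*)$")
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{12,}$")
# A task whose program lives inside a user profile (long or 8.3 short form).
PROFILE_ROOT = re.compile(r"^[a-z]:\\(docume~1|documents and settings)\\", re.I)

# Abridged copy of the trace posted above (constructed sample: only the
# fields the heuristics below read are kept for each of the three jobs).
SAMPLE_TRACE = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAA201F095ADB9CC.job'
ApplicationName: 'c:\docume~1\owner\applic~1\online~1\Up acid debug.exe'
Comment: ''
Hidden = 1
StartDate: 02/21/1997
MinutesInterval: 60
[TRACE] Activating job 'Norton AntiVirus - Scan my computer - Owner.job'
ApplicationName: 'C:\PROGRA~1\NORTON~1\Navw32.exe'
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Hidden = 0
StartDate: 08/11/2005
MinutesInterval: 0
[TRACE] Activating job 'Symantec NetDetect.job'
ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Comment: 'Symantec NetDetect'
Hidden = 0
StartDate: 08/23/2005
MinutesInterval: 240
"""


def parse_trace(text: str) -> Dict[str, Dict[str, str]]:
    """Map each job name (the .job file name) to its first value for every key."""
    jobs: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = JOB_HEADER.match(line)
        if header:
            current = jobs.setdefault(header.group("name"), {})
            continue
        kv = KV.match(line)
        if current is not None and kv and kv.group("key") not in current:
            current[kv.group("key")] = kv.group("val").strip("'")
    return jobs


def assess(name: str, job: Dict[str, str]) -> List[str]:
    """Signals that a job is adware persistence rather than a vendor task.
    Thresholds are this example's assumptions, drawn from the dump above."""
    signals = []
    app = job.get("ApplicationName", "")
    if job.get("Hidden") == "1":
        signals.append("Hidden = 1: not shown in the Scheduled Tasks folder")
    if PROFILE_ROOT.match(app):
        signals.append(f"runs from a user profile path: {app}")
    if HEX_NAME.match(name):
        signals.append("random hex job name")
    if not job.get("Comment"):
        signals.append("no description")
    interval = int(job.get("MinutesInterval") or 0)
    if 0 < interval <= 60:
        signals.append(f"re-runs every {interval} minutes")
    year = job.get("StartDate", "")[-4:]
    if year.isdigit() and int(year) < 2001:  # predates Windows XP itself
        signals.append(f"StartDate {job['StartDate']} predates Windows XP")
    return signals


def is_suspicious(name: str, job: Dict[str, str]) -> bool:
    """A hidden task is always suspicious; otherwise require two signals."""
    return job.get("Hidden") == "1" or len(assess(name, job)) >= 2


def remediation(name: str, job: Dict[str, str]) -> List[str]:
    """cmd.exe commands: the schtasks line sUBs gave, then a fallback that
    strips attributes from and deletes the .job file directly (for systems
    without schtasks.exe), then the payload folder the task launched from."""
    job_file = f'"%SystemRoot%\\Tasks\\{name}.job"'
    cmds = [f'schtasks /delete /TN "{name}" /F',
            f"attrib -h -s -r {job_file}",
            f"del {job_file}"]
    payload_dir = job.get("ApplicationName", "").rpartition("\\")[0]
    if payload_dir:
        cmds.append(f'rd /s /q "{payload_dir}"')
    return cmds


if __name__ == "__main__":
    for name, job in parse_trace(SAMPLE_TRACE).items():
        flag = is_suspicious(name, job)
        print(("SUSPICIOUS " if flag else "ok         ") + name)
        for line in assess(name, job) + (remediation(name, job) if flag else []):
            print("    " + line)
```

The commands are printed, not executed; run them from a cmd window, reboot, and re-run fl.bat to confirm the job is gone. If the .job file is listed again afterwards, whatever recreates it (the program under Application Data, in this case) is still present and has to go first.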
08-23-2005, 09:01 AM   #14
Jim Baker (Registered User)
Join Date: Aug 2005
Posts: 15
OS: XP

schtasks is not a valid name / couldn't find C:\Documents

I followed the directions as you suggested, and the word schtasks was not a valid name. Then I entered C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\\ONLINE~1\
in the Run window, and it doesn't exist. Is there another way to find out if the file exists? Other options? Jim
08-23-2005, 09:26 AM   #15
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,335
OS: N/A

Let's try finding the miscreant again.

Download this revised program - fl.zip. Unzip it to your desktop.
Double click the new fl.bat. It will open a notepad file.
Copy the contents of that file and paste it here in your reply.

I would also require a new HJT log

Thanks
08-23-2005, 09:38 AM   #16
Jim Baker (Registered User)
Join Date: Aug 2005
Posts: 15
OS: XP

TetonBob: Has someone else taken over for you?

Someone else contacted me via this page and gave a list of tasks to do. Is this person for real? Suddenly I was attacked by over 40 different programs that tried to download onto my computer. From Allaboutsearching to crap.com? My Spy Sweeper notified me and I removed them. Unbelievable! I don't know how to find the log in Spy Sweeper, but I think you would benefit from seeing it. Just incredible. Jim
08-23-2005, 09:56 AM   #17
Jim Baker (Registered User)
Join Date: Aug 2005
Posts: 15
OS: XP

Download and save where, please? It doesn't give me a choice.

I clicked on fl.zip and was refused entry. I searched and found it on the net. I downloaded it, but when opened, nothing happens. Just a bunch of files. Removed it. Suggestion? Jim

Download this revised program - fl.zip. Unzip it to your desktop.
Double click the new fl.bat. It will open a notepad file.
Copy the contents of that file and paste it here in your reply.

I would also require a new HJT log
08-23-2005, 09:59 AM   #18
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home

Jim -

sUBs knows what he's doing. Until we get this LOP infection removed, it will continue to call out to all of its friends to join the party on your system.

You should have Hidden Files viewable at this point. Just to be sure, do this:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Now, you should be able to manually navigate to c:\documents and settings\owner\application data\online~1 <<<< this will be a folder whose name begins with "online". Let us know if you can see it, because it's there. If you find it, delete it. Let us know if it presents problems in deletion; if so, there are other ways to get it.

Please run the bat file sUBs just linked you to, and post the results.
08-23-2005, 10:10 AM   #19
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,335
OS: N/A

I just realised that he's been unable to download the file because it's located in a part of the forum he doesn't have access to.

You may download it from this alternate url > http://www.fbeej.ctrlaltdel.dk/Programmer/fl.zip
08-23-2005, 10:43 AM   #20
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home

Also, Jim... sorry for the mix-up in the link. I have a question: are you using XP Home Edition or XP Professional, do you know?
 


Copyright 2001 - 2009, Tech Support Forum