Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 08-25-2005, 05:09 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


CWS.Homesearch and Aboutblank

Hello - I'm having serious problems with CWS.homesearch. I have tried CleanUp, Ewido, CWShredder, Ad-aware, Pestpatrol and Norton Antivirus without success; CWS comes back after restarts. Please help!! I use XP SP2. Please find the KRC Hijackthis analyser log file below. Thanks in advance!!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 01:16:49, on 2005-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Olle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.se/Nyheter/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63181BB0-FEAD-277D-2CC4-CAF7A0CCE681} - C:\WINDOWS\mfctn.dll (file missing)
O2 - BHO: Class - {DDDF9214-0C39-2401-5681-788C67AD3397} - C:\WINDOWS\system32\netxb32.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Old 08-25-2005, 07:02 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63181BB0-FEAD-277D-2CC4-CAF7A0CCE681} - C:\WINDOWS\mfctn.dll (file missing)
O2 - BHO: Class - {DDDF9214-0C39-2401-5681-788C67AD3397} - C:\WINDOWS\system32\netxb32.dll (file missing)
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe



Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\mfctn.dll
C:\WINDOWS\system32\netxb32.dll
C:\WINDOWS\system32\hookdump.exe


Restart in normal mode.

Download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Run a new HijackThis scan. Save the log file and post it here.

NOTE:

MicroSoft AntiSpyware Program:


Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted!! I recommend you remove it.

Here are some other tools which will do the job quite well:

AdawareSE (free)
Spybot Search and Destroy (Teatimer Enabled) (free)
IESpy-Ad (free)
SpywareBlaster (free)
WinPatrol (free)
CounterSpy (free trial)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
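The fix list above is a set of heuristics applied by eye to the HijackThis log in the first post: blank or about:blank IE start/search pages, a missing URLSearchHook, BHOs whose DLL no longer exists, and a per-user Run entry launching an unknown file from the Windows directory. The script below is an added example (not code from the thread, from HijackThis or from the helpers) that applies the same checks to the R/O lines copied from that log; the `KNOWN_WINDOWS_RUN_BINARIES` allowlist is an assumption made for the demo, not something the thread defines.

```python
"""Triage a HijackThis v1.99 log with a few defender-side heuristics.

Added example: not code from the thread, from HijackThis or from the
helpers. SAMPLE_LOG is copied from the first log posted in the thread; the
allowlist below is an assumption made for the demo.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a tiny allowlist of Windows components that legitimately run
# from the Windows directory via an HKCU Run entry. Real triage would check
# file hashes and signatures instead of trusting a file name.
KNOWN_WINDOWS_RUN_BINARIES = {"ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
HKCU_RUN_RE = re.compile(r"^HKCU\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First token of a command line: a quoted path or a bare unquoted one.
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')


@dataclass
class Finding:
    entry: str
    reason: str


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks off."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header line, running-process list, blank line
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):
        # "registry value = data"; a blank or about:blank start/search page
        # is the classic CoolWebSearch (CWS) about:blank hijack signature.
        key, _, value = body.partition(" = ")
        if value.strip() in ("", "about:blank"):
            return Finding(line.strip(), f"IE setting blanked or hijacked: {key.rstrip(' =')}")
    elif kind == "R3" and "URLSearchHook is missing" in body:
        return Finding(line.strip(), "default URLSearchHook removed")
    elif kind == "O2" and "(file missing)" in body:
        # A BHO registration whose DLL is gone: leftover of a partial
        # clean-up, still worth removing so nothing can re-use the CLSID.
        return Finding(line.strip(), "BHO registered but DLL missing")
    elif kind == "O4":
        run = HKCU_RUN_RE.match(body)
        exe = EXE_RE.match(run.group("cmd")) if run else None
        if exe:
            path = exe.group("quoted") or exe.group("bare")
            in_windows_dir = ntpath.dirname(path).lower().startswith("c:\\windows")
            if in_windows_dir and ntpath.basename(path).lower() not in KNOWN_WINDOWS_RUN_BINARIES:
                return Finding(line.strip(),
                               f"per-user Run entry '{run.group('name')}' launches an unknown file from the Windows directory")
    return None


def triage_log(log_text: str) -> List[Finding]:
    """Run triage_entry over every line and keep the hits."""
    return [f for f in map(triage_entry, log_text.splitlines()) if f]


# Copied from the first HijackThis log in the thread (R/O lines only).
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.se/Nyheter/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63181BB0-FEAD-277D-2CC4-CAF7A0CCE681} - C:\WINDOWS\mfctn.dll (file missing)
O2 - BHO: Class - {DDDF9214-0C39-2401-5681-788C67AD3397} - C:\WINDOWS\system32\netxb32.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
'''

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.entry}")
```

Run as-is it reports the same seven entries the helper asked to have fixed and leaves the printer, Symantec and PestPatrol Run entries alone. The HKCU-only check on O4 is deliberate: the helper left the HKLM entries in place, and the thread's one hostile autostart was the per-user "Intel system tool" pointing at hookdump.exe.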
Old 08-26-2005, 10:57 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


Thanks for helping me tetonbob

Please find below the logfiles for the three searches you instructed. // Oller

TREND MICRO (2nd SCAN)
Started Scanning
Internet Cookies
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'com.com' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found 'imrworldwide.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found 'Counter' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'Dict2Version' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'DictVersion' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'DownloadFlag' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'HPDllVersion' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'InstallDay' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'LastDay' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'LastHPDay' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'LastUpdate' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'ModuleVersion' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'SHVersion' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'SponsorID' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found 'UpdateHour' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\MyWay'
Found '' in 'Software\d78ffc13'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Program Files\MyWay'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\MyWay' in shortcut areas.
Checking for 'C:\Program Files\MyWay' in startup areas.
Cleaning 'C:\Program Files\MyWay'
Checking for 'C:\Program Files\MyWay\myBar\History\search' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\History\search' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\History\search'
Checking for 'C:\Program Files\MyWay\myBar\Settings\prevcfg.htm' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Settings\prevcfg.htm' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Settings\prevcfg.htm'
Finished Cleaning
Started Scanning
Internet Cookies
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'imrworldwide.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning


PANDA ACTIVE SCAN
Incident Status Location

Adware:adware/antivirus-gold No disinfected C:\DOCUMENTS AND SETTINGS\OLLE\START MENU\AntivirusGold 2.0.lnk
Adware:adware/searchaid No disinfected Windows Registry
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Adware:adware/cws.yexe No disinfected Windows Registry
Virus:Trj/Multidropper.V No disinfected C:\Documents and Settings\Olle\Desktop\DivX\DivX.Pro.v5.1.Incl.Keygen-SSG.ShareReactor.exe[keygen.exe]
Adware:Adware/SearchAid No disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050810154558.zip[winyw32.exe]
Adware:Adware/SearchAid No disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050814232407.zip[winlo.exe]
Adware:Adware/SearchAid No disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050823204317.zip[syslr.exe]
Adware:Adware/SearchAid No disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050825183641.zip[ipst32.exe]
Adware:Adware/SearchAid No disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050825183641.zip[msph32.exe]
HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 19:41:46, on 2005-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.se/Nyheter/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Old 08-26-2005, 11:28 AM   #4 (permalink)
1337 C0D3R
 
 
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2


Downloads
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download CWShredder and run it. The file will ask where to install to; navigate to your desktop and click install. Now double click the new desktop file CWShredder.exe and at the bottom click "check for updates". DO NOT RUN IT YET

I noticed that you already have Ewido. Please update its database definitions and close the program.

Open Notepad and copy/paste the following into it.
**Note: due to forum formatting you will have to remove the spaces between CURRE and NTVERSION IN BOTH LINES before saving the file.
Quote:
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRE NTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRE NTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ]
Save the Above as Regfix.reg as file type "all types", save it to your desktop.


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Double-click "regfix.reg" that we just created, and allow it to merge with the registry.

Run CWShredder and Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Run a Full system Scan in Ewido,
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Documents and Settings\Olle\Desktop\DivX\DivX.Pro.v5.1.Incl.Keygen-SSG.ShareReactor.exe
C:\DOCUMENTS AND SETTINGS\OLLE\START MENU\AntivirusGold 2.0.lnk

Reboot back to normal Mode

Please post the results of:
1. C:\smitfiles.txt
2. Ewido Log
__________________
Have I Helped you? Please Consider a Donation to TechSupportForums

Last edited by skate_punk_21; 08-26-2005 at 11:31 AM.
Old 08-26-2005, 01:23 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


Correct instruction?

When I tried to merge the regfix.reg file with the registry by double-clicking the file created in notepad the following text was issued: "Cannot import C:\Documents and Settings\Olle\Desktop\Regfix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

When I created regfix.reg I tried first to delete the spaces between CURRE and NTVERSION in both lines. Next try I also, without any success, tried to delete the space between INTERNET and SETTINGS.

How shall I proceed? // All the best Oller
Old 08-26-2005, 02:23 PM   #6 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2


Let's try this again, shall we..?

Open Notepad and copy/paste the following into it.
**Note: due to forum formatting you will have to remove the spaces between CURRE and NTVERSION IN BOTH LINES before saving the file.
Quote:
REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRE NTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRE NTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ]
Save the Above as "Regfix.reg" as file type "all types", save it to your desktop. Make sure you include the " " in the file name.

Let us know if that works.
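The difference between the two regfix.reg attempts is the `REGEDIT4` header line: regedit refuses a text file that does not begin with a version header, which is exactly the "not a registry script" error reported in post #5. The `[-KEY]` form deletes the key. The script below is an added example (not code from the thread or from Microsoft) that builds such a deletion script for the two keys quoted in the thread and checks a .reg text for the mistakes regedit would reject. The reading of the key path as an Internet Explorer security-zone domain assignment (`ZoneMap\Domains`) is my own interpretation, not something the thread states; the `describe_key` helper is hypothetical.

```python
"""Build and sanity-check a .reg script that deletes registry keys.

Added example: not code from the thread or from Microsoft. regedit only
imports a text file whose first line is a version header (REGEDIT4, or
"Windows Registry Editor Version 5.00"); a file without one fails with
"The specified file is not a registry script". A key is deleted with the
[-KEY] form used in the thread. THREAD_KEYS are the two keys from the
thread; the zone-map interpretation in describe_key is my own reading.
"""
from typing import List

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOT_HIVES = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
              "HKEY_USERS", "HKEY_CURRENT_CONFIG")
# Per-domain IE security-zone assignments live under this key.
ZONEMAP_PREFIX = (r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
                  r"\INTERNET SETTINGS\ZONEMAP\DOMAINS")

# The two keys the helpers asked to have removed (from the thread).
THREAD_KEYS = [
    ZONEMAP_PREFIX + r"\ARCHIVIOSEX.NET",
    ZONEMAP_PREFIX + r"\SGRUNT.BIZ",
]


def build_delete_script(keys: List[str], header: str = "REGEDIT4") -> str:
    """Return .reg text (CRLF line endings) that deletes every key in `keys`."""
    if header not in HEADERS:
        raise ValueError(f"unsupported header: {header!r}")
    lines = [header, ""] + [f"[-{key}]" for key in keys] + [""]
    return "\r\n".join(lines)


def describe_key(key: str) -> str:
    """Hypothetical helper: say in plain words what deleting the key does."""
    if key.upper().startswith(ZONEMAP_PREFIX + "\\"):
        domain = key.rsplit("\\", 1)[1].lower()
        return f"removes the IE security-zone assignment for {domain}"
    return "deletes a registry key"


def validate_reg_script(text: str) -> List[str]:
    """Return a list of problems; an empty list means regedit should accept it."""
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("first line must be a version header (REGEDIT4 or "
                        "'Windows Registry Editor Version 5.00')")
        body = lines
    else:
        body = lines[1:]
    for raw in body:
        s = raw.strip()
        if not s or s.startswith(";"):
            continue  # blank line or comment
        if s.startswith("["):
            if not s.endswith("]"):
                problems.append(f"unterminated key line: {s}")
                continue
            key = s[1:-1].lstrip("-")  # a leading '-' means "delete this key"
            if key.split("\\", 1)[0].upper() not in ROOT_HIVES:
                problems.append(f"unknown root hive in key: {key}")
        elif s.startswith('"') or s.startswith("@"):
            if "=" not in s:
                problems.append(f"value line without '=': {s}")
        else:
            problems.append(f"unrecognised line: {s}")
    return problems


if __name__ == "__main__":
    script = build_delete_script(THREAD_KEYS)
    print(script)
    for key in THREAD_KEYS:
        print(describe_key(key))
    print("problems:", validate_reg_script(script) or "none")
    # What the first attempt in the thread produced: no header line.
    print("without header:", validate_reg_script("\r\n".join(f"[-{k}]" for k in THREAD_KEYS)))
```

Save the output as ANSI text with a .reg extension; quoting the file name in Notepad's save dialog, as post #6 says, stops Notepad appending .txt. The forum-inserted space in CURRE NTVERSION would not have triggered the error message: as far as I know regedit silently ignores a `[-KEY]` line for a key that does not exist, so the missing header was the cause.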
Old 08-26-2005, 04:26 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


Logs as requested

Now it worked with the "regfix.reg" installation. Please find below the results of smitfiles and Ewido.


smitRem log file
version 2.3

by noahdfear

The current date is: 2005-08-26
The current time is: 23:57:20,40

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 00:49:30, 2005-08-27
+ Report-Checksum: 5DBA1FD9

+ Scan result:

HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8236B10D-9307-EADD-079C-2AA0DFC7F33E} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FB118E8B-875C-AD27-289B-C22A5B4AA454} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7470F262-EE76-4C96-C6B1-C89A02CDC7FF} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8236B10D-9307-EADD-079C-2AA0DFC7F33E} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9EB1A1C8-8CC8-6825-33BD-4EE8A5DC0D9E} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3DD5740-8C65-5FF3-1225-F170898543B8} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3498072062-1930564202-3063918916-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB118E8B-875C-AD27-289B-C22A5B4AA454} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050810154558.zip/WINDOWS/system32/winyw32.exe -> Trojan.Agent.bi : Error during cleaning
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050814232407.zip/WINDOWS/system32/winlo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050823204317.zip/WINDOWS/syslr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050825183641.zip/WINDOWS/system32/ipst32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20050825183641.zip/WINDOWS/system32/msph32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32:jhaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup


::Report End

If it is of any use for you, I get one hit with Pestpatrol that says the computer is infected with CWS.HomeSearch (but Pestpatrol cannot remove it) in Key: hkey_local_machine\system\currentcontrolset\enum\root\legacy_11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i

Thanks for your invaluable help! // Oller
Old 08-26-2005, 04:53 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Delete the contents of the folder C:\Program Files\CA\eTrust PestPatrol\core\Quarantine, but not the folder itself.

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

hkey_local_machine\system\currentcontrolset\enum\root\legacy_11f*00df*00e4*0006#*00b7*00ba*00c4*00d6 `i

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Run the TrendMicro AntiSpyware tool again.

Update definitions for and run Ewido once more, to make sure there are no remnants.

Also, run the Panda ActiveScan again.

Post all three logs here. You should be in the clear then......if there are no other issues.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 08-26-2005, 06:41 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP



Please find the requested logs below.

TREND MICRO
Started Scanning
Internet Cookies
Found 'tradedoubler.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'imrworldwide.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 02:55:08, 2005-08-27
+ Report-Checksum: F08BD834

+ Scan result:

C:\RECYCLER\S-1-5-21-3498072062-1930564202-3063918916-1006\Dc97.zip/WINDOWS/system32/winyw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32:jhaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup


::Report End

PANDA

Incident Status Location

Adware:adware/cws.yexe No disinfected Windows Registry
Old 08-27-2005, 06:34 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Hmmmm...that's the second time Ewido has 'cleaned' this file:

C:\WINDOWS\SYSTEM32:jhaa.dll

The syntax here is strange.....can you please look in your System32 folder to ensure this file is gone?

If it is not, please manually delete it. If it is gone, then it would appear that your system is clean, other than some orphaned registry entries. These can be cleaned with a registry cleaner such as CCleaner.

Other than that.....

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles


Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 08-27-2005, 11:26 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


windows\system32:jhaa.dll

I did not find the file "jhaa.dll" in Windows\System32. Neither did Ewido nor Pestpatrol (both were clear reports). However, Norton Antivirus warned about this very file calling it "Download.Fugif" and reported that its attempt to remove the file had failed and that access was denied. I repeated a Norton Antivirus scan in safe mode and Norton did not find anything anymore.

Any thoughts about this? All the best // Oller
Old 08-27-2005, 12:42 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Hi Oller....thanks for providing the name Norton was calling it...this will help us in our mission.


Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

1. Checkmark/tick - "Ignore Safe System Info Streams"
2. Click the "Scan" button
3. When it has finished scanning, checkmark/tick all that it found
4. Click the "remove selected" button

Please report your findings....and run your Norton again to see if it has been cleared.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 08-27-2005, 02:43 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


Clean now?

Followed your instructions. No hits in Norton Antivirus (or Panda Active Scan). Please find below the log from the HJT ADS Spy scan/remove exercise if relevant for you. Are we finished now? By the way - what's the CCleaner referred to in your previous reply? // Oller

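Added example (not code from the thread or from HijackThis): a small parser for ADS Spy output lines of the form `path : stream (N bytes)`, run over a few constructed lines in that format modelled on Oller's log. It groups the streams by host file and by payload size, because a handful of sizes recurring across many unrelated Windows files is the footprint of one payload copied into many hiding places; the allowlist of benign stream names is an assumption and should be extended for the host being examined.

```python
"""Summarise HijackThis ADS Spy output: which alternate data streams look like
a replicated payload.  Added example; the input below is constructed."""
import re
from collections import defaultdict

# One ADS Spy result line: "<host file> : <stream name> (<size> bytes)"
ADS_LINE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")

# Assumed allowlist: stream names Windows itself writes on ordinary files.
KNOWN_STREAMS = {"Zone.Identifier", "encryptable", "favicon"}

# Constructed sample in ADS Spy's format (sizes modelled on the thread's log).
SAMPLE_LOG = r"""
C:\WINDOWS\afs.bmp : unetvy (3567 bytes)
C:\WINDOWS\aralv.dat : adlytd (197751 bytes)
C:\WINDOWS\Blue Lace 16.bmp : alvfok (3567 bytes)
C:\WINDOWS\Blue Lace 16.bmp : ttlmnp (197755 bytes)
C:\WINDOWS\KB890175.log : bekbpg (13581 bytes)
C:\WINDOWS\_DEFAULT.PIF : aacge (35081 bytes)
C:\WINDOWS\_DEFAULT.PIF : abfgs (89300 bytes)
C:\WINDOWS\_DEFAULT.PIF : aboka (35081 bytes)
C:\WINDOWS\README.txt : Zone.Identifier (26 bytes)
"""


def parse_ads_log(text):
    """Return (host, stream, size) tuples; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ADS_LINE.match(line.strip())
        if m:
            entries.append((m["host"], m["stream"], int(m["size"])))
    return entries


def suspicious_streams(entries):
    """Streams that are not a name Windows uses and that actually carry data."""
    return [e for e in entries if e[1] not in KNOWN_STREAMS and e[2] > 0]


def streams_by_size(entries):
    """Group suspicious streams by byte size.  The same few sizes turning up on
    many unrelated host files means one payload was copied many times."""
    groups = defaultdict(list)
    for host, stream, size in suspicious_streams(entries):
        groups[size].append(f"{host}:{stream}")
    return dict(groups)


def summarise(text):
    """Count of suspicious streams, the host files carrying them, distinct sizes."""
    entries = parse_ads_log(text)
    sus = suspicious_streams(entries)
    hosts = sorted({host for host, _, _ in sus})
    return {"streams": len(sus), "hosts": hosts,
            "sizes": sorted(streams_by_size(entries))}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['streams']} suspicious streams on {len(report['hosts'])} files")
    for size, where in sorted(streams_by_size(parse_ads_log(SAMPLE_LOG)).items()):
        print(f"  {size:>7} bytes x{len(where)}: {', '.join(where)}")
```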
Old 08-27-2005, 05:48 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Hi Oller -

Well Done!

Yup, I think we're done here. One other tool you should have in your arsenal is AdawareSE.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.


CCleaner is a small utility which will, among other things, search for and clean out orphaned registry entries.....things which don't really belong any more, from uninstalled programs. It also will clean out TEMP files, cookies, Internet History.


CCleaner

Be sure to check out the new tutorial on their site.

Our work here is done. Please take advantage of the prevention info I've provided earlier.

Happy computing, and Safe Surfing to you!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 08-28-2005, 01:49 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 8
OS: XP


Thanks

Thanks a million!!! You are true heroes! // Oller
Copyright 2001 - 2009, Tech Support Forum