Old 08-26-2005, 05:59 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 14
OS: XP


jaaste.dll

hi guys,

norton keeps telling me about this jaaste.dll that's on my system. i've run adaware, here's my hijackthis log.

thanks for your help.


Logfile of HijackThis v1.99.1
Scan saved at 10:57:28 AM, on 27/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boo-lah.com/squirrelmail/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.co.uk/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B0829D-B80B-4F3A-9FA6-0C8FCC5DF809}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
markdavies1975 is offline  
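Added example, not part of the original thread: Python that splits a HijackThis log like the one posted above into its running-process list and its section entries, then tags the lines a helper would normally check by hand. The tag names and rules are assumptions made for illustration, not HijackThis verdicts; the sample lines are copied from the log above.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O23 - Service: ..."
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)

# A subset of lines copied unmodified from the HijackThis log in the post above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B0829D-B80B-4F3A-9FA6-0C8FCC5DF809}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


def parse_log(text):
    """Split a HijackThis log into (running process paths, [(code, detail)])."""
    processes, entries, in_processes = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            entries.append((entry.group(1), entry.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def service_tag(detail, processes):
    """Tag an O23 (service) entry, cross-checking '(file missing)' claims."""
    image = detail.rsplit(" - ", 1)[-1]          # last field is the image path
    if "(file missing)" in image:
        path = EXE_PATH_RE.match(image)
        # If the same path is listed under "Running processes", the file
        # does exist and the marker should not be taken at face value.
        if path and path.group(1).lower() in processes:
            return "missing-but-running"
        return "file-missing"
    if " - Unknown owner - " in detail:
        return "unknown-owner"                   # no vendor name reported
    return None


def triage(processes, entries):
    """Return (tag, code, detail) for entries worth a manual look.

    The rules are assumptions for illustration, not HijackThis verdicts.
    """
    findings = []
    for code, detail in entries:
        tag = None
        if code == "O1":                         # hosts file entry
            tag = "hosts-redirect"
        elif code == "O17":                      # DNS / name server setting
            tag = "nameserver-setting"
        elif code == "O4" and detail.endswith("= ?"):
            tag = "unresolved-startup-target"    # shortcut target not resolved
        elif code == "O23":                      # Windows service
            tag = service_tag(detail, processes)
        if tag:
            findings.append((tag, code, detail))
    return findings


def mentions(text, filename):
    """True if the file name appears anywhere in the log (case-insensitive)."""
    return filename.lower() in text.lower()


if __name__ == "__main__":
    procs, items = parse_log(SAMPLE_LOG)
    for tag, code, detail in triage(procs, items):
        print(f"{tag:26} {code:4} {detail}")
    print("jaaste.dll referenced:", mentions(SAMPLE_LOG, "jaaste.dll"))
```

Run over the full log above, `mentions` returns False for jaaste.dll: the file Norton reports is not named in any process or entry line of the HijackThis log.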
Old 08-27-2005, 06:58 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,573
OS: 2000 Pro; XP Pro; XP Home


Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
   * Install background guard
   * Install scan via context menu
3. Launch Ewido; there should be an icon on your desktop. Double-click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
   * On the left hand side of the main screen click update.
   * Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

Reboot into safe mode now.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
    * You will need to step through the process of cleaning files one-by-one.
    * If Ewido detects a file you KNOW to be legitimate, select none as the action.
    * Do NOT select 'Perform action on all infections'
    * If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Reboot into normal mode now.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please give both logs here in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 08-28-2005, 12:07 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 14
OS: XP


hi there, thanks for your help.

followed your instructions, here are the two reports...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:54:43 PM, 28/08/2005
+ Report-Checksum: 5CBAD648

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{12E919BC-C70F-432B-B831-1180DE734505} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{491BE5B7-A7F8-40EC-AAD4-CBA11FDFD814} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66BD1BD0-3655-42E4-8CE9-16D3613B0B25} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{29358AA6-679D-44EA-8A51-59A3C6E6F811} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1060284298-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
[784] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Cleaned with backup
[872] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
:mozilla.10:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.266:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.313:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.314:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.315:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.316:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.321:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.322:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.325:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.342:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.353:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.354:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.384:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.417:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.429:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.433:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.447:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.455:C:\Documents and Settings\Mark Davies\Application Data\Mozilla\Firefox\Profiles\azpovy57.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\assest.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\KB290333.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\sasent.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\sasetup.dll -> Dialer.Generic : Cleaned with backup


::Report End






Incident Status Location

Adware:adware/sqwire No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/isearch No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\initial.inf
Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\YSBactivex.inf
Adware:adware/gator No disinfected C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\MARK DAVIES\FAVORITES\Fun & Games
Dialer:dialer.asl No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/INTERNAZIONALE_VER10.OCX
Adware:adware/sidefind No disinfected Windows Registry
Dialer:Dialer.DK No disinfected C:\Documents and Settings\Mark Davies\Local Settings\Application Data\Microsoft\Internet Explorer\V0.26.dat
Dialer:Dialer.BRE No disinfected C:\Program Files\HijackThis\backups\backup-20050330-195006-831.inf
Possible Virus. No disinfected C:\Program Files\TDS3\dcsres.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\Downloaded Program Files\initial.inf
Dialer:Dialer.OK No disinfected C:\WINDOWS\Downloaded Program Files\internazionale_ver4.INF
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.inf
Possible Virus. No disinfected C:\WINDOWS\system32\drivers\disdn\servu.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\system32\tsuninst.exe
markdavies1975 is offline  
Old 08-28-2005, 02:12 AM   #4 (permalink)
Moderator, Microsoft Support
 
POADB's Avatar
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2


Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox, hitting the X button for each file. Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot:

C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\initial.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\YSBactivex.inf
C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
C:\Documents and Settings\Mark Davies\Local Settings\Application Data\Microsoft\Internet Explorer\V0.26.dat
C:\Program Files\HijackThis\backups\backup-20050330-195006-831.inf
C:\WINDOWS\Downloaded Program Files\initial.inf
C:\WINDOWS\Downloaded Program Files\internazionale_ver4.INF
C:\WINDOWS\Downloaded Program Files\YSBactivex.inf


Delete this folder:

C:\DOCUMENTS AND SETTINGS\MARK DAVIES\FAVORITES\Fun & Games

Please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\WINDOWS\system32\drivers\disdn\servu.exe


Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.
__________________


POADB is offline  
Old 08-29-2005, 05:53 AM   #5 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 14
OS: XP


hi here are the latest reports:

Incident Status Location

Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\MARK DAVIES\FAVORITES\Going Places
Dialer:dialer.asl No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/INTERNAZIONALE_VER10.OCX
Adware:adware/sidefind No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TDS3\dcsres.exe
Possible Virus. No disinfected C:\WINDOWS\system32\drivers\disdn\servu.exe


for the servu file:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.Servu.5009
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:Server-FTP.Win32.Serv-U.5009
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found Backdoor.ServU
VBA32 Found nothing


ta! mark.
markdavies1975 is offline  
Old 08-29-2005, 12:31 PM   #6 (permalink)
Moderator, Microsoft Support
 
POADB's Avatar
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2


Delete this folder:
C:\DOCUMENTS AND SETTINGS\MARK DAVIES\FAVORITES\Going Places

Delete this file:
C:\WINDOWS\DOWNLOADED PROGRAM FILES\INTERNAZIONALE_VER10.OCX



This file still gives me concerns. Do you use any FTP Clients? Can you find this file, right click it, go to Properties, and then Version tab, and tell us everything you can about it:
C:\WINDOWS\system32\drivers\disdn\servu.exe

Did you run TMAS? If not - do it now, and return the Antispyware log it creates.
__________________


POADB is offline  
Old 09-01-2005, 04:34 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 14
OS: XP


hi there,

when i restarted both servu and the internazionale file were gone..! maybe one of the progs had it assigned for deletion?


so... touch wood... i think i'm clean.


thanks heaps guys you rock.
markdavies1975 is offline  
Old 09-01-2005, 10:20 AM   #8 (permalink)
Moderator, Microsoft Support
 
POADB's Avatar
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2


I'll require the TMAS log and a new HJT log to determine if you're clean or not.

If you are, we'll help you set up your computer to avoid reinfections.
__________________


POADB is offline  
Old 09-06-2005, 06:29 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 14
OS: XP


hi there, the TMAS log said "no spyware found". here's the hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 11:28:31 AM, on 7/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\Unwired\UwSCT.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boo-lah.com/squirrelmail/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.co.uk/ws2/applet
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B0829D-B80B-4F3A-9FA6-0C8FCC5DF809}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
markdavies1975 is offline  
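As an added example (not part of the thread and not HijackThis code), the Python below shows how a helper might triage a log like the one posted above: it parses the section codes and raises review prompts, using a few lines excerpted from that log. The function names `parse_hjt` and `triage` are hypothetical, and the prompts are questions for a human analyst, not verdicts.

```python
import re

# A few lines excerpted from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boo-lah.com/squirrelmail/
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B0829D-B80B-4F3A-9FA6-0C8FCC5DF809}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "<code> - <body>", e.g. "O23 - Service: ..." (R, F, N and O sections).
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O23 body layout: "Service: <name> - <owner> - <path and arguments>".
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text):
    """Split a log into lower-cased running-process paths and (code, body) entries."""
    processes, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries


def triage(text):
    """Return (code, note) review prompts for entries an analyst should look at."""
    processes, entries = parse_hjt(text)
    notes = []
    for code, body in entries:
        if "(file missing)" in body:
            exe = EXE_PATH.search(body)
            if exe and exe.group(0).lower() in processes:
                # Same path is listed under "Running processes", so the file exists.
                notes.append((code, "marked (file missing) but the same path is running: recheck the path by hand"))
            else:
                notes.append((code, "target file missing: orphaned entry"))
        if code == "O23":
            svc = SERVICE.match(body)
            if svc and svc.group("owner") == "Unknown owner":
                notes.append((code, "service '" + svc.group("name") + "' has no company name: confirm it was installed on purpose"))
        elif code == "O4" and body.endswith("= ?"):
            notes.append((code, "startup shortcut target unresolved: " + body.split(": ", 1)[1]))
        elif code == "O17":
            ips = ", ".join(IPV4.findall(body))
            notes.append((code, "DNS servers set to " + ips + ": compare with the ISP-issued values"))
    return notes


if __name__ == "__main__":
    for code, note in triage(SAMPLE_LOG):
        print(code, "|", note)
```
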
Old 09-06-2005, 08:36 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,573
OS: 2000 Pro; XP Pro; XP Home


Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles


Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
 


All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum