I thought I was clean.

BadmoJoe · 12-01-2005, 08:25 AM

I thought I was virus free and was asking for help on a corrupt driver problem when Geekgirl suggested I might have something suspicious in my HJT log and asked that I post it here. Can anyone help?

Thanks!!!

Joe

HiJack This...

Logfile of HijackThis v1.99.1
Scan saved at 4:31:04 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: NDWCab -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Vikesrock8411 · 12-01-2005, 10:02 AM

Hello BadmoJoe and welcome to TSF

I would reccommend that you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads(make sure to save these in a permanent location)
Cleanup! (Alternate Link)- Install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll
O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: NDWCab -

Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\SYSTEM32\6n9c.dll
C:\WINDOWS\System32\zgbpfp.exe

Tools
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Uncheck the following :

Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program. If prompted to reboot, click No.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post please include:

Ewido Log
Panda Activescan Log
A new Hijackthis! Log

BadmoJoe · 12-01-2005, 10:54 AM

Thanks for the welcome and you suggestions. I will carry out all of your instructions as soon as I can get past my lastest problem posted in this thread.

The problems seem to be getting worse. After getting some great help from here I was able to boot up normally last night with only the registry repair error quoted but when I came in this morning, it had gotten worse.

I don't mean to have two threads going but they seemed to be two seperate problems until this morning.

Thanks!

Joe

Vikesrock8411 · 12-01-2005, 11:00 AM

Try the instructions here for the error described in your other thread.

BadmoJoe · 12-05-2005, 03:24 PM

Wow, what an ordeal that was. I was able to fix my "Windows cannot start..." error and finally carry out all of your instructions. Below are the logs requested.

I should mention that I ended up having to restore my system file from a restore point. I chose one from a couple of weeks ago and when I went to the HiJackThis step there was one entry that wasn't there anymore.
O4 - HKLM\..\Run:[KernelFaultCheck]... No longer was on the list so I couldn't delete it. On to the logs...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:18:49 PM, 12/05/2005
+ Report-Checksum: C61E1BB2

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-2538372485-908771968-2382075835-1007\Software\WinUpdt -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
C:\command.exe -> Dropper.Delf.ev : Cleaned with backup
C:\Program Files\Common Files\qfuz\qfuzd\qfuzc.dll -> Downloader.Small : Cleaned with backup
C:\Program Files\Hijackthis\backups\backup-20051205-131303-488.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044070.exe -> Dropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044378.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044379.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044402.exe -> Downloader.Lastad.r : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044464.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0049814.exe -> Dropper.Delf.ev : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061417.exe -> Spyware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061418.exe -> Spyware.BookedSpace.e : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061419.exe -> Downloader.VB.eu : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061421.exe -> Downloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061422.exe -> Downloader.Lastad.h : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061423.exe -> Downloader.Lastad.h : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061425.dll -> Spyware.Winsta : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061428.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061429.exe -> Downloader.Lastad.r : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061430.dll -> Downloader.Lastad.r : Cleaned with backup
C:\WINDOWS\7r76.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI50.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEZ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIHD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIKAB.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIKAB2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIMBC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\bspace.html -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WEBS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WEBS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ZNETGP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Dropper.Agent.or : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx -> Downloader.Lastad.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\7r76.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\epx30106.exe -> Downloader.Lastad.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\ginu.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\huno3.exe -> Trojan.Kolweb.g : Cleaned with backup

::Report End

ACTIVESCAN LOG BEGIN

Incident Status Location

Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\data.~
Adware:adware/portalscan Not disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/addestroyer Not disinfected C:\Documents and Settings\Lauren Kelley\Start Menu\Programs\AdDestroyer
Adware:adware/fizzle Not disinfected C:\PROGRAM FILES\FwBarTemp
Adware:adware/searchforit Not disinfected C:\PROGRAM FILES\sf
Adware:adware/oemji Not disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:Adware/SearchTheWeb Not disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip[A.class]
Adware:Adware/Winstat Not disinfected C:\Program Files\Hijackthis\backups\backup-20051108-142917-299.dll
Adware:Adware/Neededware Not disinfected C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\msshed32.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll END ACTIVESCAN LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:08:14 PM, on 12/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: NDWCab -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Vikesrock8411 · 12-05-2005, 07:14 PM

Don't worry about kernelfaultcheck, that entry isn't malicious anyway, just unnecessary.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads(make sure to save these in a permanent location)
DelO15Domains- Right click on the link and select Save Target As or Save Link As. Save the file to your desktop. Right click on delO15domains.inf and select install. There will be no visible signs the program has run, this is normal. Note: This will also delete any restricted entries placed by Spybot's Immunize or IESpyad. If you have used either of these please run them again to remain protected

I have attached a file called ndw.zip. Download it and unzip it to your desktop. Double click on ndw.reg and click yes when asked to merge the information into the registry.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Please Disconnect your computer from the Internet. You may reconnect it when you reach the Online Scans portion of the fix.

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll
O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe
O16 - DPF: NDWCab -
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

Launch KillBox.exe & select the following options:

delete on Reboot

Copy and Paste these files into Killbox one at a time following the directions below after each one. After the last file click yes at the "Pending Operations prompt".

C:\WINDOWS\SYSTEM32\6n9c.dll
C:\Program Files\Common Files\qfuz
C:\WINDOWS\System32\zgbpfp.exe
C:\WINDOWS\SYSTEM32\data.~
C:\WINDOWS\SYSTEM32\winupdt.008
C:\WINDOWS\cfgmgr52.ini
C:\Documents and Settings\Lauren Kelley\Start Menu\Programs\AdDestroyer
C:\PROGRAM FILES\FwBarTemp
C:\PROGRAM FILES\sf
C:\PROGRAM FILES\COMMON FILES\Oem Common
C:\Documents and Settings\All Users\Application Data\msw
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
C:\WINDOWS\SYSTEM32\msshed32.exe
C:\WINDOWS\SYSTEM32\xmltok.dll

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click No at the 'Pending Operations prompt'.

Online Scans
Perform another online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post please include:

Panda Activescan Log
A new Hijackthis! Log

BadmoJoe · 12-06-2005, 09:40 AM

Ok, I have tried to do everything asked. I ran in to a problem with Panda, could I have deleted a file necessary to allow it to run? As per its instructions, I did reboot and try to run it again but to no avail. The weird part is that my computer is "working" very hard after trying to initiate the scan, almost like the scan is actually running but Panda doesn't know it is. The error message and the latest HJT log follow...

Thanks!

Joe

Panda Activescan

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

Logfile of HijackThis v1.99.1
Scan saved at 9:34:36 AM, on 12/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Vikesrock8411 · 12-06-2005, 09:50 AM

Please try this alternate scan

Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

BadmoJoe · 12-06-2005, 11:31 AM

That worked, here is the Kaspersky Log...

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 06, 2005 11:28:39
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/12/2005
Kaspersky Anti-Virus database records: 153777
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 46705
Number of viruses found: 21
Number of infected objects: 44
Number of suspicious objects: 2
Duration of the scan process: 2320 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip/install.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip/A.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip/A.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.k
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1B2D2AC5.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2F7234F4.exe Infected: Trojan-Downloader.Win32.Agent.oa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3DDE5EC1.exe Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\434A16B6.tmp Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\58A52336.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F033585.exe Infected: Trojan-Downloader.Win32.Small.akz
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\60291CB6.exe Infected: Trojan.Win32.Small.cy
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\674937D1.tmp Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6BFF2B3B.exe Infected: Trojan-Downloader.Win32.Apropo.ab
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C107D29.EXE/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C107D29.EXE/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C107D29.EXE Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C2A4D0C.exe Infected: Trojan.Win32.Pakes
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C302105.exe Infected: Trojan.Win32.Pakes
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C3774FE.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C3A1EFA.exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C3D48F7.exe Infected: Trojan-Downloader.Win32.VB.eu
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C546EDE.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C546EDE.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C546EDE.exe Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C5E6CD3.exe Infected: Trojan-Downloader.Win32.Wintool.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\78D74A7D.exe Infected: Trojan-Downloader.Win32.Wintool.f
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044067.exe Infected: Trojan-Downloader.Win32.Delf.zw
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044336.exe Infected: Trojan-Downloader.Win32.Delf.zw
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044398.exe Infected: Trojan-Downloader.Win32.Delf.zw
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044408.exe Infected: Trojan-Downloader.Win32.Delf.zw
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044416.exe Infected: Trojan-Downloader.Win32.Delf.zw
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044456.exe Infected: Trojan-Downloader.Win32.Delf.zw
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061398.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061465.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061467.sys Infected: Trojan.Win32.Kolweb.g
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061468.sys Infected: Trojan.Win32.Kolweb.g
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061469.exe Infected: Trojan-Downloader.Win32.Lastad.r
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061470.exe Infected: Trojan.Win32.Kolweb.g
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061471.exe Infected: Trojan.Win32.Kolweb.g
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP400\A0061535.exe Infected: Trojan-Downloader.Win32.Delf.zw

Scan process completed.

Vikesrock8411 · 12-06-2005, 11:41 AM

Please follow the instructions here to clear Sun Java's cache.

Please follow Symantec’s Guide to clean out your Norton quarantine.

Please open Spybot Search and Destroy and click the Recovery button. Put a check next to each item then click Purge selected items.

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Please remember to close all other windows, including browsers then click Fix checked.

Try running another Panda Scan.
Note: I do not need the results from this scan if you do not want to wait for it to finish. I am just looking to see if this solves the problem it was having.

How is your system now? Are there any remaining problems?

BadmoJoe · 12-06-2005, 11:57 AM

That didn't seem to work, I still get the same error. Not a huge deal though. Everything else seems to be back to normal. Do I need to worry about the virus' in the restore points that Kaspersky found?

Other than that, everything seems to be running smoothly and faster. Obviously there is a big difference between "thinking you are clean" and "actually being clean". :)

Thanks so much for your help.

Joe

Vikesrock8411 · 12-06-2005, 12:01 PM

The entries flagged in the restore points are not dangerous unless you bring them back by using System Restore. Now that you are clean we will clear the old infected Restore Points and set new clean ones in case you ever have to use it in the future.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Disabling the Viewing of Hidden and System Files

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.

Tick the checkbox - Turn off System Restore on all drives
Click Apply
Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Avast! Home Edition (Antivirus & Firewall)

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

BadmoJoe · 12-06-2005, 02:44 PM

Thanks for the help, you can call this one resolved.

Joe

12-01-2005, 08:25 AM	#1 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	I thought I was clean. I thought I was virus free and was asking for help on a corrupt driver problem when Geekgirl suggested I might have something suspicious in my HJT log and asked that I post it here. Can anyone help? Thanks!!! Joe HiJack This... Logfile of HijackThis v1.99.1 Scan saved at 4:31:04 PM, on 11/28/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file) O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: NDWCab - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

12-01-2005, 10:02 AM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Hello BadmoJoe and welcome to TSF I would reccommend that you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Viewing Hidden Files Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Downloads(make sure to save these in a permanent location) Cleanup! (Alternate Link)- Install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file) O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O16 - DPF: NDWCab - *Please remember to close all other windows, including browsers then click Fix checked.* File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\SYSTEM32\6n9c.dll C:\WINDOWS\System32\zgbpfp.exe Tools Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Uncheck the following : Scan local drives for temporary files Click OK, Press the CleanUp! button to start the program. If prompted to reboot, click No. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC. Reboot your system in Normal Mode. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan In your next post please include: Ewido Log Panda Activescan Log A new Hijackthis! Log

12-01-2005, 10:54 AM	#3 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	Ack Thanks for the welcome and you suggestions. I will carry out all of your instructions as soon as I can get past my lastest problem posted in this thread. The problems seem to be getting worse. After getting some great help from here I was able to boot up normally last night with only the registry repair error quoted but when I came in this morning, it had gotten worse. I don't mean to have two threads going but they seemed to be two seperate problems until this morning. Thanks! Joe

12-05-2005, 03:24 PM	#5 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	Back up and able to scan Wow, what an ordeal that was. I was able to fix my "Windows cannot start..." error and finally carry out all of your instructions. Below are the logs requested. I should mention that I ended up having to restore my system file from a restore point. I chose one from a couple of weeks ago and when I went to the HiJackThis step there was one entry that wasn't there anymore. O4 - HKLM\..\Run:[KernelFaultCheck]... No longer was on the list so I couldn't delete it. On to the logs... --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 2:18:49 PM, 12/05/2005 + Report-Checksum: C61E1BB2 + Scan result: HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Security -> Spyware.WebSearch : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum -> Spyware.WebSearch : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc -> Spyware.WebSearch : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Security -> Spyware.WebSearch : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Enum -> Spyware.WebSearch : Cleaned with backup HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup HKU\S-1-5-21-2538372485-908771968-2382075835-1007\Software\WinUpdt -> Spyware.SecondThought : Cleaned with backup HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup C:\command.exe -> Dropper.Delf.ev : Cleaned with backup C:\Program Files\Common Files\qfuz\qfuzd\qfuzc.dll -> Downloader.Small : Cleaned with backup C:\Program Files\Hijackthis\backups\backup-20051205-131303-488.dll -> Trojan.Kolweb.f : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044070.exe -> Dropper.Agent.lu : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044378.DLL -> Spyware.MyWebSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044379.DLL -> Spyware.MyWebSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044402.exe -> Downloader.Lastad.r : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044464.exe -> Trojan.Kolweb.g : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0049814.exe -> Dropper.Delf.ev : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061417.exe -> Spyware.Mirar : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061418.exe -> Spyware.BookedSpace.e : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061419.exe -> Downloader.VB.eu : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061421.exe -> Downloader.IstBar : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061422.exe -> Downloader.Lastad.h : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061423.exe -> Downloader.Lastad.h : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061425.dll -> Spyware.Winsta : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061428.dll -> Trojan.Kolweb.f : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061429.exe -> Downloader.Lastad.r : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061430.dll -> Downloader.Lastad.r : Cleaned with backup C:\WINDOWS\7r76.sys -> Trojan.Kolweb.g : Cleaned with backup C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASI50.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASICLV.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIEZ.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIHD.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIKAB.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIKAB2.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIMBC.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\bspace.html -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\WEBS1.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\WEBS2.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\bsx32\ZNETGP.bsx -> Spyware.BookedSpace : Cleaned with backup C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Dropper.Agent.or : Cleaned with backup C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx -> Downloader.Lastad.r : Cleaned with backup C:\WINDOWS\SYSTEM32\7r76.sys -> Trojan.Kolweb.g : Cleaned with backup C:\WINDOWS\SYSTEM32\epx30106.exe -> Downloader.Lastad.r : Cleaned with backup C:\WINDOWS\SYSTEM32\ginu.exe -> Trojan.Kolweb.g : Cleaned with backup C:\WINDOWS\SYSTEM32\huno3.exe -> Trojan.Kolweb.g : Cleaned with backup ::Report End ACTIVESCAN LOG BEGIN Incident Status Location Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\data.~ Adware:adware/portalscan Not disinfected C:\WINDOWS\SYSTEM32\winupdt.008 Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini Adware:adware/addestroyer Not disinfected C:\Documents and Settings\Lauren Kelley\Start Menu\Programs\AdDestroyer Adware:adware/fizzle Not disinfected C:\PROGRAM FILES\FwBarTemp Adware:adware/searchforit Not disinfected C:\PROGRAM FILES\sf Adware:adware/oemji Not disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common Adware:adware/ist.sidefind Not disinfected Windows Registry Adware:Adware/SearchTheWeb Not disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip[A.class] Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip[A.class] Adware:Adware/Winstat Not disinfected C:\Program Files\Hijackthis\backups\backup-20051108-142917-299.dll Adware:Adware/Neededware Not disinfected C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\msshed32.exe Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll END ACTIVESCAN LOG Logfile of HijackThis v1.99.1 Scan saved at 1:08:14 PM, on 12/05/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file) O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: NDWCab - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing) O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

12-05-2005, 07:14 PM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Don't worry about kernelfaultcheck, that entry isn't malicious anyway, just unnecessary. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Viewing Hidden Files Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Downloads(make sure to save these in a permanent location) DelO15Domains- Right click on the link and select Save Target As or Save Link As. Save the file to your desktop. Right click on delO15domains.inf and select install. There will be no visible signs the program has run, this is normal. Note: This will also delete any restricted entries placed by Spybot's Immunize or IESpyad. If you have used either of these please run them again to remain protected I have attached a file called ndw.zip. Download it and unzip it to your desktop. Double click on ndw.reg and click yes when asked to merge the information into the registry. KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) Please Disconnect your computer from the Internet. You may reconnect it when you reach the Online Scans portion of the fix. HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O2 - BHO: (no name) - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - (no file) O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6n9c.dll O4 - HKLM\..\Run: [zgbpfp] C:\WINDOWS\System32\zgbpfp.exe O16 - DPF: NDWCab - O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing) O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing) *Please remember to close all other windows, including browsers then click Fix checked.* Launch KillBox.exe & select the following options: delete on Reboot Copy and Paste these files into Killbox one at a time following the directions below after each one. After the last file click yes at the "Pending Operations prompt". C:\WINDOWS\SYSTEM32\6n9c.dll C:\Program Files\Common Files\qfuz C:\WINDOWS\System32\zgbpfp.exe C:\WINDOWS\SYSTEM32\data.~ C:\WINDOWS\SYSTEM32\winupdt.008 C:\WINDOWS\cfgmgr52.ini C:\Documents and Settings\Lauren Kelley\Start Menu\Programs\AdDestroyer C:\PROGRAM FILES\FwBarTemp C:\PROGRAM FILES\sf C:\PROGRAM FILES\COMMON FILES\Oem Common C:\Documents and Settings\All Users\Application Data\msw C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx C:\WINDOWS\SYSTEM32\msshed32.exe C:\WINDOWS\SYSTEM32\xmltok.dll * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click No at the 'Pending Operations prompt'. Online Scans Perform another online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan In your next post please include: Panda Activescan Log A new Hijackthis! Log

12-01-2005, 11:00 AM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Try the instructions here for the error described in your other thread.

12-06-2005, 09:40 AM	#7 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	Ok, I have tried to do everything asked. I ran in to a problem with Panda, could I have deleted a file necessary to allow it to run? As per its instructions, I did reboot and try to run it again but to no avail. The weird part is that my computer is "working" very hard after trying to initiate the scan, almost like the scan is actually running but Panda doesn't know it is. The error message and the latest HJT log follow... Thanks! Joe Panda Activescan An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are: Not allowing the application's ActiveX control to be downloaded. Problems with the Internet connection. The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... Logfile of HijackThis v1.99.1 Scan saved at 9:34:36 AM, on 12/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

12-06-2005, 09:50 AM	#8 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please try this alternate scan Please open IE and go to Kaspersky WebScanner Next Click on Kaspersky Online Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Standard Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. * Turn off the real time scanner of any existing antivirus program while performing the online scan

12-06-2005, 11:31 AM	#9 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	That worked, here is the Kaspersky Log... ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Tuesday, December 06, 2005 11:28:39 Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 6/12/2005 Kaspersky Anti-Virus database records: 153777 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ Scan Statistics: Total number of scanned objects: 46705 Number of viruses found: 21 Number of infected objects: 44 Number of suspicious objects: 2 Duration of the scan process: 2320 sec Infected Object Name - Virus Name C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip/install.exe Suspicious: Password-protected-EXE C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip Suspicious: Password-protected-EXE C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip/A.class Infected: Exploit.Java.Bytverify C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-2a5405f2.zip Infected: Exploit.Java.Bytverify C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip/A.class Infected: Exploit.Java.Bytverify C:\Documents and Settings\Lauren Kelley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-55d73068.zip Infected: Exploit.Java.Bytverify C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.k C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED102B8.exe Infected: Trojan-Downloader.Win32.TSUpdate.l C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1B2D2AC5.exe Infected: Trojan-Downloader.Win32.Adload.a C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2F7234F4.exe Infected: Trojan-Downloader.Win32.Agent.oa C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3DDE5EC1.exe Infected: Trojan-Downloader.Win32.Dyfuca.ep C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\434A16B6.tmp Infected: Exploit.Java.Bytverify C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\58A52336.exe Infected: Trojan-Dropper.Win32.Agent.lu C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F033585.exe Infected: Trojan-Downloader.Win32.Small.akz C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\60291CB6.exe Infected: Trojan.Win32.Small.cy C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\674937D1.tmp Infected: Exploit.Java.Bytverify C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6BFF2B3B.exe Infected: Trojan-Downloader.Win32.Apropo.ab C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C107D29.EXE/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C107D29.EXE/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C107D29.EXE Infected: Trojan-Downloader.Win32.TSUpdate.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C2A4D0C.exe Infected: Trojan.Win32.Pakes C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C302105.exe Infected: Trojan.Win32.Pakes C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C3774FE.exe Infected: Trojan-Downloader.Win32.TSUpdate.l C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C3A1EFA.exe Infected: Trojan-Downloader.Win32.TSUpdate.j C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C3D48F7.exe Infected: Trojan-Downloader.Win32.VB.eu C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C546EDE.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C546EDE.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C546EDE.exe Infected: Trojan-Downloader.Win32.TSUpdate.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C5E6CD3.exe Infected: Trojan-Downloader.Win32.Wintool.f C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\78D74A7D.exe Infected: Trojan-Downloader.Win32.Wintool.f C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044067.exe Infected: Trojan-Downloader.Win32.Delf.zw C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044336.exe Infected: Trojan-Downloader.Win32.Delf.zw C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044398.exe Infected: Trojan-Downloader.Win32.Delf.zw C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044408.exe Infected: Trojan-Downloader.Win32.Delf.zw C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044416.exe Infected: Trojan-Downloader.Win32.Delf.zw C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP384\A0044456.exe Infected: Trojan-Downloader.Win32.Delf.zw C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061398.exe Infected: Trojan-Downloader.Win32.Agent.jq C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061465.exe Infected: Trojan-Dropper.Win32.Delf.ev C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061467.sys Infected: Trojan.Win32.Kolweb.g C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061468.sys Infected: Trojan.Win32.Kolweb.g C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061469.exe Infected: Trojan-Downloader.Win32.Lastad.r C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061470.exe Infected: Trojan.Win32.Kolweb.g C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP399\A0061471.exe Infected: Trojan.Win32.Kolweb.g C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP400\A0061535.exe Infected: Trojan-Downloader.Win32.Delf.zw Scan process completed.

12-06-2005, 11:41 AM	#10 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please follow the instructions here to clear Sun Java's cache. Please follow Symantec’s Guide to clean out your Norton quarantine. Please open Spybot Search and Destroy and click the Recovery button. Put a check next to each item then click Purge selected items. HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab *Please remember to close all other windows, including browsers then click Fix checked.* Try running another Panda Scan. Note: I do not need the results from this scan if you do not want to wait for it to finish. I am just looking to see if this solves the problem it was having. How is your system now? Are there any remaining problems?

12-06-2005, 11:57 AM	#11 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	That didn't seem to work, I still get the same error. Not a huge deal though. Everything else seems to be back to normal. Do I need to worry about the virus' in the restore points that Kaspersky found? Other than that, everything seems to be running smoothly and faster. Obviously there is a big difference between "thinking you are clean" and "actually being clean". :) Thanks so much for your help. Joe

12-06-2005, 12:01 PM	#12 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	The entries flagged in the restore points are not dangerous unless you bring them back by using System Restore. Now that you are clean we will clear the old infected Restore Points and set new clean ones in case you ever have to use it in the future. Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Disabling the Viewing of Hidden and System Files Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Setting a new Restore Point Go to Start >> Run - type control sysdm.cpl,,4 & press Enter. Tick the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Avast! Home Edition (Antivirus & Firewall) Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

12-06-2005, 02:44 PM	#13 (permalink)
BadmoJoe Registered User Join Date: Nov 2005 Posts: 15 OS: XP	Resolved Thanks for the help, you can call this one resolved. Joe