540.filost.com & other problems.

cool_user123 · 04-14-2006, 07:11 AM

I am encountering the following problems. I would very much appreciate your help on these problems. I have enclosed the HJT log below. I run both Windows 98 SE & Windows XP Pro in my system and use Norton Antivirus 2002. Thanks.

1) Numerous popups opening up because of 540.filost.com (After installating & cleaning up the system with tools advised by this forum, I am not getting the popups, but could you please check if remnants of it are still out there in the system).

2) The internet connection settings in the connections folder (for the broadband connection I use) is automatically changing to wrong values & on double-clicking it wasn't showing the user name/password dialog box. Even if I manually change the properties of the connection, it reverts back to the wrong values. Sometimes I could see a telephone no. in the user name section. I suspect if it was trying to dial an international phone no. & thankfully, since mine was a broadband connection, it is not able to dial in any phone no.

3) System has literally crawled down in its speed recently (especially after the 540.filost.com problem cropped up). As advised in these forums, I installated Spybot, Adaware etc - Since some these tools monitor activity to filter trojans, adware pgms etc, could it be these ones contribution to the slow speed or could it be some viruses.

Panda Active Scan results:
Incident Status Location

Dialer:dialer.baj Not disinfected F:\WINDOWS\SYSTEM32\eid.exe
Dialer:dialer.xd Not disinfected F:\WINDOWS\SYSTEM32\vbsys2.dll
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@dist.belnk[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\WINDOWS\Cookies\prince@microsofteup.112.2o7[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\prince@burstnet[1].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\prince@xiti[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\prince@com[2].txt

HJT Log from Win XP:
Logfile of HijackThis v1.99.1
Scan saved at 7:29:33 PM, on 4/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
F:\WINDOWS\System32\cisvc.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\System32\ups.exe
F:\WINDOWS\System32\cidaemon.exe
F:\WINDOWS\System32\cidaemon.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\sm56hlpr.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
F:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
F:\Program Files\Yahoo!\Messenger\YPager.exe
F:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\XP\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsfd.exe
O4 - HKLM\..\Run: [microsft windows updates] mswupdate32.exe
O4 - HKLM\..\Run: [comctsvc] F:\WINDOWS\comctsvc.exe
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [Multimedir KBD] D:\PROGRA~1\MULTIM~1\MMKBD.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RevertSettings] 8o”
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsfd.exe
O4 - HKLM\..\RunServices: [microsft windows updates] mswupdate32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\XP\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A833CC3-024B-49AD-A2A2-5108B0B68C5D}: NameServer = 218.248.255.145 61.1.96.69
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - F:\WINDOWS\System32\vbsys2.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

**Glaswegian** · 04-14-2006, 08:06 AM

Hi cool_user123 and welcome to TSF.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Disable SpyBot Tea Timer
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.

Download Ewido Anti-Malware

Install Ewido Anti-Malware
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.

Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Uncheck the following :

Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program and reboot when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Reboot
Reboot your system in Safe Mode.

Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight Safe Mode and press Enter.

HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsfd.exe
O4 - HKLM\..\Run: [microsft windows updates] mswupdate32.exe
O4 - HKLM\..\Run: [comctsvc] F:\WINDOWS\comctsvc.exe
O4 - HKLM\..\Run: [RevertSettings] 8o”
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsfd.exe
O4 - HKLM\..\RunServices: [microsft windows updates] mswupdate32.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - F:\WINDOWS\System32\vbsys2.dll

Please remember to close all other windows, including browsers then click Fix checked.

File Deletions
Delete the following Files indicated in RED if they still exist.

ntsfd.exe <- - Go to Start > Search to find this file
mswupdate32.exe <- - Go to Start > Search to find this file
comctsvc.exe <- - Go to Start > Search to find this file
F:\WINDOWS\System32\vbsys2.dll
F:\WINDOWS\SYSTEM32\eid.exe

Run Ewido
Run Ewido with it's updated definitions (...it's important that all windows must be closed)

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with Ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If Ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save Report button at the bottom of the screen.
Save the report to your desktop

Close Ewido

NOTE: Ewido scan will require at least an hour.

Reboot
Reboot your system in Normal Mode.

Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:

Scan using the following Anti-Virus database:

Extended

Scan Options:

Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan: Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.
Copy and paste that information in your next post.

Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

IMPORTANT!

Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2 [SP2]). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.

Thank you for your cooperation.

Logs required
Ewido Log
Kaspersky Log
HijackThis Log

Please also advise how your system is performing now.

cool_user123 · 04-15-2006, 08:13 PM

Thanks a lot for your welcome note & for the time and effort you have put in to help me Glaswegian.
Please find a summary of the activities performed as advised by you below. Please let me know on whether my system is clean now & how to proceed further.

Disable SpyBot Tea Timer - Done
Show Hidden Files - Done
Run CleanUp! - Done
Reboot your system in Safe Mode - Done
HijackThis Entries - Deleted the HJT entries you had advised
File Deletions - Done
Run Ewido - Done (Report provided below)
Reboot your system in Normal Mode - Done
Online Scan using Kaspersky WebScanner - Done (Report provided below)
Install at least SP1a for both XP and IE6 - Done
Ran HJT after all the above in normal boot mode & report is provided below.

Ewido Report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:37:11 AM, 4/15/2006
+ Report-Checksum: 73518CD9

+ Scan result:

HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\Cookies\prince@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Cookies\prince@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\prince@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\WINDOWS\Cookies\prince@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\WINDOWS\Cookies\prince@zdnet.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\WINDOWS\Cookies\prince@vodafonees.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\prince@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
E:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP80\A0046364.exe -> Trojan.Sporse : Cleaned with backup
E:\SOPHIA\Heart.exe -> Trojan.Sporse : Cleaned with backup
E:\baski\SOPHIA\Heart.exe -> Trojan.Sporse : Cleaned with backup
F:\Documents and Settings\raj.PRINCE\Cookies\raj@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
F:\RECYCLER\S-1-5-21-1275210071-688789844-842925246-1003\Df2.exe -> Downloader.Mediket.bt : Cleaned with backup
F:\RECYCLER\S-1-5-21-1275210071-688789844-842925246-1008\Df40.exe -> Trojan.Sporse : Cleaned with backup
F:\WINDOWS\internt.exe -> Trojan.LipGame.k : Cleaned with backup
F:\WINDOWS\system32\ggbcymbq.xgz -> Hijacker.Small.js : Cleaned with backup

::Report End

Kaspersky Report:
Saturday, April 15, 2006 4:59:58 AM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/04/2006
Kaspersky Anti-Virus database records: 188150

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 75092
Number of viruses found 10
Number of infected objects 27
Number of suspicious objects 0
Duration of the scan process 02:18:23

Infected Object Name Virus Name Last Action
E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped

E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.AlexaBar.b skipped

E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream Infected: not-a-virus:AdWare.Win32.AlexaBar.b skipped

E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe NSIS: infected - 3 skipped

F:\Program Files\Norton AntiVirus\Quarantine\001B35D7.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\19C66EB9.exe Infected: Packed.Win32.Tibs skipped

F:\Program Files\Norton AntiVirus\Quarantine\1E996852/Attachments,zip Infected: Email-Worm.Win32.Nyxem.e skipped

F:\Program Files\Norton AntiVirus\Quarantine\1E996852 Mail: infected - 1 skipped

F:\Program Files\Norton AntiVirus\Quarantine\1E996852 CryptFF: infected - 1 skipped

F:\Program Files\Norton AntiVirus\Quarantine\1F436F97/New Infected: Email-Worm.Win32.Nyxem.e skipped

F:\Program Files\Norton AntiVirus\Quarantine\1F436F97 Mail: infected - 1 skipped

F:\Program Files\Norton AntiVirus\Quarantine\1F436F97 CryptFF: infected - 1 skipped

F:\Program Files\Norton AntiVirus\Quarantine\1F477A25.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\3E025EE2.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\3FF751B8.exe Infected: Packed.Win32.Tibs skipped

F:\Program Files\Norton AntiVirus\Quarantine\6756763F.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\69BE49DE.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\6C4C2C23.EXE Infected: Backdoor.Win32.SdBot.aad skipped

F:\Program Files\Norton AntiVirus\Quarantine\71D018B1.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\76361273.exe Infected: Backdoor.Win32.Rbot.aeu skipped

F:\Program Files\Norton AntiVirus\Quarantine\7775035C.exe Infected: Backdoor.Win32.Rbot.gen skipped

F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP85\A0048609.dll Infected: Trojan-Clicker.Win32.Agent.ac skipped

F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP91\A0054022.dll Infected: Trojan-Clicker.Win32.Agent.ac skipped

F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054053.exe Infected: Trojan.Win32.LipGame.k skipped

F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054470.exe Infected: Trojan-Downloader.Win32.Mediket.bt skipped

F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054473.exe Infected: Trojan-Downloader.Win32.Mediket.bt skipped

F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054475.exe Infected: Trojan.Win32.LipGame.k skipped

Scan process completed.

HJT Report:
Logfile of HijackThis v1.99.1
Scan saved at 8:28:46 AM, on 16/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\cisvc.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\System32\ups.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\cidaemon.exe
D:\Program Files\Multimedia Hotkey Program\MMKbd.exe
F:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\XP\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Multimedir KBD] D:\PROGRA~1\MULTIM~1\MMKBD.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\XP\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - Winlogon Notify: ComPlusSetup - F:\WINDOWS\System32\catsrvut.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

**Glaswegian** · 04-16-2006, 03:43 AM

Hi again – you are most welcome.

Looking good – how is your system performing now?

This line in the Kaspersky Log

E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped

Is your E: drive an optical drive or removable drive?

Please run one more online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Post back with any log from Panda and a fresh HijackThis Log.

cool_user123 · 04-16-2006, 08:24 AM

Hi Glaswegian,

My e: drive is a hard disk. I have deleted the setup file 'E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe' & have also uninstalled the Megaupload toolbar using Control Panel.

I am currently running the online scan from Panda ActiveScan as adviced by you & will keep you posted of the results along with a new HJT log.

Thanks again for the time & energy you have put into this.

cool_user123 · 04-16-2006, 10:21 AM

hi
As you have referred scans were made using Panda and Hijackthis and the logs are given below

Panda report

Incident Status Location
Dialer:dialer.baj Not disinfected F:\WINDOWS\LASTGOOD\DOWNLOADED PROGRAM FILES\eied.inf
Dialer:dialer.xd Not disinfected F:\WINDOWS\switchagreement.txt
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@ads.pointroll[2].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@atwola[1].txt
Spyware:Cookie/QuestionMarket Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@questionmarket[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@server.iad.liveperson[2].txt
Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@toplist[1].txt
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@tribalfusion[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@dist.belnk[2].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\prince@xiti[1].txt
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@ads.pointroll[2].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@atwola[1].txt
Spyware:Cookie/QuestionMarket Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@questionmarket[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@server.iad.liveperson[2].txt
Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@toplist[1].txt
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@tribalfusion[1].txt
Adware:Adware/MediaTickets Not disinfected F:\WINDOWS\LastGood\Downloaded Program Files\eied.inf
Dialer:Dialer.ABR Not disinfected F:\WINDOWS\LastGood\Downloaded Program Files\start.INF Hijackthis report
Logfile of HijackThis v1.99.1
Scan saved at 10:30:19 PM, on 16/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\System32\ups.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
D:\PROGRA~1\MULTIM~1\MMKBD.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\System32\mssvcc.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\System32\lup.exe
F:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\XP\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Multimedir KBD] D:\PROGRA~1\MULTIM~1\MMKBD.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [secures23] lup.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\XP\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - Winlogon Notify: ComPlusSetup - F:\WINDOWS\System32\catsrvut.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for all the help...

**Glaswegian** · 04-16-2006, 12:55 PM

Hi again

Clear your IE cookies. Start > Settings > Control Panel > Internet Options > General tab > under Temporary files, click on Delete Cookies

Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\LASTGOOD\DOWNLOADED PROGRAM FILES\eied.inf
F:\WINDOWS\switchagreement.txt
F:\WINDOWS\LastGood\Downloaded Program Files\start.INF

Any more problems? If not we’ll just tidy up then I’ll let you go.

Reset Hidden/System Files
To reset your hidden and system files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

System Restore
To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

IMPORTANT!!!
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections; and the likely reason you are now infected. Visit Window's Update to get the KB912919 patch.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

Ad-aware
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.

IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Sygate Personal Firewall
ZoneAlarm
Tiny Personal Firewall

Anti Virus Software
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are two very good free Antivirus products which are available:
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

How Did I Get Infected In The First Place?
The Anti-Spyware Tutorial.
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

cool_user123 · 04-18-2006, 09:18 AM

hi

After deleting cookies from internet options, found two of the files you mentioned were not deleted and it was manually deleted.I am in the process of downloading and installing the free programs you have mentioned.Also goin thru' the tutorials you have referred.

Thanks a lot for your help.Thanks again.

04-14-2006, 07:11 AM	#1 (permalink)
cool_user123 Registered User Join Date: Apr 2006 Location: India Posts: 5 OS: WinXP	540.filost.com & other problems. I am encountering the following problems. I would very much appreciate your help on these problems. I have enclosed the HJT log below. I run both Windows 98 SE & Windows XP Pro in my system and use Norton Antivirus 2002. Thanks. 1) Numerous popups opening up because of 540.filost.com (After installating & cleaning up the system with tools advised by this forum, I am not getting the popups, but could you please check if remnants of it are still out there in the system). 2) The internet connection settings in the connections folder (for the broadband connection I use) is automatically changing to wrong values & on double-clicking it wasn't showing the user name/password dialog box. Even if I manually change the properties of the connection, it reverts back to the wrong values. Sometimes I could see a telephone no. in the user name section. I suspect if it was trying to dial an international phone no. & thankfully, since mine was a broadband connection, it is not able to dial in any phone no. 3) System has literally crawled down in its speed recently (especially after the 540.filost.com problem cropped up). As advised in these forums, I installated Spybot, Adaware etc - Since some these tools monitor activity to filter trojans, adware pgms etc, could it be these ones contribution to the slow speed or could it be some viruses. Panda Active Scan results: Incident Status Location Dialer:dialer.baj Not disinfected F:\WINDOWS\SYSTEM32\eid.exe Dialer:dialer.xd Not disinfected F:\WINDOWS\SYSTEM32\vbsys2.dll Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@belnk[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@dist.belnk[2].txt Spyware:Cookie/Microsofte Not disinfected C:\WINDOWS\Cookies\prince@microsofteup.112.2o7[1].txt Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\prince@burstnet[1].txt Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\prince@xiti[1].txt Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\prince@com[2].txt HJT Log from Win XP: Logfile of HijackThis v1.99.1 Scan saved at 7:29:33 PM, on 4/14/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe F:\WINDOWS\system32\spoolsv.exe F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe F:\WINDOWS\System32\cisvc.exe F:\Program Files\Norton AntiVirus\navapsvc.exe F:\WINDOWS\System32\tcpsvcs.exe F:\WINDOWS\System32\snmp.exe F:\WINDOWS\System32\ups.exe F:\WINDOWS\System32\cidaemon.exe F:\WINDOWS\System32\cidaemon.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\System32\sm56hlpr.exe F:\Program Files\Common Files\Symantec Shared\ccApp.exe F:\WINDOWS\Mixer.exe F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe F:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe F:\Program Files\Yahoo!\Messenger\YPager.exe F:\WINDOWS\System32\wbem\wmiapsrv.exe F:\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\XP\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsfd.exe O4 - HKLM\..\Run: [microsft windows updates] mswupdate32.exe O4 - HKLM\..\Run: [comctsvc] F:\WINDOWS\comctsvc.exe O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe O4 - HKLM\..\Run: [Multimedir KBD] D:\PROGRA~1\MULTIM~1\MMKBD.exe O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [RevertSettings] 8o” O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsfd.exe O4 - HKLM\..\RunServices: [microsft windows updates] mswupdate32.exe O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\XP\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{3A833CC3-024B-49AD-A2A2-5108B0B68C5D}: NameServer = 218.248.255.145 61.1.96.69 O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - F:\WINDOWS\System32\vbsys2.dll O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

04-14-2006, 08:06 AM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,940 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi cool_user123 and welcome to TSF. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Disable SpyBot Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. Show Hidden Files Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Downloads Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later. Download Ewido Anti-Malware Install Ewido Anti-Malware When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido. When you have finished updating, EXIT Ewido. Run CleanUp! NOTE Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW! Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Uncheck the following : Scan local drives for temporary files Click OK, Press the CleanUp! button to start the program and reboot when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility. Reboot Reboot your system in Safe Mode. Restart the computer. The computer begins processing a set of instructions known as BIOS. After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key) Instead of Windows loading as normal, a menu should appear Use the arrow key to highlight Safe Mode and press Enter. HijackThis Entries Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file) O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsfd.exe O4 - HKLM\..\Run: [microsft windows updates] mswupdate32.exe O4 - HKLM\..\Run: [comctsvc] F:\WINDOWS\comctsvc.exe O4 - HKLM\..\Run: [RevertSettings] 8o” O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsfd.exe O4 - HKLM\..\RunServices: [microsft windows updates] mswupdate32.exe O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - F:\WINDOWS\System32\vbsys2.dll Please remember to close all other windows, including browsers then click Fix checked. File Deletions Delete the following Files indicated in RED if they still exist. ntsfd.exe <- - Go to Start > Search to find this file mswupdate32.exe <- - Go to Start > Search to find this file comctsvc.exe <- - Go to Start > Search to find this file F:\WINDOWS\System32\vbsys2.dll F:\WINDOWS\SYSTEM32\eid.exe Run Ewido Run Ewido with it's updated definitions (...it's important that all windows must be closed) Click on scanner Click on Complete System Scan and the scan will begin. NOTE: During some scans with Ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If Ewido detects a file you KNOW to be legitimate, select none as the action. DO NOT select "Perform action on all infections" If you are unsure of any entry found select none for now. When the scan is finished, click the Save Report button at the bottom of the screen. Save the report to your desktop Close Ewido NOTE: Ewido scan will require at least an hour. Reboot Reboot your system in Normal Mode. Online Scan Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note of the name(s) and location(s) of any file(s) it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan IMPORTANT! Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2 [SP2]). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online. Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here. Thank you for your cooperation. Logs required Ewido Log Kaspersky Log HijackThis Log Please also advise how your system is performing now. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

04-16-2006, 03:43 AM	#4 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,940 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again – you are most welcome. Looking good – how is your system performing now? This line in the Kaspersky Log E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped Is your E: drive an optical drive or removable drive? Please run one more online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner. 1. Click Check Now and a "pop up" window will appear. Please ensure that your pop up blocker doesn't block it 2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan Post back with any log from Panda and a fresh HijackThis Log. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

04-16-2006, 12:55 PM	#7 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,940 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again Clear your IE cookies. Start > Settings > Control Panel > Internet Options > General tab > under Temporary files, click on Delete Cookies Delete the following Files indicated in RED if they still exist. C:\WINDOWS\LASTGOOD\DOWNLOADED PROGRAM FILES\eied.inf F:\WINDOWS\switchagreement.txt F:\WINDOWS\LastGood\Downloaded Program Files\start.INF Any more problems? If not we’ll just tidy up then I’ll let you go. Reset Hidden/System Files To reset your hidden and system files: Click *Start.* Open *My Computer.* Select the *Tools menu* and click *Folder Options.* Select the *View* tab. Deselect the *Show hidden files and folders* option. Select the *Hide file extensions for known types* option. Select the *Hide protected operating system files* option. Click *Yes* to confirm. Click *OK.* System Restore To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. This will create a new Restore Point. IMPORTANT!!! Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections; and the likely reason you are now infected. Visit Window's Update to get the KB912919 patch. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here. *Ad-aware* Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here. *IE-SPYAD* IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here. *MVPS Hosts File* The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. *Alternate Browsers* Try the following free alternate browsers rather than Internet Explorer Firefox Opera *Firewalls* A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall *Anti Virus Software* It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial Here are two very good free Antivirus products which are available: Avast! AVG It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. *Other Protection* Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How Did I Get Infected In The First Place? The Anti-Spyware Tutorial. Making Internet Explorer Safer. Keep clean and safe and enjoy your computing! Please respond to this thread one more time so we can mark this thread as resolved. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

04-15-2006, 08:13 PM	#3 (permalink)
cool_user123 Registered User Join Date: Apr 2006 Location: India Posts: 5 OS: WinXP	Thanks a lot for your welcome note & for the time and effort you have put in to help me Glaswegian. Please find a summary of the activities performed as advised by you below. Please let me know on whether my system is clean now & how to proceed further. Disable SpyBot Tea Timer - Done Show Hidden Files - Done Run CleanUp! - Done Reboot your system in Safe Mode - Done HijackThis Entries - Deleted the HJT entries you had advised File Deletions - Done Run Ewido - Done (Report provided below) Reboot your system in Normal Mode - Done Online Scan using Kaspersky WebScanner - Done (Report provided below) Install at least SP1a for both XP and IE6 - Done Ran HJT after all the above in normal boot mode & report is provided below. Ewido Report: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 1:37:11 AM, 4/15/2006 + Report-Checksum: 73518CD9 + Scan result: HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup C:\WINDOWS\Cookies\prince@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup C:\WINDOWS\Cookies\prince@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\WINDOWS\Cookies\prince@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup C:\WINDOWS\Cookies\prince@com[2].txt -> TrackingCookie.Com : Cleaned with backup C:\WINDOWS\Cookies\prince@zdnet.com[1].txt -> TrackingCookie.Com : Cleaned with backup C:\WINDOWS\Cookies\prince@vodafonees.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\WINDOWS\Cookies\prince@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup E:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP80\A0046364.exe -> Trojan.Sporse : Cleaned with backup E:\SOPHIA\Heart.exe -> Trojan.Sporse : Cleaned with backup E:\baski\SOPHIA\Heart.exe -> Trojan.Sporse : Cleaned with backup F:\Documents and Settings\raj.PRINCE\Cookies\raj@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup F:\RECYCLER\S-1-5-21-1275210071-688789844-842925246-1003\Df2.exe -> Downloader.Mediket.bt : Cleaned with backup F:\RECYCLER\S-1-5-21-1275210071-688789844-842925246-1008\Df40.exe -> Trojan.Sporse : Cleaned with backup F:\WINDOWS\internt.exe -> Trojan.LipGame.k : Cleaned with backup F:\WINDOWS\system32\ggbcymbq.xgz -> Hijacker.Small.js : Cleaned with backup ::Report End Kaspersky Report: Saturday, April 15, 2006 4:59:58 AM Operating System: Microsoft Windows XP Professional, (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 14/04/2006 Kaspersky Anti-Virus database records: 188150 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer A:\ C:\ D:\ E:\ F:\ G:\ Scan Statistics Total number of scanned objects 75092 Number of viruses found 10 Number of infected objects 27 Number of suspicious objects 0 Duration of the scan process 02:18:23 Infected Object Name Virus Name Last Action E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.AlexaBar.b skipped E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe/stream Infected: not-a-virus:AdWare.Win32.AlexaBar.b skipped E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe NSIS: infected - 3 skipped F:\Program Files\Norton AntiVirus\Quarantine\001B35D7.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\19C66EB9.exe Infected: Packed.Win32.Tibs skipped F:\Program Files\Norton AntiVirus\Quarantine\1E996852/Attachments,zip Infected: Email-Worm.Win32.Nyxem.e skipped F:\Program Files\Norton AntiVirus\Quarantine\1E996852 Mail: infected - 1 skipped F:\Program Files\Norton AntiVirus\Quarantine\1E996852 CryptFF: infected - 1 skipped F:\Program Files\Norton AntiVirus\Quarantine\1F436F97/New Infected: Email-Worm.Win32.Nyxem.e skipped F:\Program Files\Norton AntiVirus\Quarantine\1F436F97 Mail: infected - 1 skipped F:\Program Files\Norton AntiVirus\Quarantine\1F436F97 CryptFF: infected - 1 skipped F:\Program Files\Norton AntiVirus\Quarantine\1F477A25.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\3E025EE2.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\3FF751B8.exe Infected: Packed.Win32.Tibs skipped F:\Program Files\Norton AntiVirus\Quarantine\6756763F.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\69BE49DE.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\6C4C2C23.EXE Infected: Backdoor.Win32.SdBot.aad skipped F:\Program Files\Norton AntiVirus\Quarantine\71D018B1.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\76361273.exe Infected: Backdoor.Win32.Rbot.aeu skipped F:\Program Files\Norton AntiVirus\Quarantine\7775035C.exe Infected: Backdoor.Win32.Rbot.gen skipped F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP85\A0048609.dll Infected: Trojan-Clicker.Win32.Agent.ac skipped F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP91\A0054022.dll Infected: Trojan-Clicker.Win32.Agent.ac skipped F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054053.exe Infected: Trojan.Win32.LipGame.k skipped F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054470.exe Infected: Trojan-Downloader.Win32.Mediket.bt skipped F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054473.exe Infected: Trojan-Downloader.Win32.Mediket.bt skipped F:\System Volume Information\_restore{58383ED5-9EF0-4E5E-B3C4-96F29C7B3799}\RP92\A0054475.exe Infected: Trojan.Win32.LipGame.k skipped Scan process completed. HJT Report: Logfile of HijackThis v1.99.1 Scan saved at 8:28:46 AM, on 16/04/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\system32\spoolsv.exe F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe F:\WINDOWS\system32\cisvc.exe F:\WINDOWS\Explorer.EXE F:\Program Files\ewido anti-malware\ewidoctrl.exe F:\Program Files\ewido anti-malware\ewidoguard.exe F:\Program Files\Norton AntiVirus\navapsvc.exe F:\WINDOWS\System32\tcpsvcs.exe F:\WINDOWS\System32\snmp.exe F:\Program Files\Common Files\Symantec Shared\ccApp.exe F:\WINDOWS\System32\ups.exe F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe F:\WINDOWS\Mixer.exe F:\Program Files\Messenger\msmsgs.exe F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe F:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe F:\WINDOWS\system32\cidaemon.exe F:\WINDOWS\system32\cidaemon.exe D:\Program Files\Multimedia Hotkey Program\MMKbd.exe F:\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\XP\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [Multimedir KBD] D:\PROGRA~1\MULTIM~1\MMKBD.exe O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\XP\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O20 - Winlogon Notify: ComPlusSetup - F:\WINDOWS\System32\catsrvut.dll O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

04-16-2006, 08:24 AM	#5 (permalink)
cool_user123 Registered User Join Date: Apr 2006 Location: India Posts: 5 OS: WinXP	Hi Glaswegian, My e: drive is a hard disk. I have deleted the setup file 'E:\setups\Megaupload-20 (Toolbar for Mega Upload website).exe' & have also uninstalled the Megaupload toolbar using Control Panel. I am currently running the online scan from Panda ActiveScan as adviced by you & will keep you posted of the results along with a new HJT log. Thanks again for the time & energy you have put into this.

04-16-2006, 10:21 AM	#6 (permalink)
cool_user123 Registered User Join Date: Apr 2006 Location: India Posts: 5 OS: WinXP	hi As you have referred scans were made using Panda and Hijackthis and the logs are given below Panda report Incident Status Location Dialer:dialer.baj Not disinfected F:\WINDOWS\LASTGOOD\DOWNLOADED PROGRAM FILES\eied.inf Dialer:dialer.xd Not disinfected F:\WINDOWS\switchagreement.txt Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@2o7[1].txt Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@ads.pointroll[2].txt Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@atwola[1].txt Spyware:Cookie/QuestionMarket Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@questionmarket[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@server.iad.liveperson[2].txt Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@toplist[1].txt Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@tribalfusion[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@belnk[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\prince@dist.belnk[2].txt Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\prince@xiti[1].txt Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@2o7[1].txt Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@ads.pointroll[2].txt Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@atwola[1].txt Spyware:Cookie/QuestionMarket Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@questionmarket[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@server.iad.liveperson[2].txt Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@toplist[1].txt Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\raj.PRINCE\Cookies\raj@tribalfusion[1].txt Adware:Adware/MediaTickets Not disinfected F:\WINDOWS\LastGood\Downloaded Program Files\eied.inf Dialer:Dialer.ABR Not disinfected F:\WINDOWS\LastGood\Downloaded Program Files\start.INF Hijackthis report Logfile of HijackThis v1.99.1 Scan saved at 10:30:19 PM, on 16/04/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\system32\spoolsv.exe F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe F:\WINDOWS\system32\cisvc.exe F:\Program Files\ewido anti-malware\ewidoctrl.exe F:\Program Files\Norton AntiVirus\navapsvc.exe F:\WINDOWS\System32\tcpsvcs.exe F:\WINDOWS\System32\snmp.exe F:\WINDOWS\System32\ups.exe F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe F:\WINDOWS\Explorer.EXE D:\PROGRA~1\MULTIM~1\MMKBD.exe F:\Program Files\Common Files\Symantec Shared\ccApp.exe F:\WINDOWS\Mixer.exe F:\Program Files\Messenger\msmsgs.exe F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe F:\WINDOWS\system32\cidaemon.exe F:\WINDOWS\System32\mssvcc.exe F:\WINDOWS\system32\cidaemon.exe F:\WINDOWS\System32\lup.exe F:\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\XP\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [Multimedir KBD] D:\PROGRA~1\MULTIM~1\MMKBD.exe O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [msconfig38] mssvcc.exe O4 - HKLM\..\Run: [secures23] lup.exe O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\XP\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\1.0.384.22153\GoogleUpdater.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O20 - Winlogon Notify: ComPlusSetup - F:\WINDOWS\System32\catsrvut.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Thanks for all the help...

04-18-2006, 09:18 AM	#8 (permalink)
cool_user123 Registered User Join Date: Apr 2006 Location: India Posts: 5 OS: WinXP	hi After deleting cookies from internet options, found two of the files you mentioned were not deleted and it was manually deleted.I am in the process of downloading and installing the free programs you have mentioned.Also goin thru' the tutorials you have referred. Thanks a lot for your help.Thanks again.