
Registered
Discussion Starter #1
Hi, my name is Jessica and I desperately need some help with my computer. About a week ago I clicked on some link a friend sent me in an instant message (I know, I feel stupid) and now I have a virus. It is really nasty and keeps sending the link out to people on my buddy list. I have run Norton Antivirus and Trendmicro, but I still have a virus message popping up every time I start my computer. I ran HJT and the analyzer, and this is what I got:

Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:11:59 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\lock1.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\system32\wisp.exe
C:\Documents and Settings\David White\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [MCX Update] wisp.exe
O4 - HKLM\..\RunServices: [strtas] lock1.exe
O4 - HKLM\..\RunServices: [MCX Update] wisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [strtas] lock1.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127582841067
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


End of KRC HijackThis Analyzer Log.

I posted in here a while back, and everybody was really helpful. If anyone can take a look at this and give me some advice, I would very much appreciate it.
 

Administrator
Hi there

You appear to have run this log in Safe Mode. However, let's run a few tools before taking a look.
_________________________________________________


Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.
_________________________________________________


Please make sure you run the following tools. Download and update the databases on each program before running.
_________________________________________________


Download, install, and update Ewido Security Suite
  • Install Ewido Security Suite
  • Launch Ewido, there will be a big E icon on your desktop which you must double-click.
  • The program will prompt you to update so you need to click the OK button
  • The program will take you to the main screen
You must update Ewido with the latest definition files.
  • On the left hand side of the main screen click Update
  • Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido
_________________________________________________


Reboot into Safe Mode by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
_________________________________________________


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - Perform action on all infections. Choose clean then click [OK].
  • Once finished, click the [Save report] button and save the report to your desktop.
Close Ewido
_________________________________________________


Reboot your system in Normal Mode.
_________________________________________________


Please do an online scan at Panda ActiveScan

  1. Click on the Scan your PC button & a pop up window shall appear. *Ensure that your pop up blocker doesn't block it*
  2. Click On Next
  3. Enter your e-mail address & click Send. *It will begin downloading Panda's ActiveX controls which are about 8MB in size*
  4. In the next window, checkmark the following:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Detect unknown viruses (Heuristic)
    • Detect spyware
  5. Begin the scan by selecting All My Computer

    You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

  6. If it finds any malware, it will offer you a report. Click on see report
  7. Then click Save report
  8. Post the contents of the report in your next reply

_________________________________________________

Paste the results of the Panda Scan and Ewido results here together with a new HiJack This log.
 

Registered
Discussion Starter #3
new stuff

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:45:50 PM, 10/27/2005
+ Report-Checksum: C9901399

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{BC3BBF86-E4EC-4412-9676-8355468B3B05} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\ToolBar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-789336058-1078145449-1060284298-1004\Software\ToolBar -> Spyware.WebSearch : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Kazaa Lite\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\My Love\v1r3 -> Backdoor.IRC.Mox.a : Cleaned with backup
C:\Program Files\My Love\x -> Worm.Randon.aa : Cleaned with backup
C:\RECYCLED\Dc167.exe -> Adware.MidADle : Cleaned with backup
C:\RECYCLED\Dc183.exe -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\David White\Local Settings\Temp\k2kzMdC0f.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\David White\Cookies\david [email protected][3].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP280\A0015012.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP281\A0015017.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP281\A0015029.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP282\A0015054.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP282\A0015059.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP283\A0015066.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP284\A0015073.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP286\A0015080.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP287\A0015092.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP288\A0015099.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP288\A0015113.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP290\A0015214.bat -> Trojan.KillProc.a : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP292\A0015330.EXE -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP292\A0015331.exe -> Backdoor.Rbot : Cleaned with backup
C:\HJT\backups\backup-20041020-205548-755.dll -> Adware.MidADle : Cleaned with backup
C:\xz.bat -> Trojan.KillProc.a : Cleaned with backup


::Report End



Incident Status Location

Adware:adware/gator No disinfected C:\Documents and Settings\David White\Local Settings\Temp\bundle.inf
Adware:adware/midaddle No disinfected C:\Documents and Settings\David White\Local Settings\Temp\addit.exe
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/statblaster No disinfected Windows Registry
Virus:W32/Sdbot.FMN.worm Disinfected C:\WINDOWS\SYSTEM32\yafs.exe
Spyware:Spyware/Support No disinfected C:\WINDOWS\TEMP\vault\tg\tgcmd.exe\1519616_5dbb20689_[tgcmd.exe]
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\TEMP\tracker9.exe
Spyware:Spyware/Support No disinfected C:\Program Files\Support.com\bin\tgcmd.exe
Adware:Adware/Midaddle No disinfected C:\RECYCLED\Dc169.exe
Adware:Adware/Midaddle No disinfected C:\RECYCLED\Dc174.exe
Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\David White\Local Settings\Temp\mw.exe
Adware:Adware/Midaddle No disinfected C:\Documents and Settings\David White\Local Settings\Temp\NT7NcJgZw.dll
Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\David White\Local Settings\Temp\tracker9.exe
Spyware:Spyware/Altnet No disinfected C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP293\A0015466.dll
Adware:Adware/Midaddle No disinfected C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP293\A0015467.exe
Adware:Adware/Midaddle No disinfected C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP293\A0015468.exe
Adware:Adware/Midaddle No disinfected C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP293\A0015469.dll
Virus:W32/Sdbot.FMN.worm Disinfected C:\System Volume Information\_restore{98DECC67-2A03-42F0-84BE-82F8113388DF}\RP293\A0015477.exe
Dialer:Dialer.BTL No disinfected C:\HJT\backups\backup-20041020-205548-208.inf



Logfile of HijackThis v1.99.1
Scan saved at 6:33:31 AM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\David White\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [strtas] lock1.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127582841067
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
 

TSF Security Manager, Emeritus
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host


The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [strtas] lock1.exe

Locate the following Files/Folders and delete them if they exist:

lock1.exe <<< Should be in C:\Windows\System32; if not, search for it and delete it when found
C:\keys.ini


Run CleanUp again.

Restart in normal mode.

Run Panda ActiveScan once again.

Restart and run a new HijackThis scan. Save the log file and post it here.

Create an uninstall list:

  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad onto your post

Please return with results from:

Panda
HJT scan log
HJT Uninstall list
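The reasoning behind the single O4 line the helper asks to fix can be mechanised. As an added example (not code from this thread, from HijackThis, or from the helper), the script below parses the registry O4 autostart entries of an HJT log and flags the ones whose command is a bare file name with no directory, then looks up where that image is actually running from in the "Running processes" section. In the first log posted above, the two malware starters (lock1.exe and wisp.exe, sitting in System32 and registered under both Run and RunServices) are exactly the entries this catches, while legitimate entries carry a full path. The sample input is an excerpt of that first log; the function names are my own.

```python
import re
from typing import Dict, List

# Sample input: an excerpt of the first HijackThis log posted in this thread
# (running processes and O4 autostart entries only).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lock1.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\system32\wisp.exe
C:\Documents and Settings\David White\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [MCX Update] wisp.exe
O4 - HKLM\..\RunServices: [strtas] lock1.exe
O4 - HKLM\..\RunServices: [MCX Update] wisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [strtas] lock1.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
"""

# Registry-based O4 lines look like "O4 - HKLM\..\Run: [name] command".
# Global Startup (.lnk) entries already show a full path and are not examined.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(log: str) -> List[Dict[str, str]]:
    """Every registry Run/RunServices entry in the log, in log order."""
    return [m.groupdict() for m in (O4_RE.match(l.strip()) for l in log.splitlines()) if m]


def command_image(cmd: str) -> str:
    """Image file of an autostart command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_name(image: str) -> bool:
    """True when the image has no directory, so Windows resolves it via the search path."""
    return bool(image) and "\\" not in image and "/" not in image


def running_processes(log: str) -> List[str]:
    """Full paths listed under 'Running processes:' up to the next blank line."""
    lines = log.splitlines()
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def triage(log: str) -> Dict[str, dict]:
    """Bare-name autostarts: the Run keys each one sits in and, when the same
    image also appears in the running-process list, the directory it runs from."""
    flagged: Dict[str, dict] = {}
    for e in parse_o4(log):
        img = command_image(e["cmd"]).lower()
        if is_bare_name(img):
            entry = flagged.setdefault(img, {"keys": [], "running_from": None})
            entry["keys"].append(f"{e['hive']}\\..\\{e['key']}")
    for path in running_processes(log):
        base = path.rsplit("\\", 1)[-1].lower()
        if base in flagged:
            flagged[base]["running_from"] = path
    return flagged
```

Run over the second log in the thread, the same check flags only the remaining `[strtas] lock1.exe` entry (plus `SysTray.Exe`, a bare name that is flagged for review rather than as a verdict), which is the one O4 line the helper asks to fix.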