Tech Support banner

Status
Not open for further replies.
1 - 13 of 13 Posts

·
Registered
Joined
·
30 Posts
Discussion Starter · #1 ·
Windows XP Pro
Fast P4 Computer
and Fast Cable Internet Connection

I removed SpySheriff, Java_Bytever.a, Java_Bytever.ac, shut off system restore, ran an online and internet av/trojan removers, edited my registry, applied a patch to restore my desktop, cleaned the java cash, ran spyware removers, reinstlled and ran Norton Utilities - and did every thing I could think of. In short,I have been working for many hours to recover from this crap. The only visible reminent is that my norton-protected trash bin displays no icon.

Please would an expert check the Hijackthis log to see if anything remains that I need to remove or do. Thank you.

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Program Files\Belkin Bulldog Plus\upsd.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Les Davis\Desktop\Utilities\Ad Spy Cleaners\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - E:\WINDOWS\System32\appwiz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\XPPRO2~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://E:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12931276f68eca3c2700/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120294616281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - E:\WINDOWS\System32\ibfllhgc.dll
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - E:\WINDOWS\System32\iidndajj.dll
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - E:\WINDOWS\System32\jipmpppm.dll
O21 - SSODL: SysTray.Exrn - {4368ECFC-4F5C-4f3b-B934-D67494FC78E0} - E:\WINDOWS\System32\kdcnngdc.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Unknown owner - (no file)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - E:\Program Files\Belkin Bulldog Plus\upsd.exe
 

·
Administrator
Joined
·
4,870 Posts
Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If necessary, please ask any questions before proceeding with the procedures below.
_________________________________________________

You have not included the header part of your log results. This contains inmportant information so please include it in the next pass.
_________________________________________________

Download Host.zip Extract the file and overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host
_________________________________________________

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
  • O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - E:\WINDOWS\System32\appwiz.dll
    O8 - Extra context menu item: Open Image in New Window - res://E:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
    O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - E:\WINDOWS\System32\ibfllhgc.dll
    O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - E:\WINDOWS\System32\iidndajj.dll
    O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - E:\WINDOWS\System32\jipmpppm.dll
    O21 - SSODL: SysTray.Exrn - {4368ECFC-4F5C-4f3b-B934-D67494FC78E0} - E:\WINDOWS\System32\kdcnngdc.dll
_________________________________________________

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
_________________________________________________

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools > Folder Options > View tab.
  • Check - Show hidden files and folder
  • Uncheck - Hide file extensions for known types
  • Uncheck - Hide protected operating system files

Click Yes to confirm and then click OK
_________________________________________________

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
  • E:\WINDOWS\System32\appwiz.dll
    E:\WINDOWS\System32\ibfllhgc.dll
    E:\WINDOWS\System32\jipmpppm.dll
    E:\WINDOWS\System32\kdcnngdc.dll
_________________________________________________

Reboot your system in normal Mode.
_________________________________________________

Please do an online scan at Panda ActiveScan.

Use the free to use active scan link in the right hand corner.

  1. Click on the Scan your PC button & a pop up window shall appear. *Ensure that your pop up blocker doesn't block it*
  2. Click On Next
  3. Enter your e-mail address & click Send. *It will begin downloading Panda's ActiveX controls which are about 8MB in size*
  4. In the next window, & checkmark the following:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Detect unknown viruses (Heuristic)
    • Detect spyware

  5. Begin the scan by selecting All My Computer

    You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

  6. If it finds any malware, it will offer you a report. Click on See report
  7. Then click Save report
_________________________________________________

Paste the results of the Panda Scan here together with a new HiJack This log.
 

·
Registered
Joined
·
30 Posts
Discussion Starter · #4 ·
I cleaned and removed jbfllhgc.dll, iidndajj.dll, jipmpppm.dll, kdcnngdc.dll, appwiz.dll.

Then I cleaned and removed everything listed on the Panda scanlist (below) except powerstrip, which I could not find in the registry.

Here is the Activescan log before I removed the listed items:
Incident Status Location

Virus:Trj/Downloader.FWW Disinfected Operating system
Adware:adware/cws.searchmeup No disinfected E:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/antivirus-gold No disinfected E:\WINDOWS\desktop.html
Adware:adware/secure32 No disinfected E:\WINDOWS\secure32.html
Adware:adware/isearch No disinfected E:\WINDOWS\tool2.exe
Adware:adware/cws No disinfected E:\Documents and Settings\Les Davis\Favorites\Going Places
Adware:adware/powerstrip No disinfected Windows Registry
Hacktool:HackTool/CrackSearch.ANo disinfected C:\Documents and Settings\Les.LESP4\Desktop\CrackSearcher.exe
Possible Virus. No disinfected C:\Program Files\Archive\archive.exe
Adware:Adware/SpySheriff No disinfected C:\Program Files\SpySheriff\heur000.dll
Adware:Adware/SpySheriff No disinfected C:\Program Files\SpySheriff\heur001.dll
Adware:Adware/SpySheriff No disinfected C:\Program Files\SpySheriff\heur002.dll
Adware:Adware/SpySheriff No disinfected C:\Program Files\SpySheriff\heur003.dll
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\IESecurity.dll
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/SpySheriff No disinfected C:\Program Files\SpySheriff\Uninstall.exe
Adware:Adware/Secure32 No disinfected C:\secure32.html

-----------------------------------------------------------------------

This is the HJ log after I removed everything:
Logfile of HijackThis v1.99.1
Scan saved at 7:33:06 PM, on 10/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Program Files\Belkin Bulldog Plus\upsd.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Les Davis\Desktop\Utilities\Ad Spy Cleaners\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\RunOnce: [Panda_cleaner_219990] E:\WINDOWS\System32\ActiveScan\pavdr.exe 219990
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\XPPRO2~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12931276f68eca3c2700/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120294616281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Unknown owner - (no file)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - E:\Program Files\Belkin Bulldog Plus\upsd.exe


My computer is running fast now. Did I miss anything?

Thank you for your help. :)
 

·
Administrator
Joined
·
4,870 Posts
Hi Victor

Nearly done now. I am just going to run some tools to get rid of the last remnants left in the registry.

Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

Please download the trial version of Ewido Security Suite

Please read Ewido Setup Instructions, install the program, and update the definitions to the newest files. Do NOT run a scan yet.

Reboot your system in SafeMode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C or partition where your operating system is installed. Please post that log along with the others requested in your next reply.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Reboot your system in Normal Mode and do another Panda Scan.

Post the Smitrem log, Ewido log and Panda log together with a fresh HJT log in your next reply.
 

·
Registered
Joined
·
30 Posts
Discussion Starter · #6 ·
Thank you so much for your help. I will follow your advice as soon as I finish this and post the logs afterwards.

FYI I just removed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.ht m
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.ht m

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1293127...ip/RdxIE601.cab

Someone told me to install SpywareBlaster. What do you think of it?

Here is my most recent HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:46 PM, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Program Files\Belkin Bulldog Plus\upsd.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Les Davis\Desktop\Utilities\Ad Spy

Cleaners\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://optonline.net/Home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

e:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910}

- D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program

files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: &Download with &DAP -

E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program

files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program

files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program

files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program

files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF -

res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -

res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -

res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -

res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -

res://D:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP -

E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://D:\PROGRA~1\MICROS~3\XPPRO2~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program

files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program

files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -

http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) -

https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.8.511/lib/quic

ksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_s

ite.cab?1120294616281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housec

all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -

http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program

Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Unknown owner - (no file)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec

Corporation - E:\Program Files\Norton SystemWorks\Norton

Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro

Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -

E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program

Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro

Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. -

D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -

D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - E:\Program

Files\Belkin Bulldog Plus\upsd.exe
 

·
Registered
Joined
·
30 Posts
Discussion Starter · #7 ·
I noticed that the following item was not removed, so I deleted it again and now it is gone: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

e:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.ht m

Thanks again :)
 

·
Registered
Joined
·
30 Posts
Discussion Starter · #8 · (Edited)
Here are the logs from running Ewido Security Suite, SmitRem.exe, Panda Viruscan and then HijackThis. Please let me know what still needs to be removed. Thank you.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:10:34 PM, 11/1/2005
+ Report-Checksum: 14FC3251

+ Scan result:

HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Ignored
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Ignored
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Ignored
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Ignored
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Ignored
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Ignored
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Bfast : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Adtech : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Qksrv : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Tribalfusion : Ignored
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Ignored
E:\WINDOWS\hosts -> Trojan.Qhost.el : Ignored
E:\WINDOWS\ms1.exe -> TrojanDownloader.Small.buh : Ignored
E:\WINDOWS\system32\hiinhceh.exe -> TrojanDropper.Small.afo : Ignored
E:\WINDOWS\system32\ieibccba.exe -> TrojanDropper.Small.aib : Ignored
E:\WINDOWS\system32\ikldonpf.exe -> TrojanDropper.Small.aib : Ignored
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.s : Cleaned with backup
D:\Documents and Settings\Les\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
D:\Documents and Settings\Les\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\Documents and Settings\Les\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
D:\Documents and Settings\Les\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Les\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.I12 : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\Documents and Settings\Les Davis\Cookies\les [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
E:\Documents and Settings\Les Davis\Desktop\Utilities\Ad Spy Cleaners\backups\backup-20051031-180426-992.dll -> TrojanSpy.Goldun.dw : Cleaned with backup
E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> TrojanSpy.Small.dg : Cleaned with backup
E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> TrojanSpy.Small.dg : Cleaned with backup
E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> TrojanSpy.Small.dg : Cleaned with backup
E:\WINDOWS\kl.exe -> TrojanSpy.Agent.bu : Cleaned with backup
E:\WINDOWS\system32\countrydial.exe -> Dialer.Generic : Cleaned with backup
H:\Program Files\Download\Utilities\CrackSearcher.exe -> Not-A-Virus.HackTool.CrackSearch.a : Cleaned with backup
I:\Download\Utilities\CrackSearcher.exe -> Not-A-Virus.HackTool.CrackSearch.a : Cleaned with backup


::Report End


smitRem © log file
version 2.7

by noahdfear

The current date is: Tue 11/01/2005
The current time is: 14:13:51.90

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
------------------------------------------------------------

Activescan Log:

Incident Status Location

Adware:adware/cws.searchmeup No disinfected E:\WINDOWS\ms1.exe
Adware:adware/cws No disinfected E:\Documents and Settings\Les Davis\Favorites\Living
Hacktool:HackTool/EvID No disinfected E:\Documents and Settings\Les Davis\Desktop\EvID4226Patch223d-en.zip[EvID4226Patch.exe]
Virus:Trj/MultiDropper.AZD Disinfected E:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI
Virus:Trj/Dropper.NT Disinfected E:\WINDOWS\system32\hiinhceh.exe
Hacktool:HackTool/CrackSearch.ANo disinfected I:\System Volume Information\_restore{7DF3CBA1-8626-4B8B-9C22-96D142DE01D7}\RP3\A0000456.exe
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:39:22 PM, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Program Files\Belkin Bulldog Plus\upsd.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Les Davis\Desktop\Utilities\Ad Spy Cleaners\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\XPPRO2~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Unknown owner - (no file)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - E:\Program Files\Belkin Bulldog Plus\upsd.exe
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode and proceed with the rest of the fix.

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

E:\Documents and Settings\Les Davis\Favorites\Living <--delete that folder

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES

E:\WINDOWS\ms1.exe

Once you reboot...run another Panda scan and post it's log along with the Ewido log.
 

·
Registered
Joined
·
30 Posts
Discussion Starter · #10 ·
I did what you suggested and here are the logs of some of the things that I did. Thank you so much for your help!

BTW: Its amazing that AVG Pro found and removed 5 trojans that Panda and PC_Cillian missed.

Here is the AVG log:

"","","Trojan horse Downloader.Generic.HTH","E:\WINDOWS\ms1.exe","11/2/2005 3:27:03 AM","ms1.exe","3 KB"
"","","Trojan horse Collected.Z","E:\WINDOWS\tool3.exe","11/2/2005 3:27:03 AM","tool3.exe","1024 bytes"
"","","Trojan horse Collected.Z","E:\WINDOWS\tool4.exe","11/2/2005 3:27:03 AM","tool4.exe","1024 bytes"
"","","Trojan horse Collected.Z","E:\WINDOWS\tool5.exe","11/2/2005 3:27:03 AM","tool5.exe","1024 bytes"
"","","Trojan horse Dropper.Generic.BFK","E:\WINDOWS\system32\ikldonpf.exe","11/2/2005 3:27:04 AM","ikldonpf.exe","22.5 KB"


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:41:30 PM, 11/2/2005
+ Report-Checksum: 212706A8

+ Scan result:

HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-436374069-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Les.LESP4\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
I:\System Volume Information\_restore{7DF3CBA1-8626-4B8B-9C22-96D142DE01D7}\RP3\A0000456.exe -> Not-A-Virus.HackTool.CrackSearch.a : Cleaned with backup

::Report End
--------------------------------------------------------------------------
Active Scan

Incident Status Location

Adware:adware/cws No disinfected E:\Documents and Settings\Les Davis\Favorites\Living --------------------------------------------------------------------------
Note I removed the living folder after the scan.
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:53:17 AM, on 11/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Program Files\Belkin Bulldog Plus\upsd.exe
E:\WINDOWS\System32\wwSecure.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - E:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\XPPRO2~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Unknown owner - (no file)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - E:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - E:\WINDOWS\System32\wwSecure.exe
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.


Reset hidden/system files and folders

Windows XP
===============

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows 2000
===============

  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files Folders.
  • Deselect the Show all files option.
  • Click Yes to confirm.
  • Click OK.

Windows ME
===============

  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows 95/98/98SE
===============

  • Open My Computer.
  • Select the View
  • Select the Folder Options option.
  • Select the View tab. option.
  • Select the Advance Advanced settings box option.
  • Select the Hidden files folder.
  • Deselect the Show all files option
  • Click Apply to confirm.
  • Click OK.



Create a new System Restore point

Windows XP
===============

  • Click Start >> Run - type SYSDM.CPL & press Enter
  • Select the System Restore Tab
  • Tick on the checkbox - "Turn off System Restore on all drives"
  • Click Apply
  • Then untick the same checkbox & click OK
  • This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

  • Click the Start tab.
  • Select the Settings option.
  • Select the Control Panel option.
  • Double Click the System icon Performance tab option.
  • Select File System
  • Select the Troubleshooting tab
  • Check the Disable System Restore box
  • Click Apply to confirm.
  • Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option
  • Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

  • Click the Start button.
  • Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
  • Choose Create a restore point, and then click Next.
  • In the Restore point description box, type a name for your restore point, and then click Next.
    Click OK



Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • Tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
  • WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:


In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:




In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.
 

·
Registered
Joined
·
30 Posts
Discussion Starter · #12 ·
I still have these issues:

1. I no longer get the welcome or goodbye music on bootup or shutdown(windows XP Pro).

2. My Norton Protected waste basket no longer has the normal trash-basket an icon. I did reinstall Norton Utilities 2003 but that did not restore it.

3. I keep getting found new hardware notice for a raid controller that I am not using. I am using the controller but not in raid and it works without this driver. If I install it, I only get a question mark. When I delete it as I have, it keeps prompting me to install.

4. I do have a problem with windows update. I had uninstalled SP2 because it reduces download speed severely by reducing simultanious connections on P-2-p downloads. Now I have not installed recent updates to sp1 as a result. Any solution?

5. I do have AVG Pro AV and Trend Micro PC-Cillian (AV and Firewall) installed. PC-Cillian let in a lot of viruses, trojans, etc so I just installed AVG. They both coexist nicely.


Thank you so much for your outstanding knowlege and help!!!! :)
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
1. Click start...control panel...sounds and audio devices. Open the sounds tab..scroll down to the Exit windows and Start Windows. See if the WAV files associated with them are listed. If not..select them in the drop down list.

2. Right click the trash can..and check the properties of the icon. You may need to change to icons path to the one for norton.

3. That's a hardware issue. Ask about it in the hardware section...but it's likely Windows is seeing it as new hardware.

4. If your NOT going to use SP2..then make sure SP1 is fully patched. I can't remeber were I saw it...but theres a 3rd party patch (called SP2Connect or something) that increase the amount of P2P connections allowed.

You may get better answers in the XP forum...as none of these are malware related.
 
1 - 13 of 13 Posts
Status
Not open for further replies.
Top