Infected With Networm And Spyware Cyberlog-x

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected With Networm And Spyware Cyberlog-x, NetWorm-i.Virus@fp

Options

pocoloo View Member Profile	Feb 23 2008, 10:02 PM Post #1
Member Group: Members Posts: 17 Joined: 23-February 08 Member No.: 192,111	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:43:45 PM, on 2/23/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Spyware Terminator\sp_rsser.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NetProject\scit.exe C:\Program Files\NetProject\scm.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Kiwee Toolbar2\1.2.116\kwtbaim.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Documents and Settings\Preferred Customer\Desktop\stng380.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.2.116\KiweeIEToolbar.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: e404 helper - {2C566C34-7D72-4DC1-9BBE-1121A76698F8} - C:\PROGRAM FILES\HELPER\1203748910.DLL (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.2.116\KiweeIEToolbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.2.116\KiweeIEToolbar.dll O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\PROGRAM FILES\NETPROJECT\WAMDL.DLL O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar2\1.2.116\kwtbaim.exe" O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" O4 - HKLM\..\RunOnce: [SpybotDeletingA6137] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk" O4 - HKLM\..\RunOnce: [SpybotDeletingC2690] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk" O4 - HKLM\..\RunOnce: [SpybotDeletingA3044] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk" O4 - HKLM\..\RunOnce: [SpybotDeletingC3576] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk" O4 - HKLM\..\RunOnce: [SpybotDeletingA173] command /c del "C:\Program Files\RegistryFix\RegistryFix.exe" O4 - HKLM\..\RunOnce: [SpybotDeletingC1180] cmd /c del "C:\Program Files\RegistryFix\RegistryFix.exe" O4 - HKLM\..\RunOnce: [SpybotDeletingA6726] command /c del "C:\Program Files\RegistryFix\unins000.exe" O4 - HKLM\..\RunOnce: [SpybotDeletingC3056] cmd /c del "C:\Program Files\RegistryFix\unins000.exe" O4 - HKLM\..\RunOnce: [SpybotDeletingA5182] command /c del "C:\Program Files\RegistryFix\logs\4-12-2007 (13-25-54).txt" O4 - HKLM\..\RunOnce: [SpybotDeletingC6557] cmd /c del "C:\Program Files\RegistryFix\logs\4-12-2007 (13-25-54).txt" O4 - HKLM\..\RunOnce: [SpybotDeletingA6254] command /c del "C:\Program Files\RegistryFix\RegistryFixBackup\12,4,2007_13,28,15.zip" O4 - HKLM\..\RunOnce: [SpybotDeletingC8249] cmd /c del "C:\Program Files\RegistryFix\RegistryFixBackup\12,4,2007_13,28,15.zip" O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\RunOnce: [SpybotDeletingB7748] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk" O4 - HKCU\..\RunOnce: [SpybotDeletingD5333] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk" O4 - HKCU\..\RunOnce: [SpybotDeletingB1757] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk" O4 - HKCU\..\RunOnce: [SpybotDeletingD8847] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk" O4 - HKCU\..\RunOnce: [SpybotDeletingB877] command /c del "C:\Program Files\RegistryFix\RegistryFix.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD7464] cmd /c del "C:\Program Files\RegistryFix\RegistryFix.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingB9882] command /c del "C:\Program Files\RegistryFix\unins000.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD9388] cmd /c del "C:\Program Files\RegistryFix\unins000.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingB4954] command /c del "C:\Program Files\RegistryFix\logs\4-12-2007 (13-25-54).txt" O4 - HKCU\..\RunOnce: [SpybotDeletingD5972] cmd /c del "C:\Program Files\RegistryFix\logs\4-12-2007 (13-25-54).txt" O4 - HKCU\..\RunOnce: [SpybotDeletingB8773] command /c del "C:\Program Files\RegistryFix\RegistryFixBackup\12,4,2007_13,28,15.zip" O4 - HKCU\..\RunOnce: [SpybotDeletingD8991] cmd /c del "C:\Program Files\RegistryFix\RegistryFixBackup\12,4,2007_13,28,15.zip" O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing) O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/down...llerControl.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194025852372 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - C:\WINDOWS\SYSTEM32\WBCHHA.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 13071 bytes Before I followed the instructions the computer kept trying to change my home page. That has now stopped and since I started this message the pop up in the yellow triangle at the bottom tool bar has disappeared. The message said Networm-.Virus@fp virus/network need certified anti virus software. A message coming up as Critical it says Infected with latest version of Spyware, CyberLog-x. Infection lenght 266,129 bytes. It is also prompting me to download an anti spyware software. Windows live safety centre is also telling me to a scan with the message TOP THREATS Win 32/sober@mm ie Exploit Win32/mytob ie Exploit Win32/Netsky ie Exploit Thank you guys so much for me helping me with this.

don77 View Member Profile	Mar 14 2008, 05:40 PM Post #2
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	Hello pocoloo Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up. If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine. Thanks and again sorry for the delay. Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Next Please do an online scan with Kaspersky WebScanner Click on Accept Button You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post.

don77 View Member Profile	Mar 17 2008, 05:57 PM Post #4
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	I need to see the main txt Lets do some cleaning up as well Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only) Double-click ATF-Cleaner.exe to run the program. Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. Next Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop. Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications". Click the "Download" button to the right. Select your Platform: "Windows". Select your Language: "English". Read the License Agreement, and then check the box that says: "Accept License Agreement". Click Continue and the page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version. Next Post back the main txt from DSS please

don77 View Member Profile	Mar 18 2008, 10:20 AM Post #6
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	We have a bunch of infected restore points we need to clean out but a couple more things to do before we get there First I would like to see what this file is about Please go to Jotti's malware scan Copy and paste the following file path C:\WINDOWS\system32\LVNetWait.dll into the box on the top of the page: Click on the submit button Please post the results in your next reply.

pocoloo View Member Profile	Mar 18 2008, 03:31 PM Post #7
Member Group: Members Posts: 17 Joined: 23-February 08 Member No.: 192,111	Scanner results Scan taken on 18 Mar 2008 20:28:36 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Rising Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing Last file scanned at least one scanner reported something about: CloneDVD2Keygen.exe (MD5: 0ca442640a02d5b64d803694e433f0ec, size: 78225 bytes), detected by: Scanner Malware name A-Squared X AntiVir X ArcaVir Trojan.Downloader.Small.Cyn Avast X AVG Antivirus X BitDefender X ClamAV X CPsecure W32.Email.W.Bagle.of Dr.Web X F-Prot Antivirus X F-Secure Anti-Virus X Fortinet PossibleThreat Ikarus X Kaspersky Anti-Virus X NOD32 X Norman Virus Control X Panda Antivirus X Rising Antivirus X Sophos Antivirus Mal/Packer VirusBuster X VBA32 X

don77 View Member Profile	Mar 18 2008, 09:46 PM Post #8
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	Ok that came back clean Lets finish cleaning up the last bits we have Reboot into SAFE MODE Search for and delete the Folder below C:\Documents and Settings\All Users\Application Data\Trymedia Reboot back to normal mode Next Now you should Set a New Restore Point *to prevent possible reinfection* from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: Go to Start > Programs > Accessories > System Tools and click "System Restore". Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Then go to Start > Run and type: Cleanmgr Click "OK". Click the "More Options" Tab. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. Next** Rescan with Kaspersky post back the log and let me know how the machine is running

pocoloo View Member Profile	Mar 19 2008, 02:09 PM Post #9
Member Group: Members Posts: 17 Joined: 23-February 08 Member No.: 192,111	------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Wednesday, March 19, 2008 3:08:29 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 19/03/2008 Kaspersky Anti-Virus database records: 640187 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ Scan Statistics: Total number of scanned objects: 33874 Number of viruses found: 3 Number of infected objects: 7 Number of suspicious objects: 0 Duration of the scan process: 00:47:33 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-19_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped C:\Documents and Settings\All Users\Desktop\Downloads\BoggleSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.d skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Preferred Customer\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped C:\Documents and Settings\Preferred Customer\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped C:\Documents and Settings\Preferred Customer\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Preferred Customer\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Preferred Customer\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Preferred Customer\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Preferred Customer\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\History\History.IE5\MSHist012008031920080320\index.dat Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\Temp\~DF45C5.tmp Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\Temp\~DF871B.tmp Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Preferred Customer\Local Settings\Temporary Internet Files\Content.IE5\J79RV1SG\installadcleaner[1].cab/UADC_0001_D10M0210.exe Infected: not-a-virus:Downloader.Win32.AdvancedCleaner.c skipped C:\Documents and Settings\Preferred Customer\Local Settings\Temporary Internet Files\Content.IE5\J79RV1SG\installadcleaner[1].cab CAB: infected - 1 skipped C:\Documents and Settings\Preferred Customer\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Preferred Customer\NTUSER.DAT.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Norton AntiVirus\Savrt\0097NAV~.TMP Object is locked skipped C:\Program Files\Norton AntiVirus\Savrt\0760NAV~.TMP Object is locked skipped C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{32B47D5C-C13B-4968-9906-E14CF7889766}\RP438\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

don77 View Member Profile	Mar 19 2008, 03:37 PM Post #10
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	Much better Some more junk in your temp files go ahead and run ATF again and that will clean those out C:\Documents and Settings\All Users\Desktop\Downloads\BoggleSetup-dm[1].exe Delete that from your desk top C:\Documents and Settings\Preferred Customer\Desktop\SmitfraudFix remove smitfraudfix from your desk top as well. Aside from that everything looks good how is the machine behaving ?

pocoloo View Member Profile	Mar 19 2008, 06:23 PM Post #11
Member Group: Members Posts: 17 Joined: 23-February 08 Member No.: 192,111	Everything seem to be working great so far. Thank you very much for your assistance! It was greatly appreciated.

don77 View Member Profile	Mar 19 2008, 07:04 PM Post #12
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	Great to hear your very welcome For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements. Please also have a look at the following links, giving some advice and suggestions for preventing future infections: So How did I get infected? Microsoft - 'Security at home' Miekies' prevention suggestions Now you should Set a New Restore Point *to prevent possible reinfection* from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: Go to Start > Programs > Accessories > System Tools and click "System Restore". Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Then go to Start > Run and type: Cleanmgr Click "OK". Click the "More Options" Tab. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. I recommend you regularly visit the Windows Update Site , you where lagging behind on a few of them! Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating. By updating your machine, you have one less headache! Update ALL Critical updates and any other Windows updates for services/programs that you use. If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates. Note that it will download them for you, but you still have to actually click install. If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com. It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates. Another recommend, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps: Double-click the Downloaded installer and install the tool to a location of your choice Via the Startmenu, navigate to HostsMan and run the program. Click "Hosts" in the menu Click "Manage Updates" in the submenu Out of the three, select atleast one of the three (I have MVPS Host as my main one) Click "Add Update*." After that you will only need to click on the following button to retrieve updates: Click the X to exit the program. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.* Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there: Simple and easy ways to keep your computer safe and secure on the Internet Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

don77 View Member Profile	Mar 22 2008, 11:23 AM Post #13
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	This thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 4th July 2009 - 11:28 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive