
Please help



#1 jaygirard

jaygirard


Posted 08 February 2005 - 01:48 PM

Logfile of HijackThis v1.99.0
Scan saved at 12:46:31 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay Girard\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2556ED10-BD3B-4C20-8AEA-22678A9E86DB} - C:\WINDOWS\System32\gbebie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/comcast/TrueInstallComcast.exe
O18 - Filter: text/html - {B4B35BBE-26EB-49E6-965B-C86EC524C716} - C:\WINDOWS\System32\gbebie.dll
O18 - Filter: text/plain - {B4B35BBE-26EB-49E6-965B-C86EC524C716} - C:\WINDOWS\System32\gbebie.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 OldTimer

OldTimer

    Malware Expert



Posted 09 February 2005 - 02:17 PM

Hello jaygirard and welcome to BC. I am presently reviewing your log and will respond back to you as quickly as I can.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 OldTimer

OldTimer

    Malware Expert



Posted 10 February 2005 - 10:20 AM

Hello again jaygirard. It looks like you might be having a few problems. Let's see if we can fix them.

Step # 1

To begin, click on the link below to download the CWShredder tool:

CWShredder Tool

Once downloaded, unzip it into its own directory. Start CWShredder and click on the Fix button.

Step # 2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2556ED10-BD3B-4C20-8AEA-22678A9E86DB} - C:\WINDOWS\System32\gbebie.dll (file missing)
O18 - Filter: text/html - {B4B35BBE-26EB-49E6-965B-C86EC524C716} - C:\WINDOWS\System32\gbebie.dll
O18 - Filter: text/plain - {B4B35BBE-26EB-49E6-965B-C86EC524C716} - C:\WINDOWS\System32\gbebie.dll


Now click the Fix Checked button to finish the repair.

Step # 3

Now follow these steps to reboot into Safe Mode and delete the offending files.

How to Start To Safe Mode Using the F8 method:

* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Find the following files/directories and delete them (don't worry if they are already gone):

C:\WINDOWS\SYSTEM32\gbebie.dll

Next, let's clean up the temporary directories:
* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup.
* Select all items shown and click the OK button.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

OT :thumbsup:

#4 jaygirard

jaygirard
  • Topic Starter


Posted 13 February 2005 - 03:43 PM

The log does not show anything after running CWShredder that you tell me to fix. Here is my new log....


Logfile of HijackThis v1.99.0
Scan saved at 2:21:24 PM, on 2/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Documents and Settings\Jay Girard\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/comcast/TrueInstallComcast.exe
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 OldTimer

OldTimer

    Malware Expert



Posted 14 February 2005 - 07:34 PM

Hey jaygirard. It looks like the original infection is gone but you now have a different variant. We will need a couple of additional tools for this one. Follow the steps below in order:

Step # 1

Download these tools:
* Symantec Removal Tool
* Ad-Aware

Step # 2

Follow these directions to install and configure AdAware SE: AdAware Tutorial
Perform an update but do not run a scan with AdAware yet.

Step # 3

Double-click the FxAgentB file to run it and the program will scan your entire hard drive. This may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.

Reboot when done.

Step # 4

Run CWShredder and choose Fix as opposed to 'Scan Only'.

Step # 5

Now follow these steps to reboot into Safe Mode and show hidden files.

Start in Safe Mode Using the F8 method:
* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Step # 6

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll,DllInstall

Now click the Fix Checked button to finish the repair.

Step # 7

Next, let's clean up the temporary directories:
* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup
* Select all items shown and click the OK button.

OK. Reboot your computer normally.

Step # 8

Run a full scan with AdAware SE:
* Start AdAware SE.
* Click Start.
* Select Perform Full System scan and Next to start the scan.
* When the scan is finished, the screen will tell you if anything has been found, click Next.
* The bad files will be listed, right click the pane and click Select all objects.
* Click Next again and click OK at the prompt "# objects will be removed. Continue?".

Step # 9

Reboot when done, rescan with HijackThis and post a new log here together with the FxAgentB log.

OT :thumbsup:
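Added example (my own script, not a HijackThis or BleepingComputer tool): a small Python triage helper that applies the rules OldTimer used on the two logs above to HijackThis entry lines: R0/R1 values redirected into a res://...dll resource, O18 MIME filters on text/html and text/plain, O2 BHOs that share a DLL with a res:// hijack, and O4 Run entries that load a DLL from a Temp directory through rundll32. The sample lines are copied from this thread's logs; the rule set and function names are assumptions of the example, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis entry lines (added example, not a HijackThis
or BleepingComputer tool).  The rules mirror what the helper in this thread acted
on: the res://...dll/sp.html search hijack with its O18 MIME filter (gbebie.dll)
and the O4 rundll32 ...,DllInstall loader dropped in %Temp% (se.dll)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, original log line)

# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM32\gbebie.dll/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"O2 - BHO: (no name) - {2556ED10-BD3B-4C20-8AEA-22678A9E86DB} - C:\WINDOWS\System32\gbebie.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe",
    r"O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll,DllInstall",
    r"O18 - Filter: text/html - {B4B35BBE-26EB-49E6-965B-C86EC524C716} - C:\WINDOWS\System32\gbebie.dll",
    r"O18 - Filter: text/plain - {B4B35BBE-26EB-49E6-965B-C86EC524C716} - C:\WINDOWS\System32\gbebie.dll",
]

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RES_DLL_RE = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)        # res://<path>.dll/sp.html
DLL_PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.dll)", re.IGNORECASE)  # first drive-letter path ending in .dll
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)               # any ...\Temp\... component


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Split each entry line into (section code, body, stripped raw line)."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def triage(lines: List[str]) -> List[Finding]:
    entries = parse(lines)
    findings: List[Finding] = []
    implicated = set()  # DLL basenames named by a res:// search/start page hijack

    # Pass 1: R0/R1 entries whose value is a resource inside a DLL rather than a URL.
    for section, body, raw in entries:
        if section.startswith("R"):
            m = RES_DLL_RE.search(body)
            if m:
                implicated.add(basename(m.group(1)))
                findings.append(("IE search/start page redirected into a DLL resource (res://)", raw))

    # Pass 2: entries that load code, judged on their own or by correlation with pass 1.
    for section, body, raw in entries:
        if section == "O18" and body.startswith("Filter: "):
            mime = body.split(" - ")[0][len("Filter: "):]
            if mime in ("text/html", "text/plain"):
                findings.append((f"MIME filter on {mime} rewrites every page IE renders", raw))
        elif section == "O4":
            if "rundll32" in body.lower() and TEMP_DIR_RE.search(body):
                findings.append(("Run key loads a DLL from a Temp directory via rundll32", raw))
        elif section == "O2":
            m = DLL_PATH_RE.search(body)
            if m and basename(m.group(1)) in implicated:
                findings.append(("BHO shares its DLL with a res:// search hijack", raw))
    return findings


def hijack_dlls(lines: List[str]) -> List[str]:
    """DLL basenames named in any finding: the files to look for in Safe Mode."""
    names = set()
    for _reason, raw in triage(lines):
        for m in DLL_PATH_RE.finditer(raw):
            names.add(basename(m.group(1)))
    return sorted(names)


if __name__ == "__main__":
    for reason, raw in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {raw}")
    print("DLLs to inspect:", ", ".join(hijack_dlls(SAMPLE_LOG)))
```

The Spybot SDHelper.dll BHO and the Symantec Run entry pass through untouched, which is the point: only entries correlated with a hijack or loading code from a Temp directory are raised.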

#6 jaygirard

jaygirard
  • Topic Starter


Posted 20 February 2005 - 10:36 PM

Hi Old Timer:

Hey, I REALLY appreciate the advice you are giving me. I've done everything you suggested and I'm attaching a new HijackThis.log and FxAgentB.log. Please let me know what you think.

Sincerely,

Jay

Logfile of HijackThis v1.99.0
Scan saved at 9:11:37 PM, on 2/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jay Girard\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: IE 4.x-6.x BHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\POPUPB~1\IEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/comcast/TrueInstallComcast.exe
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 000002A8 (terminated)
process: services.exe, thread: 00000308 (terminated)
process: lsass.exe, thread: 00000304 (terminated)
process: svchost.exe, thread: 000003C4 (terminated)
process: svchost.exe, thread: 00000438 (terminated)
process: svchost.exe, thread: 000004BC (terminated)
process: svchost.exe, thread: 00000568 (terminated)
process: svchost.exe, thread: 000005B4 (terminated)
process: CCSETMGR.EXE, thread: 000007A8 (terminated)
process: CCEVTMGR.EXE, thread: 000007D4 (terminated)
process: spoolsv.exe, thread: 00000144 (terminated)
process: explorer.exe, thread: 00000270 (terminated)
process: acsd.exe, thread: 000004D0 (terminated)
process: NAVAPSVC.EXE, thread: 0000054C (terminated)
process: SAVScan.exe, thread: 000005C8 (terminated)
process: symlcsvc.exe, thread: 00000664 (terminated)
process: wanmpsvc.exe, thread: 00000688 (terminated)
process: symwsc.exe, thread: 0000013C (terminated)
process: CCAPP.EXE, thread: 000005C4 (terminated)
process: TrueAssistant.exe, thread: 000004D8 (terminated)
process: PopupBeGone.exe, thread: 000008C8 (terminated)
process: alg.exe, thread: 000008F8 (terminated)
process: rundll32.exe, thread: 00000BA4 (terminated)
process: iexplore.exe, thread: 00000344 (terminated)
process: msmsgs.exe, thread: 0000041C (terminated)
process: FxAgentB[1].exe, thread: 00000300 (terminated)
process: hpohid05.exe, thread: 0000075C (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\WINDOWS\SYSTEM32\comci.dll: (will be deleted on next reboot)

The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 59248
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 27
The number of registry entries fixed: 1

The tool initiated a system reboot.

Edited by jaygirard, 20 February 2005 - 10:45 PM.


#7 OldTimer

OldTimer

    Malware Expert



Posted 21 February 2005 - 06:20 PM

Hello again jaygirard. Your log looks pretty good. There is only 1 item we need to fix. Also, it appears that the FxAgentB tool removed the infection quite nicely.

OK let's start. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAYGIR~1\LOCALS~1\Temp\se.dll/sp.html

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

To clean out your temp files, click on Start and then Run, and type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Click the Edit menu item and then click Select All. Now click the File menu and click Delete. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Do this same process for %windir%\temp.

Now I want you to click Start then Settings then Control Panel. Double-click the Internet Options icon. On the General tab, which should be the first tab and the one you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

OK. Reboot your computer normally.

I would also like you to download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

Now start HijackThis and perform a new scan. Post your new log file back here along with the information from above as a reply to this topic and I will review it.

Additional information

I noticed that you are running Spyware Vanisher. You might be interested that this program is listed as a rogue product for spyware elimination. Here is a link to a site that evaluates anti-spyware applications and then reports on them: http://www.spywarewarrior.com/rogue_anti-spyware.htm. According to Spyware Warrior this product uses:

false positives work as goad to purchase; same company as SpywareBeGone


Just thought you might like to know this.

Cheers,

OT :thumbsup:



