Lost control of home page


3 replies to this topic

#1 silverfox

silverfox

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 23 July 2005 - 08:01 AM

I've been directed to your site for HELP with my hijacked system. Below is my log:
Logfile of HijackThis v1.99.1
Scan saved at 8:42:13 AM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\addbo32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RUTH\My Documents\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {994EAEDC-92B3-674C-EDD3-1C0AF1A726C5} - C:\WINDOWS\ntxz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [addbo32.exe] C:\WINDOWS\system32\addbo32.exe
O4 - HKLM\..\RunOnce: [iezr32.exe] C:\WINDOWS\system32\iezr32.exe
O4 - HKLM\..\RunOnce: [apigv32.exe] C:\WINDOWS\apigv32.exe
O4 - HKLM\..\RunOnce: [crxa32.exe] C:\WINDOWS\crxa32.exe
O4 - HKLM\..\RunOnce: [mfchj.exe] C:\WINDOWS\mfchj.exe
O4 - HKLM\..\RunOnce: [ntxz.exe] C:\WINDOWS\ntxz.exe
O4 - HKLM\..\RunOnce: [javafk.exe] C:\WINDOWS\system32\javafk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096041050109
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.blackphotocentre.com/activex/PCAXSetup.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{05A976FF-D70B-4C04-98F8-A33D4045E031}: NameServer = 206.47.244.102 209.226.175.141
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iezr32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please advise next steps... Thanks!

#2 g2i2r4

g2i2r4

Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:33 AM

Posted 24 July 2005 - 05:30 AM

Welcome silverfox to Bleeping Computer.

Please download and install these programs - don't run them yet!!

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

***

Please download and install AdAware SE 1.06.
Check here on how to set up and use it - please make sure you update it first.

***

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=F...ownload&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

***

Download http://cwshredder.net/bin/CWShredder.exe

***

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".


+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Network Security Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\system32\addbo32.exe

If you find the file, click on it, and then click End Process => Exit the Task Manager.

***

CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bqkuv.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {994EAEDC-92B3-674C-EDD3-1C0AF1A726C5} - C:\WINDOWS\ntxz.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [addbo32.exe] C:\WINDOWS\system32\addbo32.exe

O4 - HKLM\..\RunOnce: [iezr32.exe] C:\WINDOWS\system32\iezr32.exe

O4 - HKLM\..\RunOnce: [apigv32.exe] C:\WINDOWS\apigv32.exe

O4 - HKLM\..\RunOnce: [crxa32.exe] C:\WINDOWS\crxa32.exe

O4 - HKLM\..\RunOnce: [mfchj.exe] C:\WINDOWS\mfchj.exe

O4 - HKLM\..\RunOnce: [ntxz.exe] C:\WINDOWS\ntxz.exe

O4 - HKLM\..\RunOnce: [javafk.exe] C:\WINDOWS\system32\javafk.exe

O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iezr32.exe" /s (file missing)

***

Delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\system32\addbo32.exe
C:\WINDOWS\system32\iezr32.exe
C:\WINDOWS\apigv32.exe
C:\WINDOWS\crxa32.exe
C:\WINDOWS\mfchj.exe
C:\WINDOWS\ntxz.exe
C:\WINDOWS\system32\javafk.exe

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

***

Run AboutBuster. This will scan your computer for the bad files and delete them.
Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end. If it comes back with results, rerun it till it comes back clean.

Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

***

Scan with AdAware and let it remove any bad files found.

***

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

***

Double click on the cwsserviceremove and when asked to merge say yes.

***

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

***

Reboot into normal mode.

***

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

***

Download and run this online virus scan:
Panda ActiveScan
Make sure it's set to scan the entire disk and check that it's set to autoclean or clear.
When it's done, save the results for me.

***

Then reboot to normal mode.
Post back in this topic with a fresh Hijack This log to see how we did.
Also post me the About:Buster log and the Panda log.


Life is what happens while you're making other plans
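A log-triage script, added here as an example and not part of this thread or of HijackThis itself: it applies the patterns the helper picked out above (res:// search-page redirects, the missing URLSearchHook, randomly named loaders dropped straight into the Windows folder, a service whose binary is missing) to entries copied from the posted log. The regexes, the allowlist of genuine system files and the "4-6 random letters, optionally 32" rule are my own heuristics, not HijackThis rules, and the sample lines are a constructed subset of the log above.

```python
import re

# Constructed sample input: entries copied from the HijackThis v1.99.1 log posted
# above, interleaved with the benign Norton / ATI / Symantec entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqkuv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {994EAEDC-92B3-674C-EDD3-1C0AF1A726C5} - C:\WINDOWS\ntxz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [addbo32.exe] C:\WINDOWS\system32\addbo32.exe
O4 - HKLM\..\RunOnce: [apigv32.exe] C:\WINDOWS\apigv32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iezr32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# "<section> - <body>" is the shape of every HijackThis entry.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First Windows path ending in .exe/.dll/.dat; stops before trailing args such as '" /s (file missing)'.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|dat))', re.IGNORECASE)
# A file sitting directly in the Windows folder or in system32 (no deeper subfolder).
WINDIR_RE = re.compile(r"^[A-Za-z]:\\(?:windows|winnt)\\(?:system32\\)?([^\\]+)$", re.IGNORECASE)
# Heuristic: 4-6 lowercase letters, optionally followed by "32", as in bqkuv.dll, addbo32.exe, iezr32.exe.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,6}(?:32)?\.(?:exe|dll|dat)$")
# Genuine Windows files that happen to fit that pattern (partial allowlist; extend it for real use).
KNOWN_SYSTEM = {
    "smss.exe", "csrss.exe", "lsass.exe", "ctfmon.exe", "rundll32.exe", "regsvr32.exe",
    "shell32.dll", "user32.dll", "kernel32.dll", "advapi32.dll", "comctl32.dll", "crypt32.dll",
}


def extract_path(text):
    """Pull the first file path out of an entry body, or None if there is none."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def looks_like_dropped_loader(path):
    """True for a randomly named, non-system file dropped straight into %WINDIR% or system32."""
    m = WINDIR_RE.match(path.strip().strip('"'))
    if not m:
        return False
    name = m.group(1).lower()
    return name not in KNOWN_SYSTEM and RANDOM_NAME_RE.match(name) is not None


def classify(section, body):
    """Return a reason string if the entry matches one of the hijack patterns, else None."""
    path = extract_path(body)
    if section in ("R0", "R1") and "res://" in body:
        return "IE search/start page redirected into a local DLL resource (res://)"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook has been removed"
    if section == "O2":
        name = body.split(" - ")[0]
        if name.startswith("BHO: "):
            name = name[len("BHO: "):].strip()
        if name in ("Class", "(no name)") or (path is not None and looks_like_dropped_loader(path)):
            return "BHO with a generic name or a randomly named DLL in the Windows folder"
    if section == "O4" and path is not None and looks_like_dropped_loader(path):
        return "Run/RunOnce entry launching a randomly named file from the Windows folder"
    if section == "O23":
        if "(file missing)" in body:
            return "service whose binary is missing (typical of a partially removed hijacker)"
        if "Unknown owner" in body and path is not None and looks_like_dropped_loader(path):
            return "service with unknown owner pointing at a dropped loader"
    return None


def triage(log_text):
    """Scan a HijackThis log and return (section, reason, line) for every suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes" block, blank lines
        section, body = m.groups()
        reason = classify(section, body)
        if reason:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full posted log it flags the same entries the helper listed for "Fix Checked", apart from the KernelFaultCheck and about:blank lines, which match none of the patterns above.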

#3 silverfox

silverfox
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 24 July 2005 - 03:16 PM

Thanks for your instructions, I appreciate your help. What a horrible mess this thing is... I've now spent eight hours of my precious time away from family and weekend events trying to undo this stupid and malicious attack on my privacy (venting)!!

Most everything ran smoothly, except I ran About:Buster seven additional times and each time it came back with one or two streams to be removed, although the files appeared to be clean. I have attached the AB log file and Panda log after the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:59:02 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\RUTH\My Documents\HiJackThis\hijackthis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096041050109
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.blackphotocentre.com/activex/PCAXSetup.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{05A976FF-D70B-4C04-98F8-A33D4045E031}: NameServer = 206.47.244.102 209.226.175.141
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

++++++++++++++++++++++++++++++++++++++++++++++++++++
AB Log:
AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:13:42 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:cnfhc
------------------------------------------------
Removed File! : C:\Windows\bhwko.dat
Removed File! : C:\Windows\ccibt.dll
Removed File! : C:\Windows\cqjqt.dll
Removed File! : C:\Windows\cyhcc.dll
Removed File! : C:\Windows\mqkck.dll
Removed File! : C:\Windows\ujxdj.dll
Removed File! : C:\Windows\vtxwz.dll
Removed File! : C:\Windows\System32\ffnbb.dll
Removed File! : C:\Windows\System32\yjhid.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:15:11 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:18:12 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:dcfmc
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:19:53 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:20:05 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:dctmu
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:20:43 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:20:58 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:dczyu
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:21:41 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:22:13 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:dfyyhy
Removed Stream! C:\WINDOWS\_default.pif:dgvlz
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:22:50 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:23:01 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:dkavvv
Removed Stream! C:\WINDOWS\_default.pif:dtgly
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:23:39 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:24:13 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:ebymey
Removed Stream! C:\WINDOWS\_default.pif:edyji
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:24:52 PM


AboutBuster 5.0 reference file 31
Scan started on [7/24/2005] at [2:26:36 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:ehiaoc
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:28:17 PM

+++++++++++++++++++++++++++++++++++++++++++++++++++
ACTIVE SCAN LOG:

Incident Status Location

Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\RUTH\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/mywebsearch No disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr
Adware:adware/funweb No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OFFICE\OUTLOOK\ADDINS\MYWEBSEARCH.OUTLOOKADDIN
Adware:adware/midaddle No disinfected HKEY_CLASSES_ROOT\CLSID\{C8CDF86E-4E1F-F9B6-47DB-7B0058A0E715}
Adware:adware/myway No disinfected HKEY_LOCAL_MACHINE\software\classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:Adware/Spywad No disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-e1df023-45a96491.class
Adware:Adware/CWS No disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-65b432d-32b2d0b7.class
Adware:Adware/CWS No disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-62f437e6.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2673146d-50df1660.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-72e4c24d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-72e4c24d.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-72e4c24d.zip[Dummy.class]
Adware:Adware/Startpage.JU No disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-72e4c24d.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-3417341a.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-7f3798a6.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-544d1b10-332a0471.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1a59f252-66711c41.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-5ee8b393-42d86df1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-816d55-107fc47c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1308371c-77255f41.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv109.jar-85e11de-502bcec5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv109.jar-85e11de-502bcec5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv204.jar-5e1758fa-72f50157.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv204.jar-5e1758fa-72f50157.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv248.jar-6523197a-436e5ee4.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv248.jar-6523197a-436e5ee4.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv265.jar-68628435-4f9e052b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv265.jar-68628435-4f9e052b.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv307.jar-1327dabe-2b4b0760.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-14b26cda-4efe0679.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-19b4c7b5-73f8bb58.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-19b4c7b5-73f8bb58.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv428.jar-3343c78f-2cc911a5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv428.jar-3343c78f-2cc911a5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv465.jar-7f9cb304-657d12d9.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv465.jar-7f9cb304-657d12d9.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv519.jar-668341b2-22698f3c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv519.jar-668341b2-22698f3c.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv54.jar-23cf3853-69e485b1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv54.jar-23cf3853-69e485b1.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv551.jar-6ce5e826-620f7799.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv551.jar-6ce5e826-620f7799.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv556.jar-6d2c5dab-7fd2ec15.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv556.jar-6d2c5dab-7fd2ec15.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv611.jar-122156ba-19e61268.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv611.jar-122156ba-19e61268.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderms.jar-108db11d-29c849b3.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderms.jar-108db11d-29c849b3.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-25810a4e-149e585c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-25810a4e-4075199f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-25810a4e-43cfab24.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-25810a4e-49509789.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\RUTH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-25810a4e-499f43b9.zip[Dummy.class]
Adware:Adware/FunWeb No disinfected C:\WINDOWS\system32\f3PSSavr.scr
+++++++++++++++++++++++++++++++++++++++++++++++++++++

I'll await your reply.
Ruth

#4 g2i2r4

g2i2r4

Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:33 AM

Posted 24 July 2005 - 04:01 PM

Okay, let's call in another helper.

Open HiJackThis
Go to the misc tools section
Click on "Open ADS Spy"
Click on "Scan"
Select all it finds
Remove selected
Close HijackThis.

***

Now rerun AboutBuster till it no longer finds streams or files.

***

Go to Start - software panel
Set it to classic view
Open the Java console
Clean out temp files and cache
Close the Java console and all other windows.

***

Open HiJackThis
go to the misc tools section again.
Click on the Box that says "Uninstall Manager"
Click on MyWebSearch
Click on Delete this entry
Click "Yes"
Close HijackThis again.

***

Now reboot the computer. Can you rerun Panda to see what is left?

Edited by g2i2r4, 24 July 2005 - 04:02 PM.



Life is what happens while you're making other plans



