Unbe-freakin'-lievable! I'm drowning, Help!


  • This topic is locked
18 replies to this topic

#1 garglemonkey

garglemonkey

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 10 August 2005 - 12:45 AM

Kind folks,
I tried to cure my system with Ad-Aware, Spybot and my Symantec AntiVirus, but alas - they keep coming... Tried uninstalling iexplore, but somehow, miraculously, it comes back too. Symantec keeps showing and deleting different Trojans and Worms, but lo and behold - they, too, keep coming! Please, help!


Logfile of HijackThis v1.99.1
Scan saved at 10:21:37 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [o3tV37T] ershela3.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
O4 - HKCU\..\Run: [Z029RXfFh] ds170.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86220112-BD54-4FB6-B531-00B0977BA0B2}: NameServer = 192.168.0.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:34 PM

Posted 11 August 2005 - 08:27 AM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Disable your Adwatch, because it can interfere with the fixes.

Uninstall next if present: LanBridge
Reboot afterwards.

To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [o3tV37T] ershela3.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
O4 - HKCU\..\Run: [Z029RXfFh] ds170.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; this is normal.


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Common Files\services.exe <== please don't try to delete services.exe present in your system32-folder
C:\WINDOWS\system32\lanbrup.exe
C:\WINDOWS\system32\wirelanb.dll
C:\Program Files\Common Files\mc-110-12-0000079.exe

* Still in safe mode, start CCleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

Post back a fresh HijackThis log and the log from ewido so I can take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
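As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python triage script that applies the same heuristics miekiemoes used when picking the R3/O4/O23 entries to fix: bare file names with no path, executables launched from a Temp folder, from odd folders under WINDOWS or straight from the Common Files root, random-looking Run names, and services with no owner string. The sample lines are copied from the logs posted in this thread; the heuristics and thresholds are my own assumptions.

```python
import re

# Sample HijackThis lines, copied from the logs in this thread (constructed subset).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [o3tV37T] ershela3.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
O4 - HKCU\..\Run: [Z029RXfFh] ds170.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\obvzsvc.exe
"""

# O4 Run entries: "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O23 services: "O23 - Service: display name - owner - path"
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First executable-looking token of a command line, with or without quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|scr|com|bat|pif|dll))"?', re.IGNORECASE)
# Short alphanumeric names such as o3tV37T are checked for a random look (assumed threshold).
RANDOM_NAME_RE = re.compile(r'^[A-Za-z0-9]{6,12}$')


def target_of(cmd):
    """Return the executable a Run entry launches, dropping quotes and arguments."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    return cmd.strip('"').split()[0] if cmd else ""


def location_reasons(path):
    """Heuristics on where the executable lives; returns a list of reasons (may be empty)."""
    p = path.lower().replace("/", "\\")
    reasons = []
    if not re.match(r'^[a-z]:\\', p):
        # No drive letter: Windows resolves the name through PATH at logon.
        reasons.append("bare file name, no full path")
        return reasons
    directory, _, filename = p.rpartition("\\")
    if "\\temp\\" in p:
        reasons.append("runs from a Temp folder")
    m = re.match(r'^[a-z]:\\windows(?:\\(?P<sub>.*))?$', directory)
    if m:
        top = (m.group("sub") or "").split("\\")[0]
        if top not in ("system32", "system") and filename != "explorer.exe":
            reasons.append("unusual location under the Windows folder: " + directory)
    if directory == r"c:\program files\common files":
        reasons.append("executable dropped directly into Common Files")
    return reasons


def looks_random(name):
    """Mixed-case alphanumeric name with at least two digits, e.g. Z029RXfFh (assumed rule)."""
    return (RANDOM_NAME_RE.match(name) is not None
            and sum(c.isdigit() for c in name) >= 2
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage_log(text):
    """Return the HijackThis lines worth a second look, each with the reasons it was flagged."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = O4_RE.match(line)
        if m:
            reasons += location_reasons(target_of(m.group("cmd")))
            if looks_random(m.group("name")):
                reasons.append("random-looking entry name [%s]" % m.group("name"))
        else:
            m = O23_RE.match(line)
            if m:
                if m.group("owner").lower() == "unknown owner":
                    reasons.append("service with no company/owner string")
                reasons += location_reasons(m.group("path"))
            elif line.startswith("R3 - Default URLSearchHook is missing"):
                reasons.append("default URLSearchHook removed, a common leftover of a browser hijacker")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

This is a first pass only: C:\WINDOWS\system32\lanbrup.exe sits in a normal folder with a plain name and is caught by nobody but a helper who recognises it, which is why the thread still asks for a fresh log and an online scan afterwards.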

#3 garglemonkey

garglemonkey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 12 August 2005 - 03:42 AM

Thank you very much indeed, Miekiemoes!
This seems to have worked for now, but it is better if you'd take another look, so here are the Ewido scan report and the fresh HJT log in this particular order. Please,
let me know what you think.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:21:50 AM, 8/12/2005
+ Report-Checksum: 5884DB04

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-484763869-842925246-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-484763869-842925246-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-484763869-842925246-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-484763869-842925246-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
C:\Program Files\Common Files\system32.dll/Catcher.dll -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\DNS\Catcher.dll -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\DNS\gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\InetGet\mc-110-12-0000079.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\WINDOWS\system\eupihvfpp.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\WINDOWS\system32\EDowST3.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\system32\nsx41.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\oahypxrc.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\yvdzyv.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.12:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hotlog : Cleaned with backup
-> : Error during cleaning
:mozilla.24:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.35:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.42:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.43:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.47:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.48:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.49:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.56:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.57:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.58:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.60:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.61:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.63:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.74:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.75:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.76:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.79:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.80:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.85:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.87:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.95:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.99:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.113:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.115:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.122:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Sex-in-www : Cleaned with backup
:mozilla.125:E:\WINDOWS\Application Data\Mozilla\Profiles\default\9lnd0uua.slt\cookies.txt -> Spyware.Cookie.Trakkerd : Cleaned with backup
E:\WINDOWS\Cookies\default@ad2.doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
E:\WINDOWS\Cookies\default@track-star[1].txt -> Spyware.Cookie.Track-star : Cleaned with backup
E:\WINDOWS\Cookies\default@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\WINDOWS\Cookies\default@hg1.hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\WINDOWS\Cookies\default@stats3.porntrack[1].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\Cookies\default@ads.adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
E:\WINDOWS\Cookies\default@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
E:\WINDOWS\Cookies\default@ad.doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
E:\WINDOWS\Cookies\default@www.popuptraffic[2].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
E:\WINDOWS\Cookies\default@www.myaffiliateprogram[3].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\WINDOWS\Cookies\default@ehg-uniontrib.hitbox[4].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\WINDOWS\Cookies\default@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\WINDOWS\Cookies\default@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
E:\WINDOWS\Cookies\default@track-star[2].txt -> Spyware.Cookie.Track-star : Cleaned with backup
E:\WINDOWS\Cookies\default@www.myaffiliateprogram[4].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\WINDOWS\Cookies\default@2o7[4].txt -> Spyware.Cookie.2o7 : Cleaned with backup
E:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup


::Report End

-------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:28:11 AM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\smxeenc.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\obvzsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [smxeenc] C:\WINDOWS\smxeenc.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86220112-BD54-4FB6-B531-00B0977BA0B2}: NameServer = 192.168.0.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\obvzsvc.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:34 PM

Posted 12 August 2005 - 03:52 AM

Hello,

Some things are showing in your log now that weren't present before, and I don't like them at all... but first I want to know what exactly they are.

Go to next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next files one by one:

C:\WINDOWS\obvzsvc.exe
C:\WINDOWS\smxeenc.EXE

Click submit and let it scan.
Post the results for both files in your next reply.

#5 garglemonkey

garglemonkey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 12 August 2005 - 11:51 AM

Here's what the online malware scan found:

File: obvzsvc.exe
Status:
POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 5d596fcc1ffb8e6fb542105e0aa051e9
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found Trojan.Dropper.Small.30 (probable variant)

---------------------------------------------------------------------------


File: smxeenc.exe
Status:
OK
MD5 236eb04e55809893270e119f09adbb91
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:34 PM

Posted 12 August 2005 - 11:58 AM

Hello,

Well, that C:\WINDOWS\obvzsvc.exe needs to go, that's for sure.

First of all, check and fix the following in HijackThis:

O4 - HKLM\..\Run: [smxeenc] C:\WINDOWS\smxeenc.EXE
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\obvzsvc.exe


Then open HijackThis again > click Config (bottom right) > Misc Tools > Delete a file on reboot.
In the field, copy and paste C:\WINDOWS\obvzsvc.exe and click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot. Click YES.

Your computer must reboot now.

I also want you to submit next file: C:\WINDOWS\smxeenc.EXE because I'm not sure whether it's legit or not. So I'll analyse it.

Submit it here:
http://www.bleepingcomputer.com/submit-malware.php

Post a new HijackThis log afterwards.

#7 garglemonkey

garglemonkey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 12 August 2005 - 12:52 PM

OK, I did all that you asked me, but before I show you the logs, this is what my Symantec AntiVirus found when I updated it:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.cmapp
File: C:\Program Files\asys\Stb.exe
Location: C:\Program Files\asys
Computer: TOLIK
User: Anatoly
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, August 12, 2005 9:56:04 AM

I also submitted the file you asked me to.
Here is the fresh log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:26 AM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86220112-BD54-4FB6-B531-00B0977BA0B2}: NameServer = 192.168.0.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Tschoos for now!
(Sorry, I'm in and out of here, so I may not always be able to reply immediately.)

#8 miekiemoes (Malware Response Team)

Posted 12 August 2005 - 01:07 PM

Hello,

Delete the following folder in safe mode: C:\Program Files\asys

About C:\WINDOWS\smxeenc.EXE, do you have an idea what this is? I'll submit it somewhere else for further analysis.

I'll let you know afterwards.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes (Malware Response Team)

Posted 12 August 2005 - 01:13 PM

OK, delete that smxeenc.EXE.

This one is responsible for producing banners, and we don't want that. :thumbsup:

Search your Windows folder for a file called ofxnm.dat and delete it as well.

Edit: post a new HijackThis log afterwards.

Edited by miekiemoes, 12 August 2005 - 05:24 PM.


#10 garglemonkey (Topic Starter)

Posted 12 August 2005 - 05:53 PM

OK, I got it all done - all three have been deleted (manually in safe mode) and a fresh HJT log follows. Hopefully I won't have to pick your brains any longer :thumbsup:

Oh, by the way, Ewido Security Guard comes on when I turn on the PC - do you recommend I keep it this way? I know that this machine is old and has limited memory, so the fewer applications I am running at any time, the more chance I've got to get things done...

Also, before I forget - I tried previously a program called BPS Spyware and Adware Remover and it may be one of the reasons for these problems. I uninstalled it but it still shows in Control Panel\Add or Remove Programs. Now, when I try to remove it, it tells me that it doesn't exist, therefore it cannot remove it; do you think this may be a problem? Two more programs are also showing there that I am not sure about (I think I tried uninstalling them at one point because I could not identify them - I know, I'm terribly stupid!!!). They are: ANIO Service and ANIWZCS2 Service.
Here goes the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:36:01 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86220112-BD54-4FB6-B531-00B0977BA0B2}: NameServer = 192.168.0.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#11 miekiemoes (Malware Response Team)

Posted 12 August 2005 - 06:15 PM

Hello, I see a clean log. :thumbsup:

About Ewido: if you don't want Ewido running in the background, open Ewido, choose Status, click Remove Guard and reboot. :flowers:

"Also, before I forget - I tried previously a program called BPS Spyware and Adware Remover and it may be one of the reasons for these problems"

Yes, BPS Spyware and Adware Remover is a so-called spyware remover with a bad reputation. Also read in my signature: "Click here and you'll find out which scanners NOT to install!!" for more info.
To get rid of that entry in your Add/Remove Programs:
Open HijackThis
Click Config (bottom right)
Misc Tools
Open Uninstall Manager
Select BPS Spyware and Adware Remover and click Delete this entry

"Two more programs are also showing there that I am not sure about (I think I tried uninstalling them at one point because I could not identify them - I know, I'm terribly stupid!!!) they are: ANIO Service and ANIWZCS2 Service."

Don't worry about them, they are legit and both related to http://www.alphanetworks.com/

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan for and clean so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Run your antispyware scanner(s) frequently and don't forget to update them first.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure security features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

More info on how to prevent malware can also be found here (by Tony Klein).

Happy surfing again! :trumpet:

#12 miekiemoes (Malware Response Team)

Posted 13 August 2005 - 01:20 AM

Hello,

Can you do me a little favour please?
Download RootkitRevealer: http://www.sysinternals.com/utilities/rootkitrevealer.html
Unzip it and click the Scan button.
When the scan is done, click File > Save at the top of the menu.
Save the log and post it in your next reply.

Also, perform the following:

Open Notepad and copy and paste the following lines into it:

rem look.bat: list files in the Windows folder whose names end in enc.exe, dll.exe or svc.exe
rem /a with no attribute letters lists hidden and system files as well as normal ones
dir %WinDir%\*enc.exe /a >> look1.txt
dir %WinDir%\*dll.exe /a >> look2.txt
dir %WinDir%\*svc.exe /a >> look3.txt
rem join the three listings into show.txt, delete the temporary files and open the result
copy look1.txt + look2.txt + look3.txt show.txt
del look*.txt
start notepad show.txt


Save this as look.bat (choose "All Files" as the file type) and place it on your desktop.
This is how the batch must look after you created it: (screenshot not reproduced)
Double-click look.bat and Notepad will open with some text in it.
Copy and paste this also in your next reply.
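The same search that look.bat performs, as an added example in Python that is not part of the original thread and not the helper's own script. It lists the files in one folder whose names end in the three suffixes, reports whether each one is hidden (the Windows hidden attribute via st_file_attributes, or a leading dot elsewhere), and additionally flags any file whose modification time predates the Windows XP release, since a system executable claiming a date like 12/12/1989 is a common sign of a forged timestamp. The suffix list, the cut-off date and the sample file names in demo() are assumptions constructed for this illustration.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Suffixes mirroring the three "dir %WinDir%\*enc.exe", "*dll.exe", "*svc.exe"
# searches in look.bat (assumption: the helper's chosen suffixes, not an
# exhaustive list of malware naming habits).
SUFFIXES = ("enc.exe", "dll.exe", "svc.exe")

# Windows XP was released in 2001; a file in the Windows folder claiming an
# earlier modification time is a hint that its timestamp was forged.
# The exact cut-off is an assumption for illustration.
EARLIEST_PLAUSIBLE = datetime(2001, 8, 24, tzinfo=timezone.utc)


def is_hidden(path):
    """True if the file carries the Windows hidden attribute or is a dotfile."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def find_suspicious(directory, suffixes=SUFFIXES, earliest=EARLIEST_PLAUSIBLE):
    """Scan one directory (non-recursive, like `dir`) for files whose names end
    in one of the suffixes. Returns a list of dicts, sorted by name, with the
    size, hidden flag, mtime and whether the mtime predates `earliest`."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        lowered = name.lower()
        if not any(lowered.endswith(s) for s in suffixes):
            continue
        st = os.stat(path)
        mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        hits.append({
            "name": name,
            "size": st.st_size,
            "hidden": is_hidden(path),
            "mtime": mtime,
            "timestomped": mtime < earliest,
        })
    return hits


def demo():
    """Build a throwaway directory of constructed sample files and scan it."""
    workdir = tempfile.mkdtemp(prefix="look_")
    # Constructed samples: the odd name and 1989 date imitate the obvzsvc.exe
    # entry from the thread; notepad.exe does not match any suffix and is a
    # decoy; the dotfile shows the hidden flag on non-Windows systems.
    samples = {
        "obvzsvc.exe": datetime(1989, 12, 12, 10, 10, tzinfo=timezone.utc),
        "notepad.exe": datetime(2004, 8, 4, tzinfo=timezone.utc),
        ".hiddenenc.exe": datetime(2005, 8, 1, tzinfo=timezone.utc),
    }
    for name, when in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return find_suspicious(workdir)


if __name__ == "__main__":
    for hit in demo():
        flags = []
        if hit["hidden"]:
            flags.append("hidden")
        if hit["timestomped"]:
            flags.append("mtime before XP release")
        print(f"{hit['mtime']:%Y-%m-%d} {hit['size']:>8} {hit['name']} {' '.join(flags)}")
```

To use it on a real machine, call find_suspicious(os.environ["WINDIR"]) instead of demo(); the suffix match is a name heuristic only, so every hit still needs the file submitted for analysis, exactly as the helper does with the files found here.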

#13 garglemonkey (Topic Starter)

Posted 13 August 2005 - 06:39 PM

Hi,
It's a pleasure watching you work - you REALLY seem to know what you are doing, man! My PC has been performing pretty well after the "cleanup" conducted by you!
Thanks, your help is sincerely appreciated!!!
This is the last info you wanted to see:

RootkitRevealer:
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 10/3/2004 9:37 PM 0 bytes Hidden from Windows API.

Look.bat:

Volume in drive C has no label.
Volume Serial Number is 14C2-058E

Directory of C:\WINDOWS


Directory of C:\Documents and Settings\Anatoly\Desktop

Volume in drive C has no label.
Volume Serial Number is 14C2-058E

Directory of C:\WINDOWS


Directory of C:\Documents and Settings\Anatoly\Desktop

Volume in drive C has no label.
Volume Serial Number is 14C2-058E

Directory of C:\WINDOWS

12/12/1989 10:10 AM 126,976 obvzsvc.exe
1 File(s) 126,976 bytes

Directory of C:\Documents and Settings\Anatoly\Desktop



Edited by garglemonkey, 14 August 2005 - 01:03 AM.


#14 garglemonkey (Topic Starter)

Posted 14 August 2005 - 01:21 AM

Oooops!

I just turned on my Ad-watch and guess what it showed:

! Warning! 11:08:51 PM
An attempt to alter a protected object has been detected.
(Attempt to delete a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Run
Value: lanbrup
Data: C:\WINDOWS\system32\lanbrup.exe
New Data:
Please choose how to proceed.

Click here for advice

Accept Block


This is pretty much all that it's showing. I also manually (Windows Explorer) looked for lanbrup.exe in system32 but it was not there. What should I do? Does this mean that lanbrup.exe has not been deleted and is still causing problems? I probably messed up something somewhere :thumbsup: I will keep this on as is until I get instructions from you how to proceed...

Cheers for now

Edited by garglemonkey, 14 August 2005 - 01:48 AM.


#15 miekiemoes (Malware Response Team)

Posted 14 August 2005 - 04:03 AM

Hello,

Thanks for the kind words. :thumbsup:

Please delete C:\WINDOWS\obvzsvc.exe

About your Ad-Watch... Well, after you turned on Ad-Watch, it sees the changes that you made yourself in the registry (fixing in HijackThis), and it treats the deletion of a key as an attempt as well... and that's why it is giving that alert.
In such cases you have to allow it instead of blocking it...
Now that you blocked it, most probably the next entry will be present in HijackThis again:
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe

and maybe some others also that you checked and fixed before.

So please disable your Ad-Watch again, check and fix those entries again and, after enabling Ad-Watch again, make sure you allow it this time instead of blocking the changes. However, Ad-Watch can be very stubborn in this and blocks the changes anyway, no matter what you tell it to do.
So in that case, I'd rather suggest you uninstall Ad-Aware SE Professional, reboot, check and fix the bad entries in HijackThis again and install Ad-Aware SE Professional again afterwards.

BUT.. first make sure that C:\WINDOWS\system32\lanbrup.exe is really gone from your system.

Look in your Add/Remove Programs to see if LanBridge is still present and uninstall it.

Also check whether the following are still present in your system32 folder and delete them:

wirelanb.dll
lanbrup.exe
lanbruns.exe (if you uninstalled LanBridge, this one won't be present anymore)

Let me know afterwards. :flowers:



