Spy Sheriff



#1 Littlewolf


Posted 27 December 2005 - 03:08 PM

Hi everyone,
My name is Frank and this is my first post. I found this site by googling on spy sheriff. I am a major amateur when it comes to computers and I am hoping someone can help me.

I spent some time lurking on this site and made an attempt to remove spy sheriff on my own. I started by cleaning out my temporary internet files, recycle bin and temporary files. Then I followed the instructions on this website. Downloaded Cleanup and Ewido, went into safe mode and ran them. Then rebooted in normal mode and used Control Panel to remove the files listed (some were not there but I deleted what I found).

Then I went to smitfraud.reg and cleaned out the prefetch file. The prefetch file was in c:\WINNT not c:\Windows though. After reboot it seemed that I still had some issues, and the issues were different depending on whether it was me or my wife who logged in. So this morning I downloaded Ad-Aware SE, Spybot S&D, and Spywareblaster. Ran those to remove problems then ran through Ewido again.

I seem to have removed spy sheriff and regained control of my wallpaper, but personal settings are slow on log on and I keep getting an Ewido message saying that it has found a program that needs to be cleaned. When I select clean, Ewido comes back several minutes later asking me to clean the same file, which is alt.exe. Same with my wife, but Ewido refers to a different file when logged on as her.

Here is my last HJT file...
Do I have to make fixes under both our usernames?

Logfile of HijackThis v1.99.1
Scan saved at 2:09:27 PM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R3 - URLSearchHook: (no name) - {1D1C46E1-6954-A963-3E5E-DE4F121373D8} - avpmondll.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: C:\WINNT\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINNT\adsldpbf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20001\winlogon.exe
O4 - HKLM\..\Run: [wormexe] forces_elite.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [prcmon] KeywordFinder.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [dmckt.exe] C:\WINNT\System32\
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [srbho] prgsys0984.exe
O4 - HKCU\..\Run: [SpyElim] newbreed.exe
O4 - HKCU\..\Run: [barint] RtlFindVal.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINNT\alt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8493F254-CA2B-4128-B3FA-EA6A3EA0A3E7}: NameServer = 85.255.114.93,85.255.112.6
O20 - Winlogon Notify: browsela - C:\WINNT\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - C:\WINNT\SYSTEM32\msupdate32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


 


#2 miekiemoes

  • Malware Response Team

Posted 28 December 2005 - 04:53 AM

Hello, you have several different infections which need special treatment.

It's better to print out the following instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.
Follow the prompts. It will tell you to shut down your system with the power button, so please do so; there is a reason for this.
Restart your computer afterwards.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download and install CCleaner
Do not use it yet.

* I see you already have Ewido installed. Please update it, but don't scan with it yet!

* Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {1D1C46E1-6954-A963-3E5E-DE4F121373D8} - avpmondll.dll (file missing)
O2 - BHO: C:\WINNT\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINNT\adsldpbf.dll
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20001\winlogon.exe
O4 - HKLM\..\Run: [wormexe] forces_elite.exe
O4 - HKLM\..\Run: [prcmon] KeywordFinder.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [dmckt.exe] C:\WINNT\System32\
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [srbho] prgsys0984.exe
O4 - HKCU\..\Run: [SpyElim] newbreed.exe
O4 - HKCU\..\Run: [barint] RtlFindVal.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINNT\alt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8493F254-CA2B-4128-B3FA-EA6A3EA0A3E7}: NameServer = 85.255.114.93,85.255.112.6
O20 - Winlogon Notify: browsela - C:\WINNT\system32\browsela.dll
O20 - Winlogon Notify: msupdate - C:\WINNT\SYSTEM32\msupdate32.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, press and hold your "F8 Key" as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINNT\inet20001 <== folder
C:\WINNT\alt.exe
C:\WINNT\system32\browsela.dll
C:\WINNT\SYSTEM32\msupdate32.dll

* Still in Safe Mode, start CCleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan.
Check whether any of the entries I asked you to check and fix before are still present, and if so, check and fix them again.

If you also see an entry in your O4 lines in HijackThis starting with dm..., for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINNT\system32\dm***.exe (the *** stands for random letters), or starting with hg..., for example:
O4 - HKLM\..\Run: [hg***.exe] C:\WINNT\System32\hg***.exe
check it as well. If you're not sure, leave it and only check the ones I asked you to check.


Click Fix Checked. Close HijackThis, and click OK to proceed.

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a fresh HijackThis log, the contents of the logfile c\windelf.txt, the log from Fixwareout which you will find here: C:\fixwareout\report.txt, the log from smitrem (C:\smitfiles.txt) and the ewido-log so I can take another look.

So I need 6 logs in your next reply. If you can't post them in one post, use two posts instead.

#3 Littlewolf


Posted 28 December 2005 - 01:37 PM

Thanks for your help on this.

Here is the Panda Scan Report

Incident Status Location

Spyware:Spyware/BetterInet Not disinfected C:\RECYCLER\S-1-5-21-2388472260-2191333442-3289738092-500\Dc2\data1.dat
Spyware:Spyware/BetterInet Not disinfected C:\RECYCLER\S-1-5-21-2388472260-2191333442-3289738092-500\Dc2\data2.dat
Adware:Adware/IPInsight Not disinfected C:\WINNT\inf\alchem.inf
Adware:Adware/Transponder Not disinfected C:\WINNT\inf\polall1r.inf
Adware:Adware/Twain-Tech Not disinfected C:\WINNT\inf\twaintec.inf
Virus:Trj/Aram.A Not disinfected C:\WINNT\system32\cswmx.exe
Adware:adware/swimsuitnetwork Not disinfected C:\WINNT\system32\MYDLL.dll
Adware:adware/adsmart Not disinfected C:\WINNT\system32\vx.tll


Logfile of HijackThis v1.99.1
Scan saved at 1:17:49 PM, on 12/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
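
An added example, not part of the original thread: a Python sketch of the check that follows a HijackThis fix, confirming that every entry on the fix list is gone from the follow-up scan, plus a rough triage of O4 Run values. The function names and the three triage rules are assumptions made for illustration, not HijackThis behaviour, and the sample lines are copied from the logs above.

```python
import ntpath
import re

# Constructed samples: a few lines copied from the two HijackThis logs in this
# thread (first scan, then the scan after the fix), not the complete logs.
BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20001\winlogon.exe
O4 - HKLM\..\Run: [wormexe] forces_elite.exe
O4 - HKLM\..\Run: [dmckt.exe] C:\WINNT\System32\
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINNT\alt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8493F254-CA2B-4128-B3FA-EA6A3EA0A3E7}: NameServer = 85.255.114.93,85.255.112.6
O20 - Winlogon Notify: browsela - C:\WINNT\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
"""

AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
"""

# Subset of the entries the helper asked to have checked and fixed.
FIX_LIST = r"""
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20001\winlogon.exe
O4 - HKLM\..\Run: [wormexe] forces_elite.exe
O4 - HKLM\..\Run: [dmckt.exe] C:\WINNT\System32\
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINNT\alt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8493F254-CA2B-4128-B3FA-EA6A3EA0A3E7}: NameServer = 85.255.114.93,85.255.112.6
O20 - Winlogon Notify: browsela - C:\WINNT\system32\browsela.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                 # "O4 - ..."
RUN = re.compile(r"^HK[A-Z]{2}\\\.\.\\Run: \[(.+?)\] (.*)$")   # Run value
EXE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|scr|bat|com))(?=\s|$)', re.I)

# Assumption: a short list of core process names that live in system32.
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "smss.exe"}


def entries(log):
    """Return the stripped log lines that look like HijackThis entries."""
    return [l.strip() for l in log.splitlines() if ENTRY.match(l.strip())]


def triage_run(command):
    """Return a reason string if a Run command looks odd, else None."""
    m = EXE.match(command)
    path = (m.group(1) or m.group(2)) if m else command
    directory, name = ntpath.split(path)
    if not name:
        return "target is a directory, not a file"
    if not directory:
        return "bare file name with no directory"
    if (name.lower() in SYSTEM_NAMES
            and ntpath.basename(directory).lower() != "system32"):
        return "system process name outside system32"
    return None


def flag_run_entries(log):
    """Map Run value name -> reason for every O4 Run entry that is flagged."""
    flagged = {}
    for line in entries(log):
        section, text = ENTRY.match(line).groups()
        run = RUN.match(text) if section == "O4" else None
        if run:
            reason = triage_run(run.group(2))
            if reason:
                flagged[run.group(1)] = reason
    return flagged


def still_present(fix_lines, after_log):
    """Return the fix-list entries that still appear in the follow-up log."""
    def norm(line):
        return " ".join(line.split()).casefold()
    after = {norm(l) for l in entries(after_log)}
    return [l for l in fix_lines if norm(l) in after]


if __name__ == "__main__":
    for name, reason in flag_run_entries(BEFORE).items():
        print(f"{name}: {reason}")
    print("left over after fix:", still_present(entries(FIX_LIST), AFTER))
```

The triage rules are deliberately narrow: `C:\WINNT\alt.exe` passes them and is caught only by the fix-list comparison, so the heuristics are a starting point for review rather than a verdict.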

#4 Littlewolf


Posted 28 December 2005 - 01:46 PM

Here is the windelf.txt log...
************************
* WIN32DELFKIL LOGFILE *
************************


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

Notify key
----------

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINNT\SYSTEM32\CSWMX.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 12/28/2005
The current time is: 11:11:44.54

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

svcp.csv


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 672 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:08:02 PM, 12/28/2005
+ Report-Checksum: 9888F9C8

+ Scan result:

C:\Documents and Settings\Kathy\Cookies\kathy@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Kathy\Cookies\kathy@ehg-comcast.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kathy\Cookies\kathy@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kathy\Local Settings\Temp\vx3.game -> Trojan.Spabot.u : Cleaned with backup
C:\RECYCLER\NPROTECT\01615232.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01615248.dll -> Downloader.Delf.lh : Cleaned with backup
C:\RECYCLER\NPROTECT\01615251.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01615254.dll -> Downloader.Delf.lh : Cleaned with backup
C:\RECYCLER\NPROTECT\01615259.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01615265.dll -> Downloader.Delf.lh : Cleaned with backup
C:\RECYCLER\NPROTECT\01615289.exe -> Worm.Locksky.m : Cleaned with backup
C:\RECYCLER\NPROTECT\01615296.exe -> Trojan.Spabot.u : Cleaned with backup
C:\RECYCLER\NPROTECT\01615315.exe -> Downloader.Small.cah : Cleaned with backup
C:\RECYCLER\NPROTECT\01615337.EXE -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\RECYCLER\NPROTECT\01615338.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\RECYCLER\NPROTECT\01615341.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01615442.sys -> Downloader.Agent.tc : Cleaned with backup
C:\RECYCLER\NPROTECT\01615515.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01615601.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01615703.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01651964.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\RECYCLER\NPROTECT\01651978.exe -> Worm.Locksky.m : Cleaned with backup
C:\RECYCLER\NPROTECT\01651979.exe -> Trojan.Spabot.u : Cleaned with backup
C:\RECYCLER\NPROTECT\01651986.exe -> Downloader.Small.cah : Cleaned with backup
C:\RECYCLER\NPROTECT\01651999.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652000.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652009.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\RECYCLER\NPROTECT\01652010.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652011.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652012.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652038.exe -> Downloader.Small.cah : Cleaned with backup
C:\RECYCLER\NPROTECT\01652189.EXE -> Downloader.Tibs.x : Cleaned with backup
C:\RECYCLER\NPROTECT\01652374.exe -> Worm.Locksky.m : Cleaned with backup
C:\RECYCLER\NPROTECT\01652467.inx -> Downloader.Tibs.x : Cleaned with backup
C:\RECYCLER\NPROTECT\01652468.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\01652469.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652470.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652473.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652474.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652475.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652476.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652479.DLL -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652480.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652481.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652482.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652483.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652484.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652485.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652486.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652487.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652488.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652489.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652490.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652491.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652494.EXE -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\RECYCLER\NPROTECT\01652495.DLL -> Downloader.Delf.lh : Cleaned with backup
C:\RECYCLER\NPROTECT\01652523.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652543.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652545.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652557.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652572.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652577.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652585.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652593.EXE -> Trojan.Spabot.u : Cleaned with backup
C:\RECYCLER\NPROTECT\01652603.EXE -> Downloader.Small.atl : Cleaned with backup
C:\RECYCLER\NPROTECT\01652606.EXE -> Downloader.Small.cdc : Cleaned with backup
C:\RECYCLER\NPROTECT\01652609.EXE -> Trojan.Spabot.u : Cleaned with backup
C:\RECYCLER\NPROTECT\01652638.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652647.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652651.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652654.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652659.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652661.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652673.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652679.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652687.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652708.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652715.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652717.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652725.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652730.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652732.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652734.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652736.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652738.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652742.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652744.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652746.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652751.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652753.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652756.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652761.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652770.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652778.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652784.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652793.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652799.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652800.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652803.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652806.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652807.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652809.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652812.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652814.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652817.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652819.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652820.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652923.dll -> Downloader.Delf.lh : Cleaned with backup
C:\RECYCLER\NPROTECT\01652924.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652925.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\RECYCLER\NPROTECT\01652928.EXE -> Worm.Locksky.m : Cleaned with backup
C:\RECYCLER\NPROTECT\01652929.DLL -> Downloader.Delf.lh : Cleaned with backup
C:\RECYCLER\NPROTECT\01652930.EXE -> Hijacker.Delf.eb : Cleaned with backup
C:\RECYCLER\NPROTECT\01652991.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652993.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652994.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01652995.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01653017.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\01653018.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01653019.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01653020.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\01653056.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\WINNT\system32\sysc.exe -> Worm.Locksky.m : Cleaned with backup
C:\WINNT\__delete_on_reboot__adsldpbf.dll -> Downloader.Delf.lh : Cleaned with backup


::Report End

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:47 PM

Posted 28 December 2005 - 02:21 PM

This is looking a lot better!! :thumbsup:

Delete next files manually:

C:\WINNT\inf\alchem.inf
C:\WINNT\inf\polall1r.inf
C:\WINNT\inf\twaintec.inf
C:\WINNT\system32\cswmx.exe
C:\WINNT\system32\MYDLL.dll
C:\WINNT\system32\vx.tll

Then run Ccleaner again and click: Run Cleaner.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot and post a new hijackthislog as a final checkup.
Also let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Littlewolf


Posted 28 December 2005 - 05:41 PM

Here is the last log.
I seem to have printer issues, several popups in a row from the task bar saying I am out of ink when I just filled up yesterday, then a normal ink reading, then a symbol indicating there is no printer device detected.

Seems slow starting up and connecting to the internet, but perhaps those are separate issues.

But the spy sheriff and other problems appear gone.
Will this also have fixed the issue with other users?


Logfile of HijackThis v1.99.1
Scan saved at 5:28:00 PM, on 12/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#7 miekiemoes


Posted 28 December 2005 - 06:09 PM

Hello,

Your hijackthislog looks clean again.
The printer issues are indeed something else, so for that it's better you reinstall your printer software and drivers.

The slow startup.. keep in mind you have the entire symantec package installed. This really slows down your system. Also speeddoctor is imho not really improving your system, on the contrary. (but that's a personal opinion)

There are also some startup entries present that are not really required and slow down your startup. You may safely disable them via start > run > type: msconfig > tab startup.
There you may uncheck next:

NeroCheck.exe (related with Nero Burning Rom, Checks for driver issues)
SSBkgdUpdate (ScanSoft OmniPage auto updater. Can be disabled using the main program's options)
SM1BG.EXE (USB driver for downloading from within Napster to portable MP3 players)
QuickTime Task (System Tray access to Apple's "Quick Time" viewer)
pptd40nt.exe (ScanSoft PaperPort)
MMTray (related to musicmatch)
mmtask (part of musicmatch jukebox)
IndexSearch (also related to Scansoft Paperport)
igfxtray.exe (Quick access to the control panel, also available via Start -> Settings -> Control Panel)
brctrcen.exe-Controlcenter (Brother scanner 'Control Center' application; can be started manually)


The choice is yours of course whether you find the above necessary to start with Windows or not. So if you find some necessary, leave them; if not, you can always enable them again afterwards.
If you need the program, you can also access them via start > all programs

Also, defragmenting will also improve the system speed. Don't use speeddoctor this time to defragment, but the Windows utility:
http://helpdesk.its.uiowa.edu/windows/inst...ions/defrag.htm
You'll be amazed how fragmented your system is, even with speeddoctor running in the background all the time (because normally speeddoctor defragments your system)

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :thumbsup:
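The following Python example is added here and is not part of the thread or of HijackThis. It reads a HijackThis v1.99.1 log in the format posted above, lists the O4 autostart entries that the msconfig advice refers to, and flags entries marked "(no file)" or "(file missing)", checking each flagged path against the "Running processes" section. The function names are this example's own, and the sample is an excerpt assembled from lines quoted in posts #5 and #6.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of lines copied from the logs in posts #5 and #6.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:28:00 PM, on 12/28/2005

Running processes:
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - ..." style lines
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^((?:Global )?Startup): (.+?) = (.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|ocx)', re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Split a log into the running-process list and entries grouped by code."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False      # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return {"processes": processes, "entries": dict(entries)}


def autostarts(parsed):
    """Return (scope, name, command) for every O4 autostart entry."""
    found = []
    for detail in parsed["entries"].get("O4", []):
        m = RUN_RE.match(detail)
        if m:
            found.append((m.group(1) + "\\" + m.group(2), m.group(3), m.group(4)))
            continue
        m = STARTUP_RE.match(detail)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def orphans(parsed):
    """Flag entries whose target is reported absent, and note whether the
    same path is nevertheless listed under 'Running processes'."""
    running = {p.lower() for p in parsed["processes"]}
    flagged = []
    for code, details in parsed["entries"].items():
        for detail in details:
            if not detail.endswith(ORPHAN_MARKERS):
                continue
            m = PATH_RE.search(detail)
            path = m.group(0) if m else None
            flagged.append({
                "code": code,
                "path": path,
                "running": path is not None and path.lower() in running,
            })
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for scope, name, command in autostarts(parsed):
        print(f"autostart  {scope:10} {name:18} {command}")
    for item in orphans(parsed):
        print(f"orphan     {item['code']:4} path={item['path']} running={item['running']}")
```

On this excerpt the two O18 filters have no file behind them, while the Brother service is marked "(file missing)" even though the same path is listed as a running process, so a flagged entry is a prompt to check the file, not proof that it is gone.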

#8 Littlewolf


Posted 28 December 2005 - 06:16 PM

Thank you very much.
Question: I am not familiar with speeddoctor. Did it come installed with Gateway? How can I be rid of it?
Also, I have heard bad things about Norton. Can you recommend another virusscanner to replace it?

#9 miekiemoes


Posted 28 December 2005 - 06:22 PM

Hello,

I meant speeddisk instead of speeddoctor (mixing up with windoctor, which is a part of Norton Utilities)
Speeddisk is a part of Norton Systemworks.

As I read in above post, you don't want to use Norton anymore, so in this case, uninstall everything Norton/symantec related in your start > controlpanel > software > add/remove programs
This will also uninstall speeddisk.

There are FREE and good other scanners as well..
Also, I suggest you install a firewall.

AVG, AntiVir® OR Avast are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Zonealarm, Agnitum Outpost Free OR Kerio are FREE firewalls.

Understanding and using firewalls

#10 Littlewolf


Posted 28 December 2005 - 07:31 PM

Thanks so much for your help and advice.
I worked out the printing issue.
Do you have a name?
Happy new year. :thumbsup:

Edited by Littlewolf, 28 December 2005 - 07:32 PM.


#11 miekiemoes


Posted 28 December 2005 - 07:34 PM

Glad I could help. :thumbsup:

Yes, I have a name.. lol It's Mieke

Happy New Year as well!

#12 Littlewolf


Posted 29 December 2005 - 06:45 PM

Hi Mieke,
I tried loading the Zone Alarm Firewall you suggested.
It ran its own scan first and said it found Alexa Toolbar. :thumbsup:

Can I load the Firewall or should I attempt to remove this first?
I reran Ad-Aware, Ewido, and Spybot S&D to no avail.

#13 miekiemoes


Posted 29 December 2005 - 07:11 PM

Hello,

Uuum, did you install Zonealarm with the virusscanner in it?
Don't, because you already have an antivirus and it will interfere with your Norton.
I wonder what file Zonealarm flags as the Alexa toolbar. Can you tell me this? Because most probably Zonealarm flags the C:\Windows\Web\related.htm which is harmless and is installed on every XP system by default. Just let me know what file zonealarm exactly flags.

#14 Littlewolf


Posted 31 December 2005 - 08:47 AM

I have not installed the firewall yet. When you go to zonelabs.com they ask you to use their scanner first and make sure there are no problems before installing the firewall. The scan turns up "AlexaToolbar - Browser Plugin"

Here is what the scan results says when you click on more details...

AlexaToolbar
Browser Plugin

Alexa Toolbar is a program that includes a pop-up manager (it blocks pop-ups), a web search function (powered by Google) and buttons that provide additional information, such as site information, and related sites. Alexa also sends information about all web pages you visit back to Alexa's servers. It includes both page URLs and data you sent to web sites as a part of URL.



How dangerous is it?




Privacy

Alexa Toolbar collects URLs that may contain personal information about a user such as name, address, phone, and e-mail address.
Security
Your personal information may be transmitted over the internet insecurely



I went back and used Ad-aware, Ewido and SpyBot S&D but none of those turns up anything.

#15 miekiemoes


Posted 31 December 2005 - 08:59 AM

Yes, I know what Alexa is, but I want to know where exactly Zonealarm finds that alexa toolbar on your system, because I think this is a False Positive, otherwise Spybot and Adaware would have spotted it as well. :thumbsup:
Keep in mind, zonealarm is mainly a firewall and no antispyware and antivirusscanner. So the results it shows on that are not as trustworthy as the better known spywarescanners. :flowers: