
Need Help Cleaning The Last Of These Popups


13 replies to this topic

#1 fearthebuckeye


  • Members
  • 11 posts

Posted 07 January 2006 - 05:37 PM

I cannot remove Virtual Bouncer and I am having a great deal of trouble with popups from the site 0dp.com; also, every time I use Explorer I get virus warnings (at least 3 or 4). I have followed all of the removal steps on the post about what to do before posting your HiJack log. These steps removed some things, but I fear that they are just getting loaded on again as soon as I reboot. Here is my log; hope you can help me out. XP Home Edition, I believe.
Thank you for your help.
BB

Logfile of HijackThis v1.99.1
Scan saved at 5:34:58 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
C:\WINDOWS\system32\F5F6F8FB01FAFD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\SYS99.exe
C:\WINDOWS\sys11-1405318421.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\PROGRA~1\1634255\1634255.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stacey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A9AD4C1-1D0C-12AB-24E4-65833CDEC8CA} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: (no name) - {63B7E4C1-303C-2492-09A7-57AE79E8E5FE} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {DA69EC18-020C-EEFF-EAC6-0DFB266E8989} - C:\WINDOWS\Bqnemadr.dll (file missing)
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\system32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Search - {77958616-0725-CDD8-79B7-219B1257D570} - C:\WINDOWS\Bqnemadr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [iphuublA] C:\WINDOWS\iphuublA.exe
O4 - HKLM\..\Run: [2F3032353A34373A] F5F6F8FB01FAFD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [sys11-1405318421] C:\WINDOWS\sys11-1405318421.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [1634255] C:\PROGRA~1\1634255\1634255.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136495080453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 fearthebuckeye

  • Topic Starter

  • Members
  • 11 posts

Posted 09 January 2006 - 07:14 PM

I have removed most of the bad stuff from this computer, but there are still a couple of things that need to be deleted and I really need someone to walk me through the steps. I have followed the procedure in scanning my computer as outlined in the posting about what you should do before you post your HiJackThis log. Now here it is. Thanks for your time and effort.

Bryan



Logfile of HijackThis v1.99.1
Scan saved at 7:08:24 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
C:\WINDOWS\system32\F5F6F8FB01FAFD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\SYS99.exe
C:\WINDOWS\sys11-1405318421.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\PROGRA~1\1634255\1634255.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Documents and Settings\Stacey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A9AD4C1-1D0C-12AB-24E4-65833CDEC8CA} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: (no name) - {63B7E4C1-303C-2492-09A7-57AE79E8E5FE} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {DA69EC18-020C-EEFF-EAC6-0DFB266E8989} - C:\WINDOWS\Bqnemadr.dll (file missing)
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\system32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Search - {77958616-0725-CDD8-79B7-219B1257D570} - C:\WINDOWS\Bqnemadr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [iphuublA] C:\WINDOWS\iphuublA.exe
O4 - HKLM\..\Run: [2F3032353A34373A] F5F6F8FB01FAFD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [sys11-1405318421] C:\WINDOWS\sys11-1405318421.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [1634255] C:\PROGRA~1\1634255\1634255.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136495080453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#3 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 14 January 2006 - 03:08 PM

Hello Bryan,

Before any work can be done on this machine, there is something that requires your immediate intervention.

This machine is messed up because you have several anti-virus programs on your machine (McAfee & Symantec). That's not a good idea!!

Like firewalls, anti-virus programs have conflicts co-existing with each other & produce undesirable results. Please uninstall ALL, leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

After you have completed the above, please post a fresh HJT log.
I'm subscribed to this thread & will receive almost immediate notification once that comes in.

Thanks.
sUBs

Edited by sUBs, 14 January 2006 - 03:08 PM.


#4 fearthebuckeye

  • Topic Starter

  • Members
  • 11 posts

Posted 15 January 2006 - 02:34 PM

I am trying to remove Norton from my computer, but every time I go to take it off in the Add/Remove Programs window nothing happens. I have already removed the Symantec LiveUpdate stuff, but when I click on Remove for Norton AntiVirus 2006 nothing happens and the Add/Remove window becomes frozen. What should I do?

#5 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 02:51 PM

Symantec has a guide for its removal.

http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

#6 fearthebuckeye

  • Topic Starter

  • Members
  • 11 posts

Posted 15 January 2006 - 03:28 PM

Well, more problems: when I try to run that SymNRT.exe to remove Norton, nothing happens! The window comes up and has the options RUN and CANCEL. I pick Run and then it goes away and nothing happens. This thing is about to be tossed out the window.

B

#7 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 03:51 PM

Have you run the 2 other files - SYMMSICLEANUP.reg & MSIFIX.bat?

If you have not, do so now. Reboot & post a new HJT log.

#8 fearthebuckeye

  • Topic Starter

  • Members
  • 11 posts

Posted 15 January 2006 - 05:14 PM

Here is the new HJT log. I ran the two other programs that you said, rebooted, and ran the HJT.


Logfile of HijackThis v1.99.1
Scan saved at 5:11:42 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
C:\WINDOWS\system32\F5F6F8FB01FAFD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\SYS99.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\PROGRA~1\1634255\1634255.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Documents and Settings\Stacey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A9AD4C1-1D0C-12AB-24E4-65833CDEC8CA} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: (no name) - {63B7E4C1-303C-2492-09A7-57AE79E8E5FE} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {DA69EC18-020C-EEFF-EAC6-0DFB266E8989} - C:\WINDOWS\Bqnemadr.dll (file missing)
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\system32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Search - {77958616-0725-CDD8-79B7-219B1257D570} - C:\WINDOWS\Bqnemadr.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [iphuublA] C:\WINDOWS\iphuublA.exe
O4 - HKLM\..\Run: [2F3032353A34373A] F5F6F8FB01FAFD.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [1634255] C:\PROGRA~1\1634255\1634255.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136495080453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#9 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 05:28 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - MissDNS logs DNS cache miss hits (Network Monitor)
  2. Double-click on it to open the Properties dialog.
    - Stop the service by using the Stop button.
    - Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  4. In the popup box that appears, copy/paste Network Monitor
  5. Click on the OK button & answer No if prompted to reboot
Repeat steps 1-5 for these other services :-
  • Symantec Event Manager (ccEvtMgr)
  • Symantec Settings Manager (ccSetMgr)


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5A9AD4C1-1D0C-12AB-24E4-65833CDEC8CA} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: (no name) - {63B7E4C1-303C-2492-09A7-57AE79E8E5FE} - C:\WINDOWS\system32\erfoozwu.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {DA69EC18-020C-EEFF-EAC6-0DFB266E8989} - C:\WINDOWS\Bqnemadr.dll (file missing)
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\system32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Search - {77958616-0725-CDD8-79B7-219B1257D570} - C:\WINDOWS\Bqnemadr.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [iphuublA] C:\WINDOWS\iphuublA.exe
O4 - HKLM\..\Run: [2F3032353A34373A] F5F6F8FB01FAFD.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [1634255] C:\PROGRA~1\1634255\1634255.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O18 - Filter: text/html - (no CLSID) - (no file)



* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • C:\WINDOWS\system32\F5F6F8FB01FAFD.exe
  • C:\WINDOWS\SYS99.exe
  • C:\PROGRA~1\1634255\1634255.exe
  • C:\WINDOWS\system32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
  • C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
  • C:\WINDOWS\system32\jumb.exe
  • C:\WINDOWS\iphuublA.exe
  • C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  • C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  • C:\Program Files\Network Monitor\MissDNS.exe
  • C:\WINDOWS\system32\erfoozwu.dll
  • C:\WINDOWS\Bqnemadr.dll
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Run SYMMSICLEANUP.reg again

Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Viewpoint
    Network Monitor
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Viewpoint
    C:\Program Files\Common Files\Symantec Shared\
    C:\Program Files\Network Monitor\
    C:\PROGRA~1\1634255\


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Edited by sUBs, 15 January 2006 - 05:30 PM.


#10 fearthebuckeye
  • Topic Starter
  • Members
  • 11 posts

Posted 15 January 2006 - 09:12 PM

OK, I have gone through all of the steps in the order you laid out. Here are the results.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:05 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Stacey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136495080453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



ONLINE SCAN (Kaspersky)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 15, 2006 21:04:06
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/01/2006
Kaspersky Anti-Virus database records: 171507
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 23782
Number of viruses found: 22
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 1684 sec

Infected Object Name - Virus Name
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010/data0003 Infected: Trojan.Win32.VB.tg
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010/data0004 Infected: Trojan-Clicker.Win32.VB.jz
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010/data0007 Infected: Trojan.Win32.VB.tg
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010/data0008 Infected: Trojan.Win32.VB.tg
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010 Infected: Trojan.Win32.VB.tg
C:\Program Files\Common Files\VCClient\Setup8823.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP12\A0001455.exe Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP12\A0001456.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001797.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001798.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001799.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001800.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001800.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001800.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001800.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001800.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001800.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP14\A0001808.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP15\A0001912.exe Infected: Trojan-Clicker.Win32.VB.ij
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP15\A0001916.exe Infected: Trojan-Clicker.Win32.VB.ij
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP15\A0001917.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP15\A0001931.dll Infected: not-a-virus:AdWare.Win32.AlexaBar.a
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP21\A0002427.exe Infected: Trojan-Downloader.Win32.PurityScan.ax
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP21\A0002428.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP21\A0002435.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003495.dll Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003496.exe Infected: Trojan-Downloader.Win32.VB.nw
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003500.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003501.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.l
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003514.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003514.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003514.exe/data0004 Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003514.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003514.exe/data0008 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP22\A0003514.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP25\A0004676.exe Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0004928.dll Infected: not-a-virus:AdWare.Win32.EZula.ca
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0004997.dll Infected: Trojan.Win32.VB.aft
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005000.exe Infected: Trojan.Win32.VB.aft
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005001.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005067.exe Infected: not-a-virus:Monitor.Win32.NetMon.a
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005149.dll Infected: Trojan.Win32.VB.aft
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005150.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005151.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005152.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005153.exe Infected: not-a-virus:AdWare.Win32.EZula.bn
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005154.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.l
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005155.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005156.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d
C:\WINDOWS\linun.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\bsd.exe/data0003 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\WINDOWS\system32\bsd.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\WINDOWS\system32\gss.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\gss.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\gss.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\Setup8823.exe/data0010/data0010/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINDOWS\system32\Setup8823.exe/data0010/data0010/data0003 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Setup8823.exe/data0010/data0010/data0004 Infected: Trojan-Clicker.Win32.VB.jz
C:\WINDOWS\system32\Setup8823.exe/data0010/data0010/data0007 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Setup8823.exe/data0010/data0010/data0008 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Setup8823.exe/data0010/data0010 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Setup8823.exe/data0010 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Setup8823.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\smam.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\WINDOWS\system32\smam.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

Scan process completed.




EWIDO

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:25:32 PM, 1/15/2006
+ Report-Checksum: B7585AD8

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Stacey\Desktop\backups\backup-20060115-193050-614.dll -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\DH.dll_tobedeleted -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\msbk32.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\SearchB.exe -> Hijacker.VB.jz : Cleaned with backup
C:\WINDOWS\smdgqxlm.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\system32\dtti.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\pwinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rldsregj.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rsdsregj.exe -> Spyware.ZenoSearch : Cleaned with backup


::Report End





Also, when you said to notice any other programs that I didn't recognize in the add and delete program window in the un-installing programs step, I noticed 1634255 and Plaxo Toolbar for Outlook and Outlook Express. Thank you for your great help; the computer seems to be running better, but I fear we still have some more work to go.

Bryan
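The Kaspersky report above mixes two very different kinds of hit: copies that System Restore squirrelled away under System Volume Information (inert until a restore point is applied, and not deletable by hand), and files that are actually live on disk, several of which are reported many times because the scanner also lists every archive member packed inside them. The script below is an added example, not code from the thread or from either poster; it parses the "<object> Infected: <detection>" line format shown in the report, collapses nested archive hits onto the file that holds them, and separates live files from restore-point snapshots. The sample input is a constructed subset of lines copied from the report above; the regular expressions assume the Kaspersky On-line Scanner 5.0 report layout as posted.

```python
import re
from collections import defaultdict

# A subset of the "Infected Object Name - Virus Name" lines from the Kaspersky
# report posted above (constructed sample input; the real report lists 66 objects).
SAMPLE_REPORT = r"""
C:\Program Files\Common Files\VCClient\Setup8823.exe/data0010/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\Program Files\Common Files\VCClient\Setup8823.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP12\A0001455.exe Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{274DEA13-040D-4D34-8260-A2985DE5F874}\RP29\A0005067.exe Infected: not-a-virus:Monitor.Win32.NetMon.a
C:\WINDOWS\linun.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\bsd.exe/data0003 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\WINDOWS\system32\bsd.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\WINDOWS\system32\gss.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\Setup8823.exe/data0010 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\smam.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\WINDOWS\system32\smam.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
"""

# "<object> Infected: <detection>" -- the report line format shown in the post.
LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")
# System Restore keeps copies of replaced files under _restore{GUID}\RPnn\.
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\"
)


def container_path(obj):
    """Collapse an archive member (...exe/data0010/data0002) onto the file that holds it."""
    return obj.split("/", 1)[0]


def triage(report_text):
    """Split detections into live on-disk files and System Restore snapshots.

    Returns (live, restore): live maps a file path to the set of detection
    names reported for it or for anything packed inside it; restore maps a
    restore point id (e.g. 'RP12') to the detection names found in it.
    """
    live = defaultdict(set)
    restore = defaultdict(set)
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = container_path(m.group("obj"))
        name = m.group("name")
        rp = RESTORE_RE.match(path)
        if rp:
            restore[rp.group("rp")].add(name)
        else:
            live[path].add(name)
    return dict(live), dict(restore)


def is_pup(name):
    """Kaspersky tags adware and monitoring tools 'not-a-virus:'; everything else is malware."""
    return name.startswith("not-a-virus:")


def live_malware(live):
    """Live paths carrying at least one real malware detection (not adware only), sorted."""
    return sorted(p for p, names in live.items() if any(not is_pup(n) for n in names))


if __name__ == "__main__":
    live, restore = triage(SAMPLE_REPORT)
    print("Live files to remove (%d):" % len(live))
    for path in sorted(live):
        print("  %s  <- %s" % (path, ", ".join(sorted(live[path]))))
    print("Restore points holding infected copies: %s" % ", ".join(sorted(restore)))
    print("Of the live files, %d carry trojan detections." % len(live_malware(live)))
```

Run over the sample, the eleven report lines reduce to six live files (the same six paths the next set of instructions in this thread tells the poster to delete) plus two restore points. The restore-point copies matter only if a restore point is ever applied; they cannot be removed file by file and disappear when the restore points themselves are flushed, so triage should keep them out of the manual deletion list rather than chase each path.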

#11 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 16 January 2006 - 03:24 AM

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Right-click on this link & choose "Save As...": DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

Right click on this & select 'Save As' - DNSManual.bat
Double-click on DNSManual.bat & allow it to run.

SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * *


Start HJT & go to Config > Misc Tools - Open Uninstall Manager
From the box on the left, select 1634255 & hit the "Delete this entry" button located on the right


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Common Files\VCClient\
    C:\WINDOWS\linun.exe
    C:\WINDOWS\system32\bsd.exe
    C:\WINDOWS\system32\gss.exe
    C:\WINDOWS\system32\Setup8823.exe
    C:\WINDOWS\system32\smam.exe


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.


Reboot & post a new HJT log. Let me know if you still have other issues.

#12 fearthebuckeye
  • Topic Starter
  • Members
  • 11 posts

Posted 16 January 2006 - 09:11 PM

Here is the new log after the last set of instructions. Am I done, or is there still more to do? And which of the programs you had me install can I delete if I am done?
Thanks
Bryan




Logfile of HijackThis v1.99.1
Scan saved at 9:07:23 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stacey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135874663\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136495080453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#13 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 16 January 2006 - 11:33 PM

Your log appears clean, but do not be overly concerned about removing the tools I had you download. Ewido is a great scanner & it will still work well after its trial period has expired. It will only lose its autoupdate features. CleanUp is something you should run on a frequent basis & Killbox is a tool you should keep handy.

I'm more concerned about the reappearance of Symantec/Norton entries in your log. You may choose to ignore them, but they will only create multiple problems in the long run if they're not properly addressed.

I realise now that Symantec has changed its webpage for its removal. That's why you failed to remove it in the previous round. I found you a revised webpage which you should be able to use.

http://service1.symantec.com/SUPPORT/tsgen...&Src=#_Section3

Please follow the instructions there & don't be afraid to ask me for help if you get stuck.

Let me know how that went.
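The point sUBs is making in the post above is that a HijackThis log can look "clean" in the sense of having no known-bad entries while still carrying registrations that point at nothing: O23 services whose binary has been deleted but whose registry entry survives (shown by HijackThis as "(file missing)"), and services or Run entries with no vendor string or no fully qualified path. Those are both a sign of an incomplete uninstall and a hole an attacker can fill by dropping a file at the expected path. The parser below is an added example, not code from the thread, from HijackThis or from either poster; it reads the O4 and O23 line formats that HijackThis 1.99.1 produces as shown in the logs above and reports three kinds of finding. The sample input is a constructed subset of lines copied from those logs; the finding names (orphaned-service, unverified-service, unqualified-run-path) are this example's own labels, not HijackThis terminology.

```python
import re

# O4 (Run keys) and O23 (services) lines copied from the HijackThis 1.99.1 logs
# posted in this thread; a constructed subset, not a complete log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "O23 - Service: <display name> - <vendor> - <image path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Either the first quoted string, or the shortest prefix ending in an executable extension.
IMAGE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|scr|com)))(?P<rest>.*)$', re.I)


def image_path(cmd):
    """Return the binary an O4 command line really loads.

    Handles quoted paths, unquoted paths containing spaces, and the
    'rundll32 <dll>,<entry>' form, where the file of interest is the DLL.
    """
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    path = m.group("q") or m.group("u")
    if path.lower().endswith("rundll32.exe"):
        return m.group("rest").strip().split(",", 1)[0].strip().strip('"')
    return path


def analyse(hjt_text):
    """Return (kind, entry name, path) findings for O4 and O23 lines.

    orphaned-service:     a service is still registered but its binary is gone
    unverified-service:   the binary is present but carries no vendor string
    unqualified-run-path: a Run entry names a bare filename resolved via the search path
    """
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(("orphaned-service", m.group("name"), m.group("path")))
            elif m.group("owner") == "Unknown owner":
                findings.append(("unverified-service", m.group("name"), m.group("path")))
            continue
        m = O4_RE.match(line)
        if m:
            img = image_path(m.group("cmd"))
            if "\\" not in img:
                findings.append(("unqualified-run-path", m.group("name"), img))
    return findings


def orphaned_services(hjt_text):
    """Display names of services whose image is reported '(file missing)', sorted."""
    return sorted(n for kind, n, _ in analyse(hjt_text) if kind == "orphaned-service")


if __name__ == "__main__":
    for kind, name, path in analyse(SAMPLE_HJT):
        print("%-22s %-28s %s" % (kind, name, path))
```

On the sample the two Symantec services come out as orphaned, which is exactly the residue sUBs wants removed with the vendor's tool; the Broadcom-style WLTRYSVC entry is only flagged because HijackThis printed no vendor for it, so it needs a human look rather than deletion; and the nwiz Run entry is flagged because a bare filename is found through the executable search path, which is worth knowing even when the program itself is legitimate.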

#14 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 24 January 2006 - 01:23 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
