
Have Trojan Need Help To Remove Please!


This topic is locked
6 replies to this topic

#1 WitsEnd
  • Banned
  • 86 posts
  • Gender:Male

Posted 12 March 2006 - 10:25 AM

Hello,

I have a trojan that keeps downloading Spy Falcon and/or other nasties, it redirects my homepage and there are two new icons in the application tray by the clock that pop up and say my system is infected and it will now download and install the most efficient spyware removal tool.

Adaware finds w32.trojan.downloader but is unable to remove it.

Please help!! Thanks in advance!

Steve


Logfile of HijackThis v1.99.1
Scan saved at 9:17:34 AM, on 3/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve Harris\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp6025.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cgi3.ocis.uncwil.edu/aquarius/AxisCamControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
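A first-pass triage of a log like the one above is mostly structural: which in-process COM servers (O2 BHOs, O3 toolbars, O20 Winlogon notify packages) load from a file that is not even named like a library, which services have no publisher, and what changed between the log posted before cleanup and the one posted after. The script below is an added example for this thread, not code from the original posts or from HijackThis; the sample lines are constructed from the logs posted in this thread, and the two heuristics are this example's own assumptions rather than HijackThis rules. In the log above it singles out the O2 entry, a BHO registered from C:\WINDOWS\System32\hp6025.tmp, which is the entry that smitRem's file list (hp***.tmp) later targets.

```python
"""Triage and diff helper for HijackThis (HJT) 1.99-style logs.

Added example for this thread; it is not part of the original posts and
not part of HijackThis.  It parses the 'Rn - ' / 'Onn - ' entries, applies
two structural heuristics a responder would use as a first pass, and diffs
a 'before' and 'after' log.  The sample lines below are constructed from
the logs posted in this thread; the heuristics are this example's own
assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
# O2 (BHOs), O3 (toolbars) and O20 (Winlogon notify packages) are DLLs
# loaded into Explorer / IE / winlogon; their path is the last ' - ' field.
DLL_SECTIONS = {"O2", "O3", "O20"}
DLL_EXTENSIONS = (".dll", ".ocx")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2"
    body: str      # everything after "O2 - "

    @property
    def path(self) -> str:
        """Last ' - '-separated field, unquoted (the file path for O2/O3/O20/O23)."""
        return self.body.rsplit(" - ", 1)[-1].strip().strip('"')

    def order(self):
        return (self.section[0], int(self.section[1:]), self.body)


def parse(log: str) -> list:
    """Extract the Rn/Fn/Onn entries; process list and header lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def findings(entries) -> list:
    """(entry, reason) pairs worth a closer look, in log order."""
    hits = []
    for e in entries:
        if e.section in DLL_SECTIONS and not e.path.lower().endswith(DLL_EXTENSIONS):
            # An in-process COM server registered from a .tmp (or any other
            # non-library name) is the classic hijacker pattern: the dropped
            # file is named to look like leftover temp data.
            hits.append((e, "in-process COM server is not a .dll/.ocx"))
        if e.section == "O23" and "Unknown owner" in e.body:
            # Not proof of anything (the ATI entry below is benign), but an
            # unnamed publisher is where an unknown service would hide.
            hits.append((e, "service binary has no publisher"))
    return hits


def diff(before, after):
    """Entries removed by the cleanup and entries that appeared after it."""
    b, a = set(before), set(after)
    return (sorted(b - a, key=Entry.order), sorted(a - b, key=Entry.order))


# Constructed samples, abridged from the two logs in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\mssearchnet.exe
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp6025.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
"""

if __name__ == "__main__":
    for e, why in findings(parse(BEFORE)):
        print(f"[{e.section}] {why}: {e.path}")
    removed, added = diff(parse(BEFORE), parse(AFTER))
    print("removed:", [f"{e.section} {e.body}" for e in removed])
    print("added:  ", [f"{e.section} {e.body}" for e in added])
```

The diff is the part worth keeping around: a responder reads the second log not for what it contains but for what the cleanup removed (here the O2 BHO) and what the cleanup tools themselves added (the Spy Sweeper O4 entry and its O20 Winlogon notify DLL), so those additions are not mistaken for new infections.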


#2 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 12 March 2006 - 11:45 AM

Hi WitsEnd,

Welcome to BC. :thumbsup:

First of all, you are currently using an unpatched version of Windows XP, thus wide open to infections. It is CRITICAL that you update to Service Pack 1a immediately, so we are not wasting our time.
You can get SP1a here : http://www.microsoft.com/windowsxp/downloa...p1/default.mspx You should also get SP2, but NOT NOW, only after you are sure that your machine is clean.

==============================================

I see Norton Scriptblocking service present.

I want you to disable it as it may interfere with the next fix.

  • To open Services, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Services.
  • Find the ScriptBlocking service, right-click the service, and then click Properties. On the General tab, under Startup, click Disabled.
  • Under Service Status, click the Stop button. Click the Apply button.
* Disable Script Blocking in the Norton settings:
  • Start Norton AntiVirus.
  • Click Options. If a menu appears when you click Options, then click Norton AntiVirus. The Norton AntiVirus Options dialog box appears.
  • Click Script Blocking.
  • Uncheck Enable Script Blocking (recommended).
  • Click OK.
You can reenable it afterwards when everything is clean again.

==============================================

Download smitRem.exe (or from one of the mirrors: HERE / Here) and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
==============================================

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
==============================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

==============================================


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
==============================================

Restart your computer in Normal Mode and scan with HijackThis again.

Post the contents of smitfiles.txt, a new HJT log and the Spy Sweeper report.
Let us know if any problems persist.

#3 WitsEnd
  • Topic Starter
  • Banned
  • 86 posts
  • Gender:Male

Posted 12 March 2006 - 10:49 PM

I appreciate your help. Below are the log files that you requested. I still have an icon in the application tray that says the system is infected and it is going to download the most efficient spyware removal tool etc...

Also, I'm not sure I can upgrade to SP1A, I know I can't do SP2, I've tried. I bought this laptop used with the OS already installed and it is apparently a pirated version. This is not a waste of time though, I only use this laptop to administer my own website and for email, and I'm very careful about surfing the net on this one. I got this spyware from going to a website that I knew I shouldn't have gone to in the first place. From now on this laptop is only for my own website.

Thanks,

Steve


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 03/12/2006
The current time is: 18:10:09.14

Running from
C:\Documents and Settings\Steve Harris\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\System32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 684 'explorer.exe'
Killing PID 684 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\System32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

********
7:36 PM: | Start of Session, Sunday, March 12, 2006 |
7:36 PM: Spy Sweeper started
7:36 PM: Sweep initiated using definitions version 630
7:36 PM: Starting Memory Sweep
7:40 PM: Memory Sweep Complete, Elapsed Time: 00:04:02
7:40 PM: Starting Registry Sweep
7:40 PM: Found Adware: addestroyer
7:40 PM: HKCR\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 102729)
7:40 PM: HKCR\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102732)
7:40 PM: HKCR\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102734)
7:40 PM: HKCR\swlad1.swlad\ (3 subtraces) (ID = 102736)
7:40 PM: HKLM\software\classes\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 102738)
7:40 PM: HKLM\software\classes\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102741)
7:40 PM: HKLM\software\classes\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102743)
7:40 PM: HKLM\software\classes\swlad1.swlad\ (3 subtraces) (ID = 102745)
7:40 PM: HKLM\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102747)
7:40 PM: HKCR\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102751)
7:40 PM: Found Adware: bookedspace
7:40 PM: HKLM\software\configuration manager\cfgmgr52\ (186 subtraces) (ID = 104873)
7:40 PM: Found Adware: delfin
7:40 PM: HKLM\software\microsoft\windows\currentversion\uninstall\displayutility\ (2 subtraces) (ID = 124879)
7:40 PM: HKLM\software\mvu\ (6 subtraces) (ID = 124885)
7:40 PM: HKLM\software\vidctrl\ (3 subtraces) (ID = 124897)
7:41 PM: Found Adware: accona toolbar accoona.com hijack
7:41 PM: HKU\WRSS_Profile_S-1-5-21-725345543-1677128483-1202660629-500\software\microsoft\internet explorer\searchurl\ || @ (ID = 955002)
7:41 PM: HKU\S-1-5-21-725345543-1677128483-1202660629-1003\software\mvu\ (5 subtraces) (ID = 124884)
7:41 PM: Found Adware: rx toolbar
7:41 PM: HKU\S-1-5-21-725345543-1677128483-1202660629-1003\software\rx toolbar\ (1 subtraces) (ID = 140298)
7:41 PM: Registry Sweep Complete, Elapsed Time:00:01:14
7:41 PM: Starting Cookie Sweep
7:42 PM: Found Spy Cookie: aa cookie
7:42 PM: steve harris@aa[2].txt (ID = 2029)
7:42 PM: Found Spy Cookie: go.com cookie
7:42 PM: steve harris@abcnews.go[1].txt (ID = 2729)
7:42 PM: Found Spy Cookie: about cookie
7:42 PM: steve harris@about[1].txt (ID = 2037)
7:42 PM: Found Spy Cookie: yieldmanager cookie
7:42 PM: steve harris@ad.yieldmanager[1].txt (ID = 3751)
7:42 PM: Found Spy Cookie: adknowledge cookie
7:42 PM: steve harris@adknowledge[2].txt (ID = 2072)
7:42 PM: Found Spy Cookie: hbmediapro cookie
7:42 PM: steve harris@adopt.hbmediapro[2].txt (ID = 2768)
7:42 PM: Found Spy Cookie: specificclick.com cookie
7:42 PM: steve harris@adopt.specificclick[2].txt (ID = 3400)
7:42 PM: Found Spy Cookie: nextag cookie
7:42 PM: steve harris@adq.nextag[1].txt (ID = 5015)
7:42 PM: Found Spy Cookie: belointeractive cookie
7:42 PM: steve harris@ads.belointeractive[1].txt (ID = 2295)
7:42 PM: Found Spy Cookie: adultfriendfinder cookie
7:42 PM: steve harris@adultfriendfinder[2].txt (ID = 2165)
7:42 PM: Found Spy Cookie: alt cookie
7:42 PM: steve harris@alt[1].txt (ID = 2217)
7:42 PM: Found Spy Cookie: ask cookie
7:42 PM: steve harris@ask[1].txt (ID = 2245)
7:42 PM: Found Spy Cookie: atwola cookie
7:42 PM: steve harris@atwola[2].txt (ID = 2255)
7:42 PM: Found Spy Cookie: bannerspace cookie
7:42 PM: steve harris@bannerspace[1].txt (ID = 2284)
7:42 PM: Found Spy Cookie: banner cookie
7:42 PM: steve harris@banner[1].txt (ID = 2276)
7:42 PM: Found Spy Cookie: belnk cookie
7:42 PM: steve harris@belnk[1].txt (ID = 2292)
7:42 PM: steve harris@belointeractive[2].txt (ID = 2294)
7:42 PM: Found Spy Cookie: bizrate cookie
7:42 PM: steve harris@bizrate[1].txt (ID = 2308)
7:42 PM: Found Spy Cookie: burstnet cookie
7:42 PM: steve harris@burstnet[2].txt (ID = 2336)
7:42 PM: Found Spy Cookie: gostats cookie
7:42 PM: steve harris@c2.gostats[2].txt (ID = 2748)
7:42 PM: Found Spy Cookie: ccbill cookie
7:42 PM: steve harris@ccbill[1].txt (ID = 2369)
7:42 PM: Found Spy Cookie: 2o7.net cookie
7:42 PM: steve harris@cnn.122.2o7[1].txt (ID = 1958)
7:42 PM: steve harris@collectibles.about[2].txt (ID = 2038)
7:42 PM: Found Spy Cookie: columbiahouse cookie
7:42 PM: steve harris@columbiahouse[1].txt (ID = 2443)
7:42 PM: Found Spy Cookie: overture cookie
7:42 PM: steve harris@content.overture[1].txt (ID = 3106)
7:42 PM: steve harris@crime.about[1].txt (ID = 2038)
7:42 PM: Found Spy Cookie: customer cookie
7:42 PM: steve harris@customer[1].txt (ID = 2481)
7:42 PM: steve harris@customer[2].txt (ID = 2481)
7:42 PM: steve harris@customer[3].txt (ID = 2481)
7:42 PM: steve harris@data1.perf.overture[1].txt (ID = 3106)
7:42 PM: steve harris@data2.perf.overture[1].txt (ID = 3106)
7:42 PM: steve harris@data3.perf.overture[1].txt (ID = 3106)
7:42 PM: Found Spy Cookie: dealtime cookie
7:42 PM: steve harris@dealtime[1].txt (ID = 2505)
7:42 PM: Found Spy Cookie: desktop kazaa cookie
7:42 PM: steve harris@desktop.kazaa[2].txt (ID = 2515)
7:42 PM: steve harris@dist.belnk[2].txt (ID = 2293)
7:42 PM: steve harris@dying.about[1].txt (ID = 2038)
7:42 PM: steve harris@entrepreneur.122.2o7[1].txt (ID = 1958)
7:42 PM: Found Spy Cookie: exitexchange cookie
7:42 PM: steve harris@exitexchange[1].txt (ID = 2633)
7:42 PM: steve harris@familycrafts.about[1].txt (ID = 2038)
7:42 PM: steve harris@geography.about[1].txt (ID = 2038)
7:42 PM: steve harris@golf.about[1].txt (ID = 2038)
7:42 PM: steve harris@go[2].txt (ID = 2728)
7:42 PM: Found Spy Cookie: clickandtrack cookie
7:42 PM: steve harris@hits.clickandtrack[2].txt (ID = 2397)
7:42 PM: Found Spy Cookie: howstuffworks cookie
7:42 PM: steve harris@howstuffworks[2].txt (ID = 2805)
7:42 PM: steve harris@huntsville.about[1].txt (ID = 2038)
7:42 PM: Found Spy Cookie: hypertracker.com cookie
7:42 PM: steve harris@hypertracker[1].txt (ID = 2817)
7:42 PM: Found Spy Cookie: kinghost cookie
7:42 PM: steve harris@kinghost[1].txt (ID = 2903)
7:42 PM: Found Spy Cookie: military cookie
7:42 PM: steve harris@military[2].txt (ID = 2996)
7:42 PM: steve harris@movies.go[1].txt (ID = 2729)
7:42 PM: steve harris@msnportal.112.2o7[1].txt (ID = 1958)
7:42 PM: steve harris@nextag[2].txt (ID = 5014)
7:42 PM: Found Spy Cookie: one-time-offer cookie
7:42 PM: steve harris@one-time-offer[1].txt (ID = 3095)
7:42 PM: steve harris@oneeconomy.122.2o7[2].txt (ID = 1958)
7:42 PM: Found Spy Cookie: outster cookie
7:42 PM: steve harris@outster[2].txt (ID = 3103)
7:42 PM: steve harris@partygaming.122.2o7[1].txt (ID = 1958)
7:42 PM: Found Spy Cookie: partypoker cookie
7:42 PM: steve harris@partypoker[1].txt (ID = 3111)
7:42 PM: steve harris@politicalhumor.about[1].txt (ID = 2038)
7:42 PM: Found Spy Cookie: pricegrabber cookie
7:42 PM: steve harris@pricegrabber[2].txt (ID = 3185)
7:42 PM: Found Spy Cookie: rn11 cookie
7:42 PM: steve harris@rn11[2].txt (ID = 3261)
7:42 PM: Found Spy Cookie: adjuggler cookie
7:42 PM: steve harris@rotator.adjuggler[1].txt (ID = 2071)
7:42 PM: steve harris@rsi.abcnews.go[1].txt (ID = 2729)
7:42 PM: steve harris@sbinfocanada.about[1].txt (ID = 2038)
7:42 PM: steve harris@sbinformation.about[1].txt (ID = 2038)
7:42 PM: steve harris@southernfood.about[2].txt (ID = 2038)
7:42 PM: steve harris@stat.dealtime[2].txt (ID = 2506)
7:42 PM: Found Spy Cookie: clicktracks cookie
7:42 PM: steve harris@stats2.clicktracks[1].txt (ID = 2407)
7:42 PM: Found Spy Cookie: tacoda cookie
7:42 PM: steve harris@tacoda[1].txt (ID = 6444)
7:42 PM: steve harris@terrorism.about[1].txt (ID = 2038)
7:42 PM: Found Spy Cookie: toplist cookie
7:42 PM: steve harris@toplist[1].txt (ID = 3557)
7:42 PM: steve harris@vitacost.122.2o7[1].txt (ID = 1958)
7:42 PM: Found Spy Cookie: burstbeacon cookie
7:42 PM: steve harris@www.burstbeacon[2].txt (ID = 2335)
7:42 PM: steve harris@www.military[1].txt (ID = 2997)
7:42 PM: Found Spy Cookie: myaffiliateprogram.com cookie
7:42 PM: steve harris@www.myaffiliateprogram[1].txt (ID = 3032)
7:42 PM: Found Spy Cookie: seeq cookie
7:42 PM: steve harris@www48.seeq[1].txt (ID = 3332)
7:42 PM: Found Spy Cookie: yadro cookie
7:42 PM: steve harris@yadro[2].txt (ID = 3743)
7:42 PM: Cookie Sweep Complete, Elapsed Time: 00:00:27
7:42 PM: Starting File Sweep
7:42 PM: c:\documents and settings\all users\application data\addestroyer (1 subtraces) (ID = -2147481464)
7:42 PM: c:\windows\system32\nsvsvc (1 subtraces) (ID = -2147481119)
7:42 PM: c:\documents and settings\all users\application data\nsv (16 subtraces) (ID = -2147481136)
7:42 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
7:42 PM: c:\windows\cfgmgr52 (53 subtraces) (ID = -2147479590)
7:47 PM: wmv2007.dbd (ID = 57693)
8:14 PM: Found Adware: spysheriff
8:14 PM: a0117780.exe (ID = 76698)
8:17 PM: wmv1920.dbd (ID = 57692)
8:21 PM: wmv0204.ddx (ID = 57683)
8:21 PM: wmv0504.ddx (ID = 57683)
8:21 PM: wmv0315.ddx (ID = 57683)
8:21 PM: wmv1204.ddx (ID = 57683)
8:21 PM: wmv0904.ddx (ID = 57684)
8:21 PM: wmv0412.ddx (ID = 57683)
8:21 PM: wmv0106.ddx (ID = 57679)
8:21 PM: wmv1125.ddx (ID = 57685)
8:21 PM: wmv1909.ddx (ID = 57684)
8:21 PM: Found Adware: security toolbar
8:21 PM: a0116659.bat (ID = 202688)
8:21 PM: Found Adware: spyfalcon
8:21 PM: a0116664.lnk (ID = 243376)
8:21 PM: Found Trojan Horse: vesbiz downloader
8:21 PM: thun.dll (ID = 82746)
8:22 PM: File Sweep Complete, Elapsed Time: 00:39:46
8:22 PM: Full Sweep has completed. Elapsed time 00:45:45
8:22 PM: Traces Found: 469
8:45 PM: Removal process initiated
8:45 PM: Quarantining All Traces: addestroyer
8:46 PM: Quarantining All Traces: bookedspace
8:46 PM: Quarantining All Traces: delfin
8:46 PM: Quarantining All Traces: accona toolbar accoona.com hijack
8:46 PM: Quarantining All Traces: rx toolbar
8:46 PM: Quarantining All Traces: aa cookie
8:46 PM: Quarantining All Traces: go.com cookie
8:46 PM: Quarantining All Traces: about cookie
8:47 PM: Quarantining All Traces: yieldmanager cookie
8:47 PM: Quarantining All Traces: adknowledge cookie
8:47 PM: Quarantining All Traces: hbmediapro cookie
8:47 PM: Quarantining All Traces: specificclick.com cookie
8:47 PM: Quarantining All Traces: nextag cookie
8:47 PM: Quarantining All Traces: belointeractive cookie
8:47 PM: Quarantining All Traces: adultfriendfinder cookie
8:47 PM: Quarantining All Traces: alt cookie
8:47 PM: Quarantining All Traces: ask cookie
8:47 PM: Quarantining All Traces: atwola cookie
8:47 PM: Quarantining All Traces: bannerspace cookie
8:47 PM: Quarantining All Traces: banner cookie
8:47 PM: Quarantining All Traces: belnk cookie
8:47 PM: Quarantining All Traces: bizrate cookie
8:47 PM: Quarantining All Traces: burstnet cookie
8:47 PM: Quarantining All Traces: gostats cookie
8:47 PM: Quarantining All Traces: ccbill cookie
8:47 PM: Quarantining All Traces: 2o7.net cookie
8:48 PM: Quarantining All Traces: columbiahouse cookie
8:48 PM: Quarantining All Traces: overture cookie
8:48 PM: Quarantining All Traces: customer cookie
8:48 PM: Quarantining All Traces: dealtime cookie
8:48 PM: Quarantining All Traces: desktop kazaa cookie
8:48 PM: Quarantining All Traces: exitexchange cookie
8:48 PM: Quarantining All Traces: clickandtrack cookie
8:48 PM: Quarantining All Traces: howstuffworks cookie
8:48 PM: Quarantining All Traces: hypertracker.com cookie
8:48 PM: Quarantining All Traces: kinghost cookie
8:48 PM: Quarantining All Traces: military cookie
8:48 PM: Quarantining All Traces: one-time-offer cookie
8:48 PM: Quarantining All Traces: outster cookie
8:48 PM: Quarantining All Traces: partypoker cookie
8:48 PM: Quarantining All Traces: pricegrabber cookie
8:48 PM: Quarantining All Traces: rn11 cookie
8:48 PM: Quarantining All Traces: adjuggler cookie
8:48 PM: Quarantining All Traces: clicktracks cookie
8:48 PM: Quarantining All Traces: tacoda cookie
8:48 PM: Quarantining All Traces: toplist cookie
8:49 PM: Quarantining All Traces: burstbeacon cookie
8:49 PM: Quarantining All Traces: myaffiliateprogram.com cookie
8:49 PM: Quarantining All Traces: seeq cookie
8:49 PM: Quarantining All Traces: yadro cookie
8:49 PM: Quarantining All Traces: spysheriff
8:49 PM: Quarantining All Traces: security toolbar
8:49 PM: Quarantining All Traces: spyfalcon
8:49 PM: Quarantining All Traces: vesbiz downloader
8:49 PM: Removal process completed. Elapsed time 00:03:50
********
7:29 PM: | Start of Session, Sunday, March 12, 2006 |
7:29 PM: Spy Sweeper started
7:29 PM: Sweep initiated using definitions version 630
7:29 PM: Starting Memory Sweep
7:31 PM: Sweep Canceled
7:31 PM: Memory Sweep Complete, Elapsed Time: 00:01:18
7:31 PM: Traces Found: 0
7:35 PM: Program Version 4.5.9 (Build 709) Using Spyware Definitions 630
7:36 PM: | End of Session, Sunday, March 12, 2006 |
********
7:26 PM: | Start of Session, Sunday, March 12, 2006 |
7:26 PM: Spy Sweeper started
7:28 PM: Your spyware definitions have been updated.
7:29 PM: | End of Session, Sunday, March 12, 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 9:05:56 PM, on 3/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Steve Harris\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cgi3.ocis.uncwil.edu/aquarius/AxisCamControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:54 AM

Posted 13 March 2006 - 09:23 AM

Your log is clean at the moment, but I cannot stress enough how important it is to update your XP. Without the updates SP1 and SP2, you are wide open to infections. You will get infected.

I cannot see any sign of SpyFalcon in your log. Try the following and see if it helps:

* Download Spyfalconfix from here:
http://www.martijnc.be/tools/sffix.exe
Download it to your desktop.
Double-click sffix.exe
Click the 'install' button.
This will create a new folder on your desktop called sffix.
Open that folder and click: Run.bat
Let the tool perform its job.

Restart your computer and

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results along with a new HijackThis log in your next reply and let me know if the icon is gone.

Edited by amateur, 13 March 2006 - 11:33 AM.


#5 WitsEnd

WitsEnd
  • Topic Starter

  • Banned
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:54 AM

Posted 13 March 2006 - 01:24 PM

I'll try and update the XP. I went to the link for SP1a that you gave me earlier and it downloaded a bunch (17MB) of updates, but it didn't say anything about SP1a, and I'm not sure if it installed or not. What I really need is to buy a new laptop, but I can't afford it right now, so I need to keep this one running a little longer.

OK, the icon in the application tray went away after the sffix.bat. The Panda scan found 53 spyware and 2 hacking tools. The results are posted below, and below that is the new HJT log.

Thanks for your help!

Steve


Incident Status Location

Adware:adware/bigtrafficnet Not disinfected C:\Documents and Settings\Steve Harris\Favorites\1111\1111.url
Spyware:spyware/commonname Not disinfected C:\WINDOWS\SYSTEM32\cnins.txt
Adware:adware/exact.searchbar Not disinfected C:\WINDOWS\SYSTEM32\eXacctSetup3.exe
Adware:adware/keenvalue Not disinfected C:\WINDOWS\BROWSERXTRAS\PN\remove.exe
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Adware:adware/consumeralertsystem Not disinfected C:\PROGRAM FILES\CasStub
Potentially unwanted tool:application/need2find Not disinfected C:\PROGRAM FILES\Need2Find
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Steve Harris\Favorites\1111
Adware:adware/spywareno Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@com[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@entrepreneur[1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@errorguard[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@microsofteup.112.2o7[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@searchportal.information[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@target[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@tucows[2].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@www47.buydomains[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.overture.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.tickle.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.centrport.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.gostats.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@com[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@entrepreneur[1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@errorguard[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@microsofteup.112.2o7[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@searchportal.information[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@target[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@tucows[2].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@www47.buydomains[1].txt

Logfile of HijackThis v1.99.1
Scan saved at 12:14:29 PM, on 3/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve Harris\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142268960983
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142268881899
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cgi3.ocis.uncwil.edu/aquarius/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
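
The helper's next reply is based on comparing the 12 March log above with this 13 March one. The following script is an added example (not code from BleepingComputer, the HijackThis project, or anyone in this thread) showing how to do that comparison mechanically: it parses the `Rn`/`On` entry lines of two logs, reports which entries disappeared and which appeared, and lists `O23` services whose publisher HijackThis could not identify. The `BEFORE` and `AFTER` strings are constructed excerpts of the two logs posted in this thread, trimmed to a few lines.

```python
"""Diff two HijackThis logs to see what a cleanup pass actually changed."""
import re
from collections import defaultdict

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path" or
# "R1 - HKCU\...". The process list and header carry no such prefix.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Constructed excerpts of the two logs posted in this thread (12 and 13 March).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
"""


def parse_hjt(text):
    """Return {section: set(entry bodies)} for one HijackThis log.

    Lines without an "Oxx - " / "Rx - " prefix (header, process list,
    blank lines) are ignored.
    """
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["section"]].add(m["body"])
    return dict(entries)


def diff_hjt(before_text, after_text):
    """Return (removed, added): entries only in the earlier / only in the later log.

    Each item is rebuilt as "Oxx - body" so it can be pasted back into a reply.
    """
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = [], []
    for section in sorted(set(before) | set(after)):
        old, new = before.get(section, set()), after.get(section, set())
        removed.extend(f"{section} - {body}" for body in sorted(old - new))
        added.extend(f"{section} - {body}" for body in sorted(new - old))
    return removed, added


def unknown_owner_services(text):
    """O23 services whose publisher HijackThis could not read from the binary."""
    return sorted(b for b in parse_hjt(text).get("O23", set()) if "Unknown owner" in b)


if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE, AFTER)
    print("Entries gone since the first log:")
    for line in removed:
        print("  -", line)
    print("Entries new in the second log:")
    for line in added:
        print("  +", line)
    print("Services with no identified publisher:")
    for line in unknown_owner_services(AFTER):
        print("  ?", line)
```

Read the output as a triage aid, not a verdict: in this thread the entries that appear in the second log are the Panda ActiveScan control and a Symantec service, both explained by the scans the helper asked for, while the SpySweeper Run entry simply stopped being started in the tray. "Unknown owner" only means the file carried no readable publisher information, so it is a prompt to check the path against the vendor, not evidence of infection.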

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:54 AM

Posted 13 March 2006 - 03:01 PM

Hi WitsEnd,

I can see that Windows Update wasn't successful. It didn't install. I see that you've been having problems with this computer since June 2005. Unless you have a fully patched operating system, you'll never be free of problems. I would advise you to back up everything and be prepared.

Please download the following programs, update them and install them following the instructions. I know that you already had them installed when you had your previous problems, but they are old. Please uninstall them from Add/Remove Programs first and then install the new versions:

Spybot S & D

Remember to "immunize" after updating so that the latest definitions can be enabled.

a. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
b. Close ALL windows except Spybot S&D
c. Click the button to 'Search for Updates' then download and install the Updates.

===============================

Ccleaner

o Double click on the file to start the installation of the program.
o Select your language and click OK, then next.
o Read the license agreement and click I Agree.
o Click next to use the default install location. Click Install then finish to complete installation.

o Double click the CCleaner shortcut on the desktop to start the program.
o On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
o If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
o Click on "Options" at the top of the window, then click on the "Advanced" button and deselect "Only delete files in Windows Temp folders older than 48 hours." Click on "OK."
o Click Run Cleaner to run the program.
o Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
o After CCleaner has completed its process, click Exit.

==============================

Adaware SE

Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:
  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Click Proceed. Do not run it yet.

===============================

Ewido Security Suite

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), do not run it yet.

===============================

Please set your system to show all files; please see here if you're unsure how to do this.

================================

Reboot your computer in Safe Mode using the F8 method below. Let me know if you run into any problems doing that:

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

================================

Using Windows Explorer, navigate to and delete the following files and folders:

C:\WINDOWS\SYSTEM32\cnins.txt
C:\WINDOWS\SYSTEM32\eXacctSetup3.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\smdat32a.sys

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Documents and Settings\Steve Harris\Favorites\1111
C:\PROGRAM FILES\CasStub
C:\WINDOWS\BROWSERXTRAS\PN
C:\PROGRAM FILES\Need2Find

C:\Documents and Settings\Steve Harris\Cookies <==== don't delete the folder but delete the contents of it.

================================

Run Ccleaner again

================================

Run Ewido Security Suite

Click on the Scanner button in the left menu, then click on Settings, and under "What to scan?", select "Every file" then click OK.
Then click on Complete System Scan. This scan can take quite a while to run.

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and then follow the instructions.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Do Not reboot yet.

=================================

Run Spybot S & D

Next click the button 'Check for Problems'
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows. Do not reboot yet.

==================================

Run Adaware SE

To start the scan, click "Scan Now" at left
  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
  • When the scan has completed, select Next.
  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.
==================================

Reboot in Normal Mode to complete the scan and clear memory.

==================================

Run Panda again.

==================================

Post a new HijackThis log, Panda scan result and the Ewido report.
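
The deletion list in this post is derived from the Panda report WitsEnd posted above: the helper kept the "Not disinfected" file and folder hits, handled the cookies by emptying the Cookies folder instead of listing each one, and left the registry items to the scanners. The script below is an added example (not code from BleepingComputer, Panda, or anyone in this thread) that performs that sorting step on a constructed excerpt of the report, deduplicating the cookie entries Panda lists twice. It builds lists only and deletes nothing; the paths it prints are meant to be checked by hand before anything is removed.

```python
"""Triage a Panda ActiveScan report: split 'Not disinfected' incidents into
files/folders, registry entries and tracking cookies, and deduplicate repeats."""
import re

# One report line: "<category>:<detection name> <status> <location>".
# The detection name may itself contain spaces ("Cookie/Atlas DMT"), so it
# is matched non-greedily up to the status phrase.
INCIDENT_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<location>.+)$"
)

# Constructed excerpt of the report posted earlier in this thread; the last
# line repeats an earlier cookie hit, as the real report did.
SAMPLE_REPORT = r"""Incident Status Location

Spyware:spyware/commonname Not disinfected C:\WINDOWS\SYSTEM32\cnins.txt
Adware:adware/keenvalue Not disinfected C:\WINDOWS\BROWSERXTRAS\PN\remove.exe
Potentially unwanted tool:application/need2find Not disinfected C:\PROGRAM FILES\Need2Find
Adware:adware/spywareno Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@2o7[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Steve Harris\Application Data\Mozilla\Firefox\Profiles\evonk5xj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Steve Harris\Cookies\steve harris@2o7[1].txt
"""


def parse_report(text):
    """Yield one dict per incident line; the header and blank lines are skipped."""
    for line in text.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(incident):
    """Bucket an incident by what kind of object Panda pointed at."""
    name, loc = incident["name"], incident["location"]
    if loc == "Windows Registry" or loc.startswith("HKEY_"):
        return "registry"
    # IE stores one file per cookie under \Cookies\; Firefox hits are
    # reported as cookies.txt[<domain>/].
    if name.startswith("Cookie/") or "\\Cookies\\" in loc or "cookies.txt[" in loc:
        return "cookies"
    return "files"


def triage(text):
    """Return sorted, deduplicated locations per bucket plus the raw incident count."""
    buckets = {"files": set(), "registry": set(), "cookies": set()}
    total = 0
    for inc in parse_report(text):
        total += 1
        if inc["status"] == "Not disinfected":
            buckets[classify(inc)].add(inc["location"])
    result = {k: sorted(v) for k, v in buckets.items()}
    result["total_incidents"] = total
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t['total_incidents']} incidents reported")
    for bucket in ("files", "registry", "cookies"):
        print(f"\n{bucket} ({len(t[bucket])} unique):")
        for loc in t[bucket]:
            print("  ", loc)
```

The "files" bucket is the raw material for the list in this post; the one judgement the script does not make is the helper's choice to remove the parent folder `C:\WINDOWS\BROWSERXTRAS\PN` rather than just `remove.exe` inside it, which is a call for the person reading the report, not the parser.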

#7 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:54 AM

Posted 26 March 2006 - 09:51 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



