Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Infection


  • This topic is locked This topic is locked
6 replies to this topic

#1 gbc

gbc

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:portugal
  • Local time:04:15 AM

Posted 18 March 2006 - 03:49 PM

Hi

I've got a problem with my mothers mobile computer, and I've tried everything i know and still couldn't solve it. The thing is that some time ago, it doesn´t turn off when it's supposed to. The only way to turn it off is by ending session and deactivate it. Also, when you turn it on, you often get a message about a process that failed when trying to run in dos mode or something like that.
I'm sending you an hijackthis log, so if you could have a look at it it would be great.

thanks,

GBC




Logfile of HijackThis v1.99.1
Scan saved at 20:29:09, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programas\TOSHIBA\Power Management\CePMTray.exe
C:\Programas\EzButton\CPLDBL10.EXE
C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
C:\Programas\TOSHIBA\TouchPad\TPTray.exe
C:\Programas\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Programas\QuickTime\qttask.exe
C:\WINDOWS\system32\msbcs.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Olympus\DeviceDetector\DevDtct2.exe
C:\Programas\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Programas\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Programas\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Programas\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [cmrss] C:\WINDOWS\system32\cmrss.exe
O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\system32\msbcs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Programas\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Programas\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 20 March 2006 - 07:12 AM

Hello GBC and welcome to the forum. You have several nasty trojans, I am not sure they are what is causing the shutdown issues, but let's remove them and see what happens. Please follow the directions in the posted order.
Some items later in the fix may be gone from earlier programs, not to be concerned, just do not miss any.

1) Download and update CWShredder from here: http://www.softpedia.com/get/Internet/Popu...WShredder.shtml then click on FIX not scan. Aloow the program to remove anything it locates. Post the scan results for me to view.

2) ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O4 - HKLM\..\Run: [cmrss] C:\WINDOWS\system32\cmrss.exe
O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\system32\msbcs.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\cmrss.exe >>> file (watch the spelling)

C:\WINDOWS\system32\msbcs.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

5) If you don't have a good cleaner, use this free one with these instuctions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan results, the CWS results, a new HJT log and your comments. Tell me how the computer is running.

Thanks...pskelley
BleepingComputer

Edited by pskelley, 20 March 2006 - 07:15 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 28 March 2006 - 06:55 AM

There has been no response to this topic in over a week :thumbsup:
This topic is closed

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#4 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 22 April 2006 - 05:28 PM

This topic has been reopened at the members request :thumbsup:

Posted for the member from PM.
Hi pskelley

I guess I must apollogise for not responding to your reply. I'm sorry, but it is my mom's computer and I was away so, it was only today that i've had time to pick it up. Anyway, the computer is much better and it also turns off ok so I guess the problem whatever it was is solved.
I´m sending you the logs you've requested, if you could take a look.


Logfile of HijackThis v1.99.1
Scan saved at 18:29:48, on 22-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programas\TOSHIBA\Power Management\CePMTray.exe
C:\Programas\EzButton\CPLDBL10.EXE
C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
C:\Programas\TOSHIBA\TouchPad\TPTray.exe
C:\Programas\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\ewido anti-malware\ewidoguard.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Olympus\DeviceDetector\DevDtct2.exe
C:\Programas\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Programas\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Programas\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Programas\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Programas\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programas\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 22 April 2006 - 06:07 PM

Your HJT log looks good, so here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

These two lines from the ewido scan need to be fixed:
C:\Documents and Settings\Chip7\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-264fe9e-1cbff317.zip/MainApp.class -> Trojan.ClassLoader.f : Erro durante a limpeza

The first one, follow these instructions to make sure your verion of Java is up to date, and to clean out the cache.
Updating Java and Clearing Cache
Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
http://www.java.com/en/download/manual.jsp

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
Downloaded Applets
Downloaded Applications
Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

I can't comprehend this one, or translate with my tool? You must find the bad and delete it. I will make it rojo.
C:\Documents and Settings\Chip7\Os meus documentos\Os meus ficheiros recebidos\20040901_1243 (D).zip/20040901_1243 (D)/crack.zip/start.exe -> Logger.Briss.j : Erro durante a limpeza

Finish these instructions I have posted and if all is well, you are good to go.

Gracias

Edited by pskelley, 22 April 2006 - 06:07 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#6 gbc

gbc
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:portugal
  • Local time:04:15 AM

Posted 26 April 2006 - 03:46 PM

Hi

First of all thanks for reopening the topic. I will perform this operations soon, and then I will tell you how they went.

Thanks

GBC

#7 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 04 May 2006 - 03:15 PM

Ten days with no response from this member, this topic is closed. :thumbsup:

pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users