
Life After Mirar Toolbar/qoologic


20 replies to this topic

#1 R2JJS


Posted 26 March 2006 - 12:55 PM

OK here goes,
I picked up the mirar toolbar with a mistaken click on the "yes" button on the popup. Nasty thing, it is gone now. (I believe)

Next I'm finding Qoologic.J - I think I've gotten rid of that also.

Here is where I'm at: after removal I still have 2 things showing in the virus scan (Panda), and in Internet Explorer I receive the "cannot find server" error. I think something is still blocking IE from working properly.

Panda shows Adware: PurityScan
CWS.Aboutblank

Thanks for any help you guys can offer - HJ log below

Logfile of HijackThis v1.99.1
Scan saved at 11:17:43 AM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\Documents and Settings\Ronald Jellison\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.29.16.127/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fxlvhni.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINDOWS\system32\ejrwx8drl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [gjZC2XV] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [dkrfwg] C:\WINDOWS\system32\esnnwi.exe reg_run
O4 - HKCU\..\Run: [ahyhx] C:\WINDOWS\system32\esnnwi.exe reg_run
O4 - HKCU\..\Run: [Eweu] "C:\Program Files\eect\rcbo.exe" -vt yazb
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud9.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud9.sports.yahoo.com/java/y/nflst8231_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (ExpressView Class) - http://www.pgc.state.pa.us/pgc/game/maps/exview_setup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094398220932
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137726287859
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINDOWS\system32\ejrwx8drl.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#2 -David-


Posted 30 March 2006 - 12:38 PM

Hi R2JJS!

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

I see that you have Ewido installed on your computer.
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.29.16.127/bar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fxlvhni.exe
O2 - BHO: Yvakt Class - {98B9F201-C701-41F1-B338-7E5E0E6D768F} - C:\WINDOWS\system32\ejrwx8drl.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [gjZC2XV] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [dkrfwg] C:\WINDOWS\system32\esnnwi.exe reg_run
O4 - HKCU\..\Run: [ahyhx] C:\WINDOWS\system32\esnnwi.exe reg_run
O4 - HKCU\..\Run: [Eweu] "C:\Program Files\eect\rcbo.exe" -vt yazb
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINDOWS\system32\ejrwx8drl.dll


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\fxlvhni.exe <--file
C:\WINDOWS\system32\ejrwx8drl.dll <--file
C:\WINDOWS\system32\slk8x2peu.exe <--file
C:\WINDOWS\system32\esnnwi.exe <--file
C:\WINDOWS\ZIFI002.exe <--file
C:\Program Files\eect <--folder

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

Please reboot back into normal mode and post back with a new Hijackthis log and the Ewido log. Once we have cleared your malware we can try and deal with the other problems you are facing.
David

#3 R2JJS


Posted 31 March 2006 - 11:35 AM

Thank you, David, for your help. I think I've cleaned out the bad crap. The ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:11:57 PM, 3/30/2006
+ Report-Checksum: ACDD8980

+ Scan result:

No infected objects found.


::Report End

The Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:30 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe

It was after running ewido the first time that I lost the ability to connect to the internet or to my home network. I guess that was kind of a blessing; it prevented this crap from re-downloading!!

(That was also my prompt to look for help!!!!)

So here we are, I think we are OK to proceed.

Again, thank you for your help.

Ron

#4 -David-


Posted 01 April 2006 - 03:20 AM

Hi R2JJS

Let me just confirm something with you: you lost the internet connection after running Ewido for the first time, before I gave you instructions? Also, can you tell me whether you have the internet connection back or not, as I cannot tell.

Ewido has returned a clean log, so that's good news. However, you did not post a full HijackThis log, only the very top bit. So please run a new scan and post the whole log.

David

Edited by D-Trojanator, 01 April 2006 - 03:20 AM.


#5 R2JJS


Posted 01 April 2006 - 12:11 PM

HI David,

Bad cut and paste on the HJT log; I have reposted it below.

This has been frustrating; I don't think I've ever had a problem with computers that I have not been able to fix on my own. With that being the case, my bad on the ewido: I ran that prior to posting my original post. In most replies to problems I saw that as a common tool to remove malware. I will post the original ewido log also.

Let me give a better timeline of events:

Infection - mirar

Tried to remove Mirar with the tools on the Mirar site (of course they are sorry to see me go - the bastards).

Ran all the antivirus and adware programs that I had at the time; still plagued with popups galore.
Norton AntiVirus, Adaware, Spybot and Noadware

In looking for solutions I ran across this site and followed all the instructions in the "before you post HJT logs" guide.

I saw ewido was a common suggestion for a lot of repairs. Downloaded it and ran it in safe mode (I still thought I could solve this without adding to your load on the board).

After running ewido I lost the ability to connect to the internet; I remain in that condition.

Posted my problem and have not made any changes without your advice...

Logs as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:30 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud9.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud9.sports.yahoo.com/java/y/nflst8231_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (ExpressView Class) - http://www.pgc.state.pa.us/pgc/game/maps/exview_setup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094398220932
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137726287859
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


First Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:42:03 PM, 3/25/2006
+ Report-Checksum: 5718FA5C

+ Scan result:

HKU\S-1-5-21-746137067-1060284298-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-746137067-1060284298-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-746137067-1060284298-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjk4oiczmgpq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjl4knc5agpw-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjlookc5gdow-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjlyaod5kkpq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1kdzilpgidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@1shz2prbmdj6wvny-1sez2pra2dj6wjny-1pcjkdpg-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@a.tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@ads.link4ads[2].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@download.com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@e-2dj6wjliqpajohq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@e-2dj6wjny-1gc5wc.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@grouplotto.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@www.click2begin[2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@www5.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@www6.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkislcjweogudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkispdjcdogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiuhdzmdqa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiuod5olpgydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkoqlcjkdoqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkychd5clowwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkygjczmbogmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyoic5wfqaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4ejczccpwqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4gkcpokpaudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoancpweqaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkouodjocowwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkownajkapa6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkowocjcapaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkowocpwepgsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkowpczceoa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykndjwboqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysjd5wbqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4umcjwbpq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4wjd5ehpg2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4wjd5mcoaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliepdpafpawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlikkcjefpgidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliqmdpccqqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlisjcpoepawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyalajcepwwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyanczkcqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlycgcjadoqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlycjdpecpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyonczwapgqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyunczshpqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmikoazkgoasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmiujcjsgoqmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmyqlc5igpqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmywmc5mapq6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyagdzkdowudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyoldjehowmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\C0D45.tmp/ny8jr.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjk4oiczmgpq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sczwdpqudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@grouplotto.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4gkcpokpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkownajkapa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyakd5wlpw6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4glc5geogudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4sic5caog6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4sic5kgpwidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4wjd5ehpg2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyunajgcowqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Program Files\NoAdware4\noadwareutils.dll -> Adware.WebRebates : Cleaned with backup
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\ny8jr.exe -> Trojan.Runner.h : Cleaned with backup


::Report End

Original Panda activescan report:

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\PROGRAM FILES\EECT\RCBO.EXE
Adware:Adware/PurityScan Not disinfected C:\Program Files\eect\rcbo.exe
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\kannnqt.dll
Adware:Adware/SideStep Not disinfected C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\data.~
Adware:adware/sidestep Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe01f.inf
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Ronald Jellison\Application Data\Lycos
Adware:adware/powerscan Not disinfected Windows Registry
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@kount[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@outster[1].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@pop.mircx[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@target[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webpower[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webpower[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webpower[4].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@kount[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@outster[1].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@pop.mircx[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@target[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webpower[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webpower[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ronald Jellison\Cookies\ronald jellison@webpower[4].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@abetterinternet[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@com[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@go[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@offeroptimizer[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@rightmedia[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\Cookies\ronald jellison@www.myaffiliateprogram[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@belnk[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@dist.belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@gostats[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@rn11[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@stats1.reliablestats[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@www.burstbeacon[3].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@www.myaffiliateprogram[3].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@www.web-stat[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Ronald Jellison\Local Settings\Temp\NoadwareBkupTemp\ronald jellison@yadro[3].txt
Adware:Adware/PurityScan Not disinfected C:\Program Files\eect\rcbo.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\?ppPatch\r?ndll.exe
Spyware:Spyware/BetterInet Not disinfected C:\RECYCLER\NPROTECT\00050649.inf
Adware:Adware/Qoologic Not disinfected C:\RECYCLER\NPROTECT\00050831.dat
Adware:Adware/SideStep Not disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Adware:Adware/SideStep Not disinfected C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\SYSTEM32\MSCStat2.exe
Virus:Trj/Agent.BPC Not disinfected C:\WINDOWS\SYSTEM32\pwinorag.exe
Sorry David, I did not mean to misinform by omission.

Thank You
Ron

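As an added example (not code from this thread, from Panda or from BleepingComputer), a small Python triage helper for reports in the "Incident Status Location" format quoted above: it parses each incident line, collapses duplicates that differ only in path case (Windows paths are case-insensitive, so the two RCBO.EXE hits are one file), separates tracking cookies and registry-only hits from files that actually need attention, and flags paths containing "?" (characters the scanner could not render). The sample report is constructed from a few of the lines in this thread, with the user-profile path made generic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One line of a Panda ActiveScan report, as quoted in this thread:
#   <Category>:<Detection name>  <Status>  <Location>
# The detection name may itself contain spaces ("adware program"),
# so it is matched lazily up to the status keyword.
_LINE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+"
    r"(?P<location>.+)$"
)

# Constructed sample: a handful of lines adapted from the report in this
# thread (profile path genericised). Not a full scan result.
SAMPLE_REPORT = """\
Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\\PROGRAM FILES\\EECT\\RCBO.EXE
Adware:Adware/PurityScan Not disinfected C:\\Program Files\\eect\\rcbo.exe
Adware:Adware/Qoologic Not disinfected C:\\WINDOWS\\system32\\kannnqt.dll
Adware:adware program Not disinfected C:\\WINDOWS\\SYSTEM32\\data.~
Adware:adware/powerscan Not disinfected Windows Registry
Spyware:Cookie/Kount Not disinfected C:\\Documents and Settings\\User\\Cookies\\user@kount[1].txt
Spyware:Cookie/Kount Not disinfected C:\\Documents and Settings\\User\\Cookies\\user@kount[1].txt
Adware:Adware/PurityScan Not disinfected C:\\Program Files\\?ppPatch\\r?ndll.exe
Virus:Trj/Agent.BPC Not disinfected C:\\WINDOWS\\SYSTEM32\\pwinorag.exe
"""


@dataclass(frozen=True)
class Incident:
    category: str   # "Adware", "Spyware", "Virus", ...
    name: str       # detection name, e.g. "Adware/PurityScan"
    status: str     # e.g. "Not disinfected"
    location: str   # file path, or "Windows Registry"


def parse_report(text):
    """Turn report text into a list of Incident records, skipping the header
    and anything that does not look like an incident line."""
    incidents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = _LINE.match(line)
        if m:
            incidents.append(Incident(m["category"], m["name"].strip(),
                                      m["status"], m["location"].strip()))
    return incidents


def dedupe(incidents):
    """Collapse entries that are the same detection at the same location.
    Windows paths are case-insensitive, so the comparison uses casefold()."""
    seen = set()
    unique = []
    for inc in incidents:
        key = (inc.name.casefold(), inc.location.casefold())
        if key not in seen:
            seen.add(key)
            unique.append(inc)
    return unique


def triage(incidents):
    """Sort unique incidents into buckets an analyst reads in different ways:
    files to remove, tracking cookies (low priority), registry-only hits
    (no file to delete), and file paths containing '?' which usually means
    characters the scanner could not render and deserve a closer look."""
    buckets = {"files": [], "cookies": [], "registry": [], "odd_paths": []}
    for inc in dedupe(incidents):
        if inc.name.casefold().startswith("cookie/"):
            buckets["cookies"].append(inc)
        elif inc.location.casefold() == "windows registry":
            buckets["registry"].append(inc)
        else:
            buckets["files"].append(inc)
            if "?" in inc.location:
                buckets["odd_paths"].append(inc)
    return buckets


def by_family(incidents):
    """Map each detection name to the distinct locations it was found at."""
    families = defaultdict(list)
    for inc in dedupe(incidents):
        families[inc.name].append(inc.location)
    return dict(families)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(found).items():
        print(f"{bucket}: {len(items)}")
    for family, paths in by_family(found).items():
        print(family)
        for p in paths:
            print("   ", p)
```

Run it against a saved report to get a de-duplicated per-family list before deciding what to delete; the cookie bucket can usually be cleared in bulk while the files bucket is handled item by item.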
#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:59 PM

Posted 01 April 2006 - 02:43 PM

Hi R2JJS!

I have a plan. You had a Qoologic infection and it just disappeared, which I suppose is a good sign. If this had happened a month ago I would have said Ewido killed the infection. However, Qoologic has changed a bit and the infection is structured a little differently, and Ewido no longer kills it all. You do have quite a few bad things in that Panda log, including some leftover Qoologic files.

I want you to do 2 things. Firstly, I want you to do another Panda scan. This will give me an updated list of the malware on your computer - I don't want you going around trying to delete a file that's not actually there. The second thing I want you to do is to run another scanner called BlackLight. Conventional scanners such as Ewido and Panda cannot find super-hidden files, and Qoologic has a nasty habit of hiding some files. Also, BlackLight will show any rootkits that may be hiding on your computer.

Please download and save BlackLight to your C:\. Important!!
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Then go to Start > Run and copy and paste the next command into the field:

C:\blbeta.exe /expert

This should open your BlackLight.
Click > Scan, then > Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

So please post back with:
1) A new Panda Log
2) BlackLight Log
3) Hijackthis log (new one)

Good luck, and I'm behind you all the way,
David

#7 R2JJS

R2JJS
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Location:Pa. USA
  • Local time:09:59 AM

Posted 02 April 2006 - 01:20 PM

Hi D-Trojanator,

David, here goes. Panda ActiveScan: can't run, unable to access the internet. I have Panda Titanium installed and am getting a clean bill of health with that.

I've reviewed the order of events after thinking a bit. While following the pre-posting guidelines I was impressed with the amount of bad stuff Panda's ActiveScan found. So after running all the online scans (Housecall, Panda and BitDefender, plus McAfee Stinger), I switched antivirus programs on this computer. I removed Norton 2004 and installed Panda Titanium.

I then proceeded to remove all threats that Panda Titanium found - I still had internet access at this point.

It was after having the same threats recurring in Panda that I ran Ewido the first time (in safe mode). This is when I lost internet access.

Let me cover internet access better. I connect across a LAN. After checking a little better I find that this may be a networking problem, because I cannot access or see any of the other computers on the network. Is it possible that in removing this adware I've lost a file critical to networking?

OK, here is the rest. I found 2 BlackLight logs, posting both, and my newest HJT log:

What a nut! I just realised that when I ran BlackLight the first time, it started checking a drive (F:) that I was pulling data from for a friend. I stopped BlackLight, unplugged the drive, and ran it again. Bingo, 2 logs.

04/02/06 12:31:26 [Info]: BlackLight Engine 1.0.33 initialized
04/02/06 12:31:26 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/02/06 12:31:26 [Note]: 7019 4
04/02/06 12:31:26 [Note]: 7005 0
04/02/06 12:31:37 [Note]: 7006 0
04/02/06 12:31:37 [Note]: 7022 0
04/02/06 12:31:37 [Note]: 7011 1516
04/02/06 12:31:37 [Note]: FSRAW library version 1.7.1015
04/02/06 12:32:20 [Error]: 6019 0
04/02/06 12:32:55 [Note]: 7007 0

04/02/06 12:33:05 [Info]: BlackLight Engine 1.0.33 initialized
04/02/06 12:33:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/02/06 12:33:05 [Note]: 7019 4
04/02/06 12:33:05 [Note]: 7005 0
04/02/06 12:33:11 [Note]: 7006 0
04/02/06 12:33:11 [Note]: 7022 0
04/02/06 12:33:11 [Note]: 7011 1516
04/02/06 12:33:11 [Note]: FSRAW library version 1.7.1015
04/02/06 13:14:08 [Note]: 7007 0

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:15 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud9.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud9.sports.yahoo.com/java/y/nflst8231_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (ExpressView Class) - http://www.pgc.state.pa.us/pgc/game/maps/exview_setup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094398220932
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137726287859
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thank you for looking at this with me

Ron

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:59 PM

Posted 02 April 2006 - 02:40 PM

Hey Ron :thumbsup:

I understand now! There are a number of things we could do to try and get your internet explorer connection back, but before doing so I think it would be a good idea to remove the malware files from the Panda log as that may well return the connection. If, after removing the file, the connection in IE is still gone we can try some free tools!

The BlackLight log is looking very good, it shows that Qoologic did not hide any files along the way. However I want to run a batch file that will unearth some leftover entries from the dead Qoologic infection. We can do that at the end. In answer to your question, it is very possible that deleting a malware file killed your IE connection, infections such as New.Net can do that unfortunately.

Please set your system to show all files; please see here if you're unsure how to do this.

I think that it's wise to delete the following files in Safe Mode, so boot into Safe Mode (without networking support!) by pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar); you will be brought to a menu where you can choose to boot into Safe Mode.

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe01f.inf
C:\WINDOWS\Downloaded Program Files\SbCIe026.dll

Go to start > run and type regsvr32 occache.dll

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\eect <--folder
C:\WINDOWS\system32\kannnqt.dll <--file
C:\WINDOWS\SYSTEM32\data.~ <--file
C:\Documents and Settings\Ronald Jellison\Local Settings\Temporary Internet Files\Ssk.log <--file
C:\WINDOWS\SYSTEM32\MSCStat2.exe <--file
C:\WINDOWS\SYSTEM32\pwinorag.exe <--file

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please now boot back to normal mode.

* Open notepad and copy and paste next in it:

dir C:\WINDOWS\system32\t?skmgr.exe /a h > files.txt
notepad files.txt

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: [image]
Doubleclick look.bat and copy the contents of the text file that opens back here.

* Download FindQool.zip save it to your C:\.
http://downloads.subratam.org/Lon/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text opens.
Post this in your next reply

* So please post back with a new HJT log, the Qlocate log and the look.bat results. Also please let me know what you are using to access this forum, e.g. Firefox etc.

David
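The look.bat above uses a single-character wildcard (`t?skmgr.exe`) so that any file whose name is one character away from the genuine taskmgr.exe is listed next to it. The script below is an added example, not part of the thread and not run on the poster's machine: it performs the same look-alike check with Python's fnmatch over a throwaway folder it creates itself, so it runs offline. The file names it creates are constructed sample data.

```python
"""Added example: flag look-alike copies of a system binary.

Mirrors the look.bat idea (dir C:\\WINDOWS\\system32\\t?skmgr.exe): list every
name that matches the wildcard pattern, then report the ones that are NOT the
expected name.  The folder and file names in demo() are constructed for the
example; nothing here comes from the thread's logs.
"""
import fnmatch
import os
import tempfile


def find_lookalikes(directory, expected="taskmgr.exe", pattern="t?skmgr.exe"):
    """Return names in `directory` that match `pattern` but are not exactly
    `expected`.  Comparison is case-insensitive, like cmd's dir on NTFS."""
    hits = []
    for name in os.listdir(directory):
        lowered = name.lower()
        if fnmatch.fnmatch(lowered, pattern.lower()) and lowered != expected.lower():
            hits.append(name)
    return sorted(hits)


def demo():
    """Build a temporary folder holding the genuine name, two constructed
    look-alikes and two unrelated files, and return what the check flags."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("taskmgr.exe",      # genuine name: must not be flagged
                     "tsskmgr.exe",      # constructed look-alike (one char off)
                     "t4skmgr.exe",      # constructed look-alike (one char off)
                     "taskmgr.exe.bak",  # does not match the pattern
                     "notepad.exe"):     # unrelated file
            open(os.path.join(tmp, name), "wb").close()
        return find_lookalikes(tmp)


if __name__ == "__main__":
    print(demo())  # → ['t4skmgr.exe', 'tsskmgr.exe']
```

Pointing `find_lookalikes` at a real `C:\WINDOWS\system32` with the defaults reproduces the batch file's check; widening `pattern` (for example `*askmgr*.exe`) catches names that add characters rather than swapping one.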

#9 R2JJS

R2JJS
  • Topic Starter

  • Members
  • 11 posts
  • Location:Pa. USA
  • Local time:09:59 AM

Posted 02 April 2006 - 04:38 PM

Hi David.

Check off the list of items you just posted. I went through one by one and took the liberty of doing a search on all of the files I was supposed to remove in addition to looking at the places you indicated. This led me to find Spybot had removed the SbCIe files, but still had them in a recovery area. I removed them from there also.

Most of the other files had already been Removed.

Look.bat, Qlocate.bat and Hijackthis logs as follows:

Look
Volume in drive C has no label.
Volume Serial Number is 9026-57FB

Directory of C:\WINDOWS\system32

08/04/2004 03:56 AM 135,680 taskmgr.exe
1 File(s) 135,680 bytes

Directory of C:\


Qlocate
Sun 04/02/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu]
@="{48f45200-91e6-11ce-8a4f-0080c81a28d4}"

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman 2005
Findqool edited 3/26/2006


HJT
Logfile of HijackThis v1.99.1
Scan saved at 5:10:48 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud9.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud9.sports.yahoo.com/java/y/nflst8231_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (ExpressView Class) - http://www.pgc.state.pa.us/pgc/game/maps/exview_setup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094398220932
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137726287859
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thank You
Ron

#10 R2JJS

R2JJS
  • Topic Starter

  • Members
  • 11 posts
  • Location:Pa. USA
  • Local time:09:59 AM

Posted 02 April 2006 - 05:10 PM

Hi David: I forgot you did ask how I was posting, I have two computers on my home network and am transferring data via CD. The second computer is running IE6 and XP Pro.
Thanks
Ron

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:59 PM

Posted 03 April 2006 - 02:40 AM

Hello!

This is where it gets slightly complicated, but don't worry, I'll try and make it as simple as possible. I'm going to refer to the computer whose internet is not working as "broken" so don't take offence! :thumbsup:

From the networked computer when the internet works please download Winsock XP Fix. You need to transfer this to the broken computer using CD or whatever.

Transfer the program to the "broken" desktop. Close every other program, then open winsockxpfix and click reg backup. Save the reg backup somewhere. After that is done, click the fix button of winsockxpfix. Then reboot and let me know what happens. Also I need to see a new Panda scan.

David

#12 R2JJS

R2JJS
  • Topic Starter

  • Members
  • 11 posts
  • Location:Pa. USA
  • Local time:09:59 AM

Posted 03 April 2006 - 08:16 PM

Hi David,

Had to wait till after work, downloaded and ran Winsock XP Fix on the "broken" computer. Hee Hee no offense taken :thumbsup: It's still broke... unable to see computers on the network or connect to the internet.
(so I can't run Panda ActiveScan) I've run Panda Titanium again, it comes up clean, 0 infections. I looked at the log for Panda Titanium and it looks huge. It has logged everything from first startup. Post that?

Thanks

Ron

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:59 PM

Posted 04 April 2006 - 06:22 AM

Hello R2JJS!

I am going to have to research your log for a while and find a fix. I'm going to ask a few experts their opinions also, so it may be a day or so before you get a reply. Don't worry, I won't forget you!

David

#14 R2JJS

R2JJS
  • Topic Starter

  • Members
  • 11 posts
  • Location:Pa. USA
  • Local time:09:59 AM

Posted 04 April 2006 - 10:26 AM

Hi D-Trojanator,


Understood

A thought crossed my mind, I did back up my registry prior to making many changes (I'll have to check when I'm home from work). Possible to fix by going back to the saved registry and then working our way back up?

Ron

#15 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:59 PM

Posted 05 April 2006 - 02:29 AM

Hello there Ron,

Leave the registry backup for now - if you did that you'd bring back all the rubbish we just removed!

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Please enter your Control Panel
Click on the Java tab > General tab
Temporary Internet Files > Delete Files
Checkmark all 3 options and click OK.

* Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following:

Every out-of-date Java version. The most current is jre1.5.0_06, so uninstall anything earlier than that, i.e. 1.4.1_05.

* Have you looked at the security and network settings in Panda? Did you change anything in there, as that may have caused you to lose the connection.

Let me know,
David
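Two of the checks the helper does by eye in this thread can be scripted: comparing two HijackThis logs posted days apart to see which entries appeared or vanished, and flagging O16 (Downloaded Program Files / ActiveX) entries that carry no download URL, which is what the "Fix Checked" step above removes. The script below is an added example, not the thread's own tool; the two log excerpts inside it are constructed, modelled on the format of the logs posted above rather than copied from anyone's machine.

```python
"""Added example: triage HijackThis 1.99.1 logs.

parse_hjt()        -> {section: [entry, ...]} for the R/F/N/O lines
diff_logs()        -> (added, removed) between two logs, ignoring order
o16_without_url()  -> O16 entries whose trailing URL field is empty

OLD_LOG / NEW_LOG are constructed excerpts in the thread's log format.
"""
import re

# Every section line looks like "O16 - <entry>"; the process list and
# header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")

OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:10:48 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: Yahoo! NFL StatTracker - http://aud9.sports.yahoo.com/java/y/nflst8231_x.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Constructed "after" log: same machine once the two URL-less O16 entries
# have been fixed in HijackThis.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:00:00 AM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: Yahoo! NFL StatTracker - http://aud9.sports.yahoo.com/java/y/nflst8231_x.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""


def parse_hjt(text):
    """Group the section lines of a HJT log by their section tag."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed): full 'O16 - ...' lines present in only one log."""
    def flat(text):
        return {f"{sec} - {e}" for sec, items in parse_hjt(text).items() for e in items}
    old, new = flat(old_text), flat(new_text)
    return sorted(new - old), sorted(old - new)


def o16_without_url(text):
    """O16 entries end in ' - <url>'.  A bare trailing ' -' means the control
    is registered but HJT found no source URL for it; list those."""
    flagged = []
    for entry in parse_hjt(text).get("O16", []):
        _name, sep, url = entry.rpartition(" -")
        if sep and not url.strip():
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in o16_without_url(OLD_LOG):
        print("O16 with no URL:", e)
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print("added:", added)
    print("removed:", removed)
```

Run against the two full logs in this thread, `diff_logs` shows the 3/26 and 4/2 logs are identical in their section lines, which is why the helper moved on to the O16 entries and the Winsock catalog rather than to further file deletions.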
