Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Guardservices, Blank & Troj.se77291


  • This topic is locked This topic is locked
7 replies to this topic

#1 davieg

davieg

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 27 April 2006 - 03:31 PM

Hi,

As you can see i'm having problems, I recently remove Norton as it was causing me so many problems one of which was the inability to run Firefox, based on the recommendations of Castle Cops I've installed Zone Alarm, AVG, a2 amongst many other tools. I've followed your advice in the preparation guide but I'm still left with guardservices / blank as my IE start page and when I run the housecall antivirus I'm always left with troj.se77291.

I've tried running aboutbuster but that hasn't cleared IE and the last time I ran Panda anti-virus there were 20 infections, have gone through the preparation again I cannot now load Panda without an error and no means of starting a scan.

I hope you can help as I've been struggling with this for 3 days now.

Thanks in advance

davieG

Logfile of HijackThis v1.99.1
Scan saved at 21:14:21, on 27/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\a2\a2guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\John\Local Settings\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} -

C:\WINDOWS\system32\hp81D2.tmp
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program

Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program

Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program

Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinMem] C:\Program

Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search

& Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program

Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Search -

http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file

missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft

SmartIssue) -

https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script

Runner Class) -

https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia

Authorware Web Player Control) - file://c:\program files\internet

explorer\plugins\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -

https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE

Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.microsoft.com/microsoftupdat...s/en/x86/client

/muweb_site.cab?1146168313453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8570C26-6548-4860-B60E-1501E38A1023} (CompInfo.Server) -

http://www.pcservicecall.co.uk/RemoteSupport/CompInfo.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI

Registry Information Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload

Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo

Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} -

http://66.117.37.13/dba2218.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager

(brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service

(file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother

Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Freeloader Subscription Service - Unknown owner -

C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader

Subscription Service File.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:28 AM

Posted 28 April 2006 - 07:32 AM

Hello davie,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Please disable Spybot's Teatimer, since it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If Teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
(How to disable TeaTimer during HijackThis Cleanup)
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Also, please unzip HijackThis.exe to a permanent file (eg. C:\HijackThis) or your Desktop,
so backups can be made.

1. Download roguescanfix.exe to your desktop.
Doubleclick roguescanfix.exe to install.
This will create a new folder on your desktop called roguescanfix.
Do not use this yet!

2. Run HijackThis and check the following entries:O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
Close all open windows EXCEPT HIJACKTHIS and click Fix Checked. Close HijackThis.

3. Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
4. Open the roguescanfix folder and click: Run.bat
This tool needs internet connection so it can download an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
Let the tool perform its job.
The icons will disappear temporarely from your desktop, and reappear. This is normal.
Wait until the message Completed script execution is displayed, and click OK.
Click Exit to close down bfu.
Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES.

5. Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

6. Post the contents of the Panda scan report in your next reply along with a new HijackThis Log,
by using Add Reply.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 davieg

davieg
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 28 April 2006 - 08:42 AM

Hi BMThor

I've not been too successful, could be me, could be my PC.

I've carried out everything you advised, (although I'm not sure I disabled Teatimer properly in that I had no System Start up warning - I did revisit Spybot and the Resident Teatimer box was still unticked) but came unstuck when I got to Action 4, as in:

"Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES."


I did not understand what these were.

I also found I couldn't run Panda Online - IE still comes up with blank and when I clicked on Scan, nothing happened.

I'm not sure how relevant it is but here's my latest Hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 14:37:27, on 28/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://c:\program files\internet explorer\plugins\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146168313453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8570C26-6548-4860-B60E-1501E38A1023} (CompInfo.Server) - http://www.pcservicecall.co.uk/RemoteSupport/CompInfo.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Freeloader Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Subscription Service File.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for your help so far and I apologise if I'm being a bit 'slow' :thumbsup:

davieG

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:28 AM

Posted 28 April 2006 - 12:41 PM

Hello davie,

Please don't apologise, it looks like you did just fine. :thumbsup:

Spybot's TeaTimer is no longer running, so that's OK,
and you killed the infection, so that's even better.

Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES.

This just means, IF an uninstaller is found by the tool, it will ask you to start it.
So if there is no longer an uninstaller present, it doesn't ask anything.

I also found I couldn't run Panda Online - IE still comes up with blank and when I clicked on Scan, nothing happened

This might mean your Internet Explorer settings are set somewhat to strict,
you could return them to Standard settings (through Control Panel > Internetoptions),
or, and then that's my mistake, you tried running it in your Firefox browser, which doesn't support the ActiveX controller. It has to be run from Internet Explorer.
If that does not work :
This a is good online scanner as well : http://www.kaspersky.com/kos/english/kavwebscan.html
and so is this one : http://www.bitdefender.com/scan8/ie.html
They are meant as a checkup for leftovers, so pick one you like, just try to get me a result log. :flowers:

Finally, run HijackThis again and check the following entry:O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - (no file)
Close all open windows EXCEPT HijackThis and click Fix Checked. Close HijackThis.

How are things running now?
Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 davieg

davieg
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 28 April 2006 - 04:02 PM

Hi BMThor

On the face of it not too many obvious problems, although the reports seem to tell a different story. Ref Panda I was using IE but it just wont start the scan, even with the other two programmes i had to copy the properties into another IE window. I've checked my IE security level and its says it set as normal. Any further advice on this would be most welcome.

davieG

Bitfinder Report:

BitDefender Online Scanner
Scan report generated at: Fri, Apr 28, 2006 - 21:13:14

Scan path: A:\;C:\;D:\;E:\;G:\;H:\;I:\;J:\;K:\;

Statistics
Time 01:15:05
Files 357438
Folders 5999
Boot Sectors 2
Archives 7901
Packed Files 30032

Results
Identified Viruses 3
Infected Files 6
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 7

Engines Info
Virus Definitions 372526
Engine build AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins 13
Archive plugins 39
Unpack plugins 4
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status
C:\Documents and Settings\John\.housecall\Quarantine\A0224137.exe.bac_a02896=>(Quarantine-4) Infected with: Trojan.Downloader.Zlob.IP
C:\Documents and Settings\John\.housecall\Quarantine\A0224137.exe.bac_a02896=>(Quarantine-4) Disinfection failed
C:\Documents and Settings\John\.housecall\Quarantine\A0224137.exe.bac_a02896=>(Quarantine-4) Deleted
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000006.tlb Infected with: Trojan.Downloader.Zlob.IJ
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000006.tlb Disinfection failed
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000006.tlb Deleted
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000089.tlb Infected with: Trojan.Downloader.Zlob.IJ
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000089.tlb Disinfection failed
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000089.tlb Deleted
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000108.tlb Infected with: Trojan.Downloader.Zlob.IJ
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000108.tlb Disinfection failed
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000108.tlb Deleted
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000122.tlb Infected with: Trojan.Downloader.Zlob.IJ
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000122.tlb Disinfection failed
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000122.tlb Deleted
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000170.exe Infected with: Trojan.Downloader.Zlob.IO
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000170.exe Disinfection failed
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000170.exe Deleted

Kaspersky report:

KASPERSKY ON-LINE SCANNER REPORT
Friday, April 28, 2006 9:49:40 PMOperating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)Kaspersky On-line Scanner version: 5.0.78.0Kaspersky Anti-Virus database last update: 28/04/2006Kaspersky Anti-Virus database records: 178969

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\C:\D:\E:\G:\H:\I:\J:\K:\

Scan Statistics
Total number of scanned objects 66134
Number of viruses found 3
Number of infected objects 6
Number of suspicious objects 4
Duration of the scan process 01:03:28

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy4.zip/msexreg.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy4.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip/trkgif.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\John\.housecall\Quarantine\A0224137.exe.bac_a02896 Infected: Trojan-Downloader.Win32.Zlob.mk skipped

C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000006.tlb Infected: Trojan-Downloader.Win32.Zlob.mo skipped

C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000089.tlb Infected: Trojan-Downloader.Win32.Zlob.mo skipped

C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000108.tlb Infected: Trojan-Downloader.Win32.Zlob.mo skipped

C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000122.tlb Infected: Trojan-Downloader.Win32.Zlob.mo skipped

C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\A0000170.exe Infected: Trojan-Downloader.Win32.Zlob.mo skipped

Scan process completed.

Hijackthis Report:

Logfile of HijackThis v1.99.1
Scan saved at 21:55:06, on 28/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program

Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program

Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program

Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinMem] C:\Program

Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program

Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Search -

http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file

missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft

SmartIssue) -

https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script

Runner Class) -

https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)

- http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia

Authorware Web Player Control) - file://c:\program files\internet

explorer\plugins\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -

https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE

Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.microsoft.com/microsoftupdat...s/en/x86/client

/muweb_site.cab?1146168313453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8570C26-6548-4860-B60E-1501E38A1023} (CompInfo.Server) -

http://www.pcservicecall.co.uk/RemoteSupport/CompInfo.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI

Registry Information Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload

Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo

Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager

(brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service

(file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother

Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Freeloader Subscription Service - Unknown owner -

C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader

Subscription Service File.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:28 AM

Posted 28 April 2006 - 04:51 PM

Hello davie,

Your log looks clean again. :thumbsup:

On the face of it not too many obvious problems, although the reports seem to tell a different story.

No they don't. It will take a 3-step cleanup :

1. Empty the Quarantine folder in Trend Micro's Housecall,
or if you can't find it, the content of C:\Documents and Settings\John\.housecall\Quarantine (if anything is left)

2. Empty the Recovery folder of Spybot S&D,
or if you can't find it, the content of C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery (if anything is left)

3. Flush your System Restore points :
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.Right-click My Computer and then click Properties.
On the Performance tab, click File System
On the Troubleshooting tab, click to select Disable System Restore
Click OK twice.
2. Restart your computer.

3. Turn on System Restore.Right-click My Computer and again click Properties
On the Performance tab, click File System
Clear the check mark in Disable System Restore check box.
[/list]And that should do it. :flowers:
-----------------

Below I have included some recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously ; these few simple steps can stave off the vast majority of spyware problems.

1. Please navigate to http://windowsupdate.microsoft.com/ on a regulare basis and download all the "critical updates" for Windows, including the latest version of Internet Explorer.
This can patch many of the security holes through which attackers can gain access to your computer.

2. In order to protect yourself better against spyware, you should consider installing and running some of the following free programs:SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE/Spyad
Places over 5000 dubious websites and domains in your IE's restricted zone.
Make sure to keep your antispyware programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed
Hopefully this should take care of your problems! Good luck

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 davieg

davieg
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 30 April 2006 - 02:14 AM

Good Morning BMThor,

I've carried out the restore and have reinstalled spywareblaster and I'm about to embark on the tutorials. I haven't quite worked out which version of IE/Spyad I need to download, but will do so after I've set up spywareblaster correctly.

Once again thanks very much for your help, there may be some nasty people :thumbsup: in the world creating these problems but it's at heartening to know there is also people like yourself around to offer a helping hand. :flowers:


All the best

davieG

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:28 AM

Posted 30 April 2006 - 04:57 PM

Glad we could help, davieG :thumbsup:

Since your problem is solved, this topic will be closed.

If you need this topic reopened, please email the moderating team -
be sure to include the address of the thread and the name you posted under.


BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users