
Infected With Ad Pop-ups, Etc. (see Explanation)


  • This topic is locked
12 replies to this topic

#1 bummed_in_southGA


Posted 17 May 2006 - 07:14 PM

I seem to have a bunch of problems that I hope at least someone in this forum can help me get rid of. As suggested I am supplying as much information as I can to help with this task, as follows:

System information: Hopefully, you can see this from my profile. It's basically an HP Pavilion a1330n running Windows XP. My personal opinion is, don't buy one! It's a real pain compared to the Dell I used to have!

User configuration Information:
As recommended by HP documentation, in addition to the "HP_Administrator" account, I set up separate User Accounts for the various people in my family who use the computer, including myself. The intent was to make these accounts "Limited" accounts to lessen the probability of infections from the Internet during normal usage according to the documentation. Making these other User accounts Limited caused continuous headaches! I finally had to change them to "Admin" type accounts in order to reduce accessibility, etc., problems. One person in the family uses the computer for college critical school work, etc., and I didn't have time to deal with all the problems. However, now I seem to be spending even more time dealing with "infection problems"!!

I am running Norton Symantec Security software. One of the problems Symantec software seemed to indicate was that I had a SpyFalcon security risk, a rebranded version of another risk, Spyaxe. I followed the SpyFalcon removal instructions in Symantec's "Security Response" article. This seemed to have no effect on any of the problems I'm experiencing. If anything, I am concerned that following these instructions may have messed the system up even more. I did not find most of the indicated "HKEY_CLASSES_ROOT" subkeys the article indicated to remove in my system's registry.

I have found that, before and after performing all the pre-HijackThis post clean-up indicated in the "Preparation Guide for use before posting a HijackThis log", that the HP_Administrator account does not have some (but not many) of the problems that the other User accounts have. Thus, below I refer to "User accounts" and the "Admin account" separately where applicable.

One of the messages that keeps floating up from an unwanted icon in the System Tray indicates my system is infected with the "worm_attck_v122.o2a" (i.e., "... the last version of internet trogan..."), and recommends downloading/installing antivirus software, which I guessed is a bogus solicitation for buying a company's security software. I did a Google search for the "worm_attck..." trojan and found this HJT Forum.

On the HJT forum I read the 'Hijack Preparation Guide...'. I have painstakingly and meticulously followed all the instructions in that guide/tutorial, including study of all the recommended software tutorials the HJT Prep guide recommends.

Now I am posting the following information.

Problems:

------------------------------------------
All accounts:
1. I can't stop pop-ups to "http://www.entertainsite.com/...". There seem to be 2 pop-ups associated with this URL:
(a) AdultFriendFinder, and
(b) ".../vc/cas/monaco1/index.html"

2. A System Tray message floats up that says,
"Urgent System Message: Virus! Your system is infected with the last version of internet trojan (worm_attck_v122.02a)." The ad recommends downloading/installing antivirus software.

3. Sometimes while logging out, a window pops up: "End-Program - ccApp.... This program is not responding"
and the "End Now" button must be clicked on to continue the logoff process.
?? ccApp: Symantec Common Client User Session ??
------------------------------------------

User accounts (but not Admin's it seems):
1. When starting "IE", a supposed "Microsoft Internet Explorer" window pops up indicating the system has a virus: "W32.Myzor.FK@wf", and includes a bunch of technical information. It recommends the user click "OK" to download "officially approved security software".

2. User accounts IE homepage is force locked to: "http://www.saftyupdate.com/".
The page solicits obtaining Anti-Spyware Software: "Pest Trap", "Malware wipe", and "Spy Guard". The page contains a bunch of advertising blah-blah with regard to getting this spyware.

3. Often, users are unable to start "IE" at all. When that happens, upon logging out, an error window comes up with:
"End-Program - SysFader.... This program is not responding"
and the user must press the "End Now" button to continue the logoff process.

4. Periodically, a complete unsolicited window pop-up appears, apparently from the site
"http://www.webtopsecurity.com", suggesting the download of 3 programs:
(a) WinAntiVirus Pro,
(b) Ad Protect, and
(c) SpyFighter.
-----------------------------------------

HP_Administrator account:
Two System Tray icons are present that cause the following 2 messages to float up, continuously and unsolicited:
1. "System Alert: Spyware Detected
System has detected 4 active spyare application that may cause your computer to crash and restart, slow it to a crawl and even shut down it entirely.
Click the icon to get rid of unwanted spyware."

2. "Your computer is infected!
Critical System Error!
System detected virus activites.
They may cause critical system failure. Please use antimalware sortware to clean and protect your system from parasite programs.
click here to get all available software."

In either of the above cases, I'm pretty sure that if I click the icon I will get an offer to buy a company's spyware removal software.

After doing every thing mentioned in the 'HijackThis Prep Guide', here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:52:58 PM, on 5/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hpA933.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar26.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (file missing)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe" -nag
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar26.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar26.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar26.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar26.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5062a7393c4c4cbe893186635289b29d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5062a7393c4c4cbe893186635289b29d
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar26.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar26.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gvtc6.blackboard.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147890466953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Edited by bummed_in_southGA, 17 May 2006 - 07:17 PM.




#2 miekiemoes

Malware Response Team

Posted 18 May 2006 - 08:23 AM

Hello,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

* Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Don't use it yet.

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hpA933.tmp
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe" -nag
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe <== not required
O15 - Trusted Zone: http://gvtc6.blackboard.com <== check this entry if you didn't add that yourself in the Trusted zone

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe

Go to start > run and type regsvr32 occache.dll
Click OK

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; I need that log afterwards.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log,
the contents of rapport.txt which is present on your Homedrive (C:\ in most cases) by using Add Reply.
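The reply above picks its Fix Checked entries by reading the HijackThis log line by line: stale "(file missing)" leftovers, a BHO that loads a .tmp file out of system32, a Run entry pointing into Downloaded Program Files, and a Trusted Zone site the user has to vouch for. As an added example (not code from this thread, from BleepingComputer, or from HijackThis itself), here is a small Python parser for the HijackThis v1.99.1 line format that applies those same checks; the sample lines are a constructed subset copied from the log posted earlier, and the rule names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of HijackThis v1.99.1 lines copied from the log
# posted earlier in this thread (a subset, not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hpA933.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe" -nag
O15 - Trusted Zone: http://gvtc6.blackboard.com
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    section: str           # HijackThis section tag, e.g. "O2", "O4", "O15"
    raw: str               # the full log line
    name: str = ""         # BHO/toolbar/service name, Run value name, or registry value
    path: str = ""         # file path or URL the entry points at
    file_missing: bool = False


@dataclass
class Finding:
    entry: Entry
    reason: str


LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.+)$")
# O4 form: <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First Windows path in a command line: either quoted, or unquoted up to a known extension.
PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|cmd|bat|tmp))(?:\s|$)', re.IGNORECASE
)
MISSING = "(file missing)"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for blank or non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    entry = Entry(section=sec, raw=line.strip())
    if sec == "O4":
        r = RUN_RE.match(rest)
        if r:
            entry.name = r.group("name")
            pm = PATH_RE.search(r.group("cmd"))
            entry.path = (pm.group(1) or pm.group(2)) if pm else r.group("cmd")
        else:  # "Global Startup: <shortcut> = <target>"
            entry.name, _, entry.path = rest.partition(" = ")
    elif sec.startswith("R"):  # R0/R1: "<key>,<value> = <url>"
        entry.name, _, entry.path = rest.partition(" = ")
    elif sec == "O15":  # "Trusted Zone: <site>"
        entry.name, _, entry.path = rest.partition(": ")
    else:  # O2/O3/O9/O23/...: "<kind>: <name> - [{CLSID} | vendor] - <path>"
        parts = rest.split(" - ")  # caveat: a path containing " - " would split too
        entry.name = parts[0].partition(": ")[2] or parts[0]
        entry.path = parts[-1]
        if entry.path.endswith(MISSING):
            entry.file_missing = True
            entry.path = entry.path[: -len(MISSING)].strip()
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the same checks the reply above used to pick entries for Fix Checked."""
    findings: List[Finding] = []
    for e in entries:
        low = e.path.lower()
        if e.file_missing:
            findings.append(Finding(e, "stale entry: target file no longer exists"))
        elif e.section in ("O2", "O3") and low.endswith(".tmp"):
            findings.append(Finding(e, "browser helper loads a .tmp file as a DLL"))
        elif e.section == "O4" and "\\downloaded program files\\" in low:
            findings.append(Finding(e, "autorun points into Downloaded Program Files"))
        elif e.section == "O15":
            findings.append(Finding(e, "Trusted Zone site: confirm the user added it"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.section:<4}{f.reason:<48}{f.entry.path}")
```

Running it against a full log is the same call with the file's contents in place of SAMPLE_LOG; the unflagged Symantec, ZoneAlarm and vendor entries pass through untouched, which is the point of reviewing the log rather than fixing everything in it.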

#3 bummed_in_southGA

Topic Starter

Posted 18 May 2006 - 08:32 PM

WOW! I am VERY impressed, aside from thrilled!!
So far so good.
Here's a couple of notes of what happened while completing your instruction today:

1. When booting in Safe Mode, 2 options were presented:
(i) "Use Windows Media Center Edition", and
(ii) "Use Recovery Console"
I picked the first (i) "Use Windows Media Center Edition"

Then, when the full Windows user logon screen came up, there was an "Administrator" User, in addition to the "HP_Administrator", which is not what I usually see under Normal boot. I picked "HP_Administrator". (I just wonder what the difference is?)

2. Under the instruction: "Clean your Cache and Cookies in IE"
I "Deleted Cookies" and "Deleted Files" using Control Panel > Internet Options > General tab (which I actually try to do on a regular basis for all accounts). However, I did not get a prompt to "Delete all offline content".

But, as a usual matter of maintenance, I went to the "Content" tab > AutoComplete Settings. I unchecked the 3 check boxes, "Web addresses", "Forms", and "User names and passwords on forms". Then I Cleared Forms and Cleared Passwords.

3. I am not running "Firefox" (SHOULD I ???), so I didn't have to do that step.

When I ran the "Smitfraudfix.cmd", Disk Cleanup (like cleanmgr) started. It hung on "calculating space to be freed" for my D:\ drive, which is my aux/backup hard drive. I "Cancelled" Disk Cleanup after it was hung for about an hour. I ended up saving 2 rapport.txt files, both of which I have included below as "rapport_1.txt" and "rapport_2.txt". It allowed me to save the files anywhere I wished so I saved them on the HP_Administrator Desktop.

SmitfraudFix did not indicate "wininet.dll" was infected, and thus I was not prompted to replace it.

SmitfraudFix did NOT cause the system to restart. So, after SmitfraudFix finished, I restarted myself, as you instructed.

4. Finally, here's the order of the log files I'm sending back to you, with many many thanks for your help and expertise:

A. The Panda ActiveScan report from "PandaActivescanRpt_051806.txt".
B. The new HijackThis Log from "hijackthis_051806_2030.txt".
C. The first SmitfraudFix report from "rapport_1.txt", and
D. The second SmitfraudFix report from "rapport_2.txt".

There they all are:

A. Panda ActiveScan report from, "PandaActivescanRpt_051806.txt":

Incident Status Location

Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\LocalService\Cookies\hp_administrator@microsofteup.112.2o7[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Warren\Local Settings\Temp\Cookies\warren@ccbill[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Warren\Local Settings\Temp\Cookies\warren@yadro[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Warren.WARRENBRACKMANN\Cookies\warren@atdmt[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Warren.WARRENBRACKMANN\Cookies\warren@tribalfusion[1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/SecurityError Not disinfected C:\Program Files\HijackThis\backups\backup-20060518-163940-594.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
----------------------------------------------------------------------------------------------------------------

B. New HijackThis Log from, "hijackthis_051806_2030.txt":

Logfile of HijackThis v1.99.1
Scan saved at 4:31:27 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hpA933.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar26.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (file missing)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe" -nag
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar26.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar26.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar26.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar26.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5062a7393c4c4cbe893186635289b29d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5062a7393c4c4cbe893186635289b29d
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar26.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar26.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gvtc6.blackboard.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147890466953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----------------------------------------------------------------------------------------------------------------

C. First SmitfraudFix report from "rapport_1.txt":

SmitFraudFix v2.45

Scan done at 18:22:45.10, Thu 05/18/2006
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\appmagr.dll Deleted
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\HP_ADM~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End
----------------------------------------------------------------------------------------------------------------

D. Second SmitfraudFix report from "rapport_2.txt":

SmitFraudFix v2.45

Scan done at 18:39:36.67, Thu 05/18/2006
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 May 2006 - 08:45 PM

Hello,

Can you post a HijackThis log made in normal mode, please? The one you posted was made from safe mode. :thumbsup:

Also delete the next file:

C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 bummed_in_southGA

bummed_in_southGA
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 19 May 2006 - 01:12 PM

Hi again miekiemoes!

I deleted the file,

C:\Documents and Settings\All Users\Desktop\Online Security Guide.url

as you instructed.

Sorry if I missed the fact that I should have run HijackThis in Normal mode! It was a little nuts here yesterday evening. I was trying to concentrate, but it was hard to....

I'm not sure if you do this stuff on the weekend, but I may not be able to get back to you until tomorrow (Saturday) sometime. I want to be as responsive as possible and I really appreciate what you are doing for me!!!

Here's the HijackThis log I just saved from running HijackThis in Normal mode at 05/19/06, 1:54 pm:

Logfile of HijackThis v1.99.1
Scan saved at 1:54:22 PM, on 5/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar26.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar26.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar26.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar26.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar26.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5062a7393c4c4cbe893186635289b29d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5062a7393c4c4cbe893186635289b29d
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar26.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar26.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gvtc6.blackboard.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ab?1147890466953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by bummed_in_southGA, 19 May 2006 - 01:13 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 May 2006 - 01:22 PM

Hello,

I see a clean HijackThis log here...
Do you still get that System Tray message floating up? In case you do, perform the following:

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #4 - Generic Renos Fix by typing 4 and pressing Enter.
The program will scan and fix the Registry and delete corresponding infected files on your computer, please be patient while it works.
The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Please post that log in your next reply.
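An added example, not from this thread, HijackThis or SmitfraudFix: a small Python parser for HijackThis 1.99.1 logs of the shape posted above, which flags the kind of entries that SmitfraudFix removed here (a BHO named "Nothing" loading a .tmp file from system32, plus leftover "(file missing)" entries) and diffs the safe-mode log against the normal-mode one to show what disappeared. The embedded excerpts are cut from the two logs in this thread; the flagging rules are my own heuristics and prove nothing by themselves.

```python
"""Parse, flag and diff HijackThis logs (example code, not the tool's own)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines of interest look like "O2 - BHO: <name> - {CLSID} - <path>".
# Header lines and the "Running processes:" path list do not match.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "R1", "O2", "O4", "O16"
    body: str      # everything after "<section> - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the R*/O* entries of a HijackThis log, in log order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


# Review heuristics (assumptions of this example, modelled on what the
# thread's logs showed). A hit means "look at this", not "infected".
SUSPECT_RULES = [
    ("BHO with placeholder name",
     lambda e: e.section == "O2" and e.body.startswith("BHO: Nothing")),
    ("module loaded from a .tmp file",
     lambda e: re.search(r"\.tmp\b", e.body, re.IGNORECASE) is not None),
    ("entry points at a file that no longer exists",
     lambda e: "(file missing)" in e.body),
]


def flag_entries(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Pair each rule name with every entry it fires on."""
    hits = []
    for entry in entries:
        for reason, rule in SUSPECT_RULES:
            if rule(entry):
                hits.append((reason, entry))
    return hits


def removed_between(before_text: str, after_text: str) -> list[Entry]:
    """Entries present in the earlier log but absent from the later one."""
    after = set(parse_hjt(after_text))
    return [e for e in parse_hjt(before_text) if e not in after]


# Constructed excerpt of the safe-mode log posted on 18 May 2006.
SAFE_MODE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:31:27 PM, on 5/18/2006
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hpA933.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Constructed excerpt of the normal-mode log posted on 19 May 2006,
# after SmitfraudFix had deleted C:\WINDOWS\system32\hp????.tmp.
NORMAL_MODE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:54:22 PM, on 5/19/2006
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


if __name__ == "__main__":
    print("Entries worth reviewing in the safe-mode log:")
    for reason, entry in flag_entries(parse_hjt(SAFE_MODE_LOG)):
        print(f"  [{reason}] {entry.section} - {entry.body}")
    print("Entries gone from the normal-mode log:")
    for entry in removed_between(SAFE_MODE_LOG, NORMAL_MODE_LOG):
        print(f"  {entry.section} - {entry.body}")
```

To use it on real logs, read the two saved .txt files and pass their contents in place of the embedded excerpts.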

#7 bummed_in_southGA

bummed_in_southGA
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 21 May 2006 - 12:20 PM

Hey there miekiemoes!
Sorry for the delay in getting back to you.... "stuff"...

Thanks again for continuing with me!

It appears that the messages have stopped floating up from the System Tray thanks to following your instructions for cleaning, etc. In fact, things seem fairly healthy, except for what I mention below.

I ran SmitfraudFix's "Generic Renos Fix" even though I'm not experiencing the floating-up messages because, from your description of what to do, it sounded like it might be good "just-in-case" insurance. I sure hope that was a good assumption! :|

ccApp:
There is one thing that does still happen at random times. Upon logging off (for any user), the error window "Application Not Responding" comes up naming "ccApp" as that application. I'm not sure if this affects anything or causes any problems, but it doesn't seem like something that should be happening.
Note, however, that the ccApp thing has been happening for a long time - way before the recent problems appeared, which you've helped me with over the past few days.

Modem Data Traffic Light Blinking:
The cable modem Data Traffic Light continuously blinks at a rate of about 2 Hz, irrespective of running in Safe Mode or Normal Mode, which (if any) User is logged on, AND whether the PC is POWERED ON or OFF. I unplugged the 10baseT cable and powered the modem off and back on, then reconnected the 10baseT cable, but it's still blinking at 2 Hz (except when expected data is being exchanged). This is a new thing, but now that I see it's blinking even when the PC is powered off, I'm thinking it's related to something on the ISP end.

I have a couple of other questions, which you may, or may not, be able to help me with, or answer, but I'll save those for the point at which you declare my system "healthy". :thumbsup:

I notice that the SmitfraudFix program recommends running option #4 in safe mode. So I did. :|
Please note that I NEVER have anything else running except what you instruct, including IE, when doing all this stuff.

When the Generic Renos Fix scan finished, I saved the report to the HP_Administrator's Desktop and exited by typing Q and Enter. I then rebooted in Normal Mode.

Smitfraudfix, "option #4 - Generic Renos Fix" (just in case ) execution report log:
(Note that, after typing 4 and Enter at the prompt, the scan finished immediately, reporting:
"Scan done at 11:50.92, Sun 05/21/2006 ...
!!!Attention, following keys are not inevitably infected!!!...",
as you'll see in the report, which now follows):

----------------------------------------------------------------------------

SmitFraudFix v2.45

Scan done at 11:50:56.92, Sun 05/21/2006
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Before GenericRenosFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» GenericRenosFix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» After GenericRenosFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
--------------------------------------------------------------------------------

(Don't they mean "evidently infected" instead of "inevitably infected"?)

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:47 AM

Posted 21 May 2006 - 01:18 PM

Well, your system is clean again... :thumbsup:

Concerning the ccApp, this is your norton antivirus. Most probably something got corrupted in there or there's an incompatibility problem with some other piece of software installed on your system (common issue with norton), so I recommend you reinstall Norton here.
In case the problem still exists, I recommend uninstalling Norton (because it must be an incompatibility issue in that case) and installing another antivirus. You can find FREE good antivirus in my signature. Never install more than one antivirus scanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!

Concerning your second 'issue', your Modem light blinking all the time.. really don't worry about that, this is totally normal. Even when your pc is off, it will still blink. I have the same here. :flowers:
Take a look here for more explanation:
http://www.cable-modems.org/q&a/index.php?one_question=55
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 bummed_in_southGA

bummed_in_southGA
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 PM

Posted 24 May 2006 - 02:07 PM

Dear miekiemoes,

I am mesmerized and EXTREMELY grateful for what you've done for me!! I must make a donation to
BleepingComputer for your help and work. Any donation I have the means to make cannot come close to
the value of your assistance!! Although it looks like there are many knowledgeable malware forum participants and assistance providers "out there", you have addressed my specific issues in an unbelievably expedient and efficient manner, have resolved my bad situation and made my life so much easier. I am so very grateful to you!! :huh:

If I see correctly, you now have a new 6th blue box under your "Malware Slayer" title. Congratulations!! From my perspective, you are totally deserving of it. You have thousands of posts!! And you are totally responsive. I sure hope the extra blue box comes with a monetary award too.

At this point, I'm wondering that, if I wish to communicate with you further (which I really would like to), I should at least use the "Send a Personal Message" feature in Bleeping Computer. Please let me know if that is correct and if it is okay with you.

I suppose it's like being famous, however, since you are so good at what you do and you help so many people. It may just be impractical for you communicate beyond the "Malware Slayer" role with everyone who would like to do so. But I have definitely digressed (and "off-topic")!

Concerning the blinking modem light issue... It is impressive you have knowledge of the issue and references regarding it. What I see makes sense since I know a little bit about broadcast and token passing protocols. It's just that the blinking light behavior is new since we've been fixing my problems. Previously, the modem did not do this, but it certainly seems like nothing to worry about.

ccApp and Norton Antivirus:
I will do what you have suggested, at least as far as the uninstalling Norton part is concerned. This Norton Symantec Security Software has been one of my big headaches ever since I plugged the PC in for the first time back in January. I have spent days trying to figure out why I couldn't fix some malfunctions with the software and their tech support sucked. I received some information from their tech support in several emails that were difficult to understand and potentially might have negatively affected my PC even more! Their "information" webpage articles are inaccurate too.

When I read through some of the material you provide references to, I see little, if any, information or recommendations for Norton antivirus or other security software!! If I read between the lines correctly, including an explicit suggestion from you "to install another antivirus" program if uninstalling/reinstalling Norton does not fix the ccApp issue, I am guessing that the Norton software is, at best, not in the top running for any "Security Suite", antivirus or anti-spyware malware/software. Can you possibly comment on this without violating some policy or ethics you are bound by?

Other Information:
I looked at the sites you list in your BleepingComputer Profile Signature, and most link to basically the same site, http://users.telenet.be/bluepatchy/miekiemoes/Links.html

There is a myriad of software and information there!!! There's enough "bedtime reading" there to keep me going for a long time, and maybe even forgo the use of Ambien.

You know, your average computer USER really doesn't have the time or the wherewithal to read and understand all of that information, wonderful as it is. I do, however, think every user should take responsibility for their own "security", etc., and complaining about the amount of work and study it takes is more or less "whining". However, in the short term, since I have turned out to be just a "user" (as opposed to what I used to be - data communications and trusted networks specialist and software designer - "the old days" version), I need, and am looking for, something to get me properly set-up and launched for the short-term. This apparently would include ditching Norton also, if I read between the lines correctly.

The basic issue of being presented with so many options (something like Standards) is knowing exactly which of the options to pick since they all have some kinds of variances. :huh: Another confusion is, there's "Freeware" and there's "Shareware". I used to think I knew the difference, but now it seems the lines between the 2 categories are kind of fuzzy. ???
http://www.why-not.com/software/ware.htm ???

I think there is a link, via your Signature references, linking to a page that kind of does address my short-term/immediate needs. It is under the bullet, "So how did I get Infected in the first place?", with the URL,

http://forums.spywareinfo.com/index.php?showtopic=60955

This points to an article written by "TonyKlein", which includes 10 steps for "tightening security". Am I correct in thinking this article is a good place to start? Or, should I continue to "wish" for YOU to tell me exactly everything to do????? (heeheehee)

One REALLY good thing in TonyKlein's article is that he indicates the types of security software that can run at the same time (in conjunction) with each other and ones that can't, especially with regard to Firewall and Anti-Virus programs.

Since I've already purchased Norton (Symantec) Anti-Virus, and it does not seem to be at the top of the popular list, I'd really prefer to obtain an anti-virus program that is free, at least until next March when the Norton subscription runs out. Actually, I would like nothing better than to get rid of Norton!! :thumbsup:

TonyKlein mentions AVG in his anti-virus suggestions. I see it is at the top of the list on the page you reference and I've heard others speak well of AVG. ??????? (Are your referenced lists in any "preferred" order?)

Through working with you, I now seem to have ZoneAlarm as a firewall, but the free version I have is only a 15 day trial. There's a ZoneAlarm window that pops up (sometimes) when users log-in that requires the user to pick one of 3 options. One of the options is to "continue" with the trial version, another is to buy ZoneAlarm. If ZoneAlarm is indeed the best (it comes first in TonyKlein's list, and yours) and I need to purchase it, I certainly don't mind.

I think I understand the idea of a particular firewall's ability to filter both incoming AND outgoing IP packets as opposed to just incoming. So which firewall is the best????

I was going to ask you if SpyBlaster, which I stumbled across when getting Spybot S&D, is good software to have running, but it looks like TonyKlein has answered that question with an affirmative.

I had TeaTimer, which comes along with Spybot S&D, running in the background until you suggested I turn it off to complete a particular cleaning exercise. I have not turned it back on yet, partly due to a little glitch it had when it popped up from the System Tray asking to Allow or Deny something.

The glitch was that the Allow and Deny buttons were mostly obscured in its pop-up window such that I could not make out which button was which. I simply learned from trying it which button was the Allow. Thus, I'm fairly sure I denied some things that should have been allowed and vice versa. :) I'm not sure if we rectified any mistakes on my part there during the subsequent cleaning process.?????

I am not sure about TeaTimer if it has that glitch???

My FINAL QUESTION: :huh:
The HP System Admin documentation that came with my PC recommends that regular everyday users who will use the PC to surf the Internet and use installed programs, etc., be setup with "Limited User" accounts, including me (the owner and supposed Administrator). The documentation recommends that I only use the HP_Administrator account for specific system administration, maintenance, program installs or removals, etc., and that I create and use another "Limited User" account for normal everyday use. The intent here supposedly has several objectives. 1) to lessen the probability that some malware might get "installed" on the system since "Limited Users" cannot install software, and 2) to protect each user's files from view and access by other users.

Well, having "Limited" user accounts caused me even more headaches!! :flowers: So, I changed all user accounts to Administrator level accounts. I'm not sure if this was/is a good thing or not.???? Can you possibly please comment on this, and if possible and if you think "Limited" user accounts are a good idea, can you help me with the user usage and program access headaches I experienced (or point me to some real information that could help me out)??????

That pretty well covers everything at this point. Hopefully, you don't have to use my questions here as bedtime reading yourself. In any case, I truly appreciate all the help, time, energy and knowledge you've given me thus far and I regard you as a top-notch "Malware Slayer"!!! :huh: :o :huh:

Thanks so much!!
:)

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:47 AM

Posted 24 May 2006 - 03:04 PM

Hello,

Let's answer your questions. :thumbsup:

This Norton Symantec Security Software has been one of my big headaches ever since I plugged the PC in for the first time back in January

When I read through some of the material you provide references to, I see little, if any, information or recommendations for Norton antivirus or other security software!! If I read between the lines correctly, including an explicit suggestion from you "to install another antivirus" program if uninstalling/reinstalling Norton does not fix the ccApp issue, I am guessing that the Norton software is, at best, not in the top running for any "Security Suite", antivirus or anti-spyware malware/software. Can you possibly comment on this without violating some policy or ethics you are bound by?


Norton isn't a bad program, but on some systems, it just doesn't work right. This is mainly because it has so many features/settings and you have to configure every setting to make it properly work with your system, because Norton can have a lot of incompatibility problems with other software installed as well.
So actually, imho, Norton is for advanced users who know a lot about their system and know how to configure everything properly. Yes, it already caused a lot of headaches. As you see on the Symantec site under support - the list of problems with Norton is huge, just because people don't know how to configure it properly.

Another known issue with norton is - uninstalling and reinstalling. Some people are glad they can properly uninstall it - but it happens a lot that Norton won't properly uninstall either. That's why next article may become very handy in case you have the same problem:
http://basconotw.mvps.org/SymRem.htm

And that's also one of the reasons why I prefer another Security Suite instead. - but as I said, this is a personal view.
I am using Kaspersky Internet Security right now. This one has a lot of features in one, easy to understand and very powerful. But it's no freeware - and that answers your next question. Freeware is - for free - always. Shareware means, you can use it for free, but after a certain amount of time (mostly 30 days), you have to buy it. This is a trial you had before. So when the trial expired, the software won't update anymore, loses some functions etc etc... unless you buy it. Also read here:
http://en.wikipedia.org/wiki/Shareware

And as you already noticed, there are also a lot of Antivirus scanners which are freeware. AVG and Avira are good ones. I've been testing Avira lately and I was quite impressed by the amount of malware it found.
So if you decide to install a free Antivirus, you can decide anytime to uninstall it and to install another one to try. Just choose the one you like the best and easiest to configure.

This points to an article written by "TonyKlein", which includes 10 steps for "tightening security". Am I correct in thinking this article is a good place to start?


It sure is. :flowers:

Through working with you, I now seem to have ZoneAlarm as a firewall, but the free version I have is only a 15 day trial. There's a ZoneAlarm window that pops up (sometimes) when users log-in that requires the user to pick one of 3 options. One of the options is to "continue" with the trial version, another is to buy ZoneAlarm. If ZoneAlarm is indeed the best (it comes first in TonyKlein's list, and yours) and I need to purchase it, I certainly don't mind.


Most probably you installed zonealarm and selected the pro version during install. That is a trial as well, but now fully functional with extra options. After the 15 days, it will revert to the free version, losing some functions.
You can also see here what's the difference between the zonelab products:
http://www.zonelabs.com/store/content/comp...?dc=12bms&ctry=
As you see, the free version is only the firewall.
And yes, the Free version of zonealarm suffices for your next concern:

I think I understand the idea of a particular firewall's ability to filter both incoming AND outgoing IP packets as opposed to just incoming. So which firewall is the best????


I've been using Kerio firewall as well and I liked it a lot. When you first install it, you'll get the pro version (same as with Zonealarm), but after an amount of time, it reverts to the freeware version with less options, but still powerful.

I was going to ask you if SpyBlaster, which I stumbled across when getting Spybot S&D, is good software to have running, but it looks like TonyKlein has answered that question with an affirmative.


Yes, spywareblaster is a nice addition. It isn't really a spyware scanner, because it doesn't detect and remove spyware/malware, but it prevents it being installed. You won't see it running in the background either, because it works in a different way. It adds a sort of killbits in the registry to block bad activeX while surfing.
Also read here for more info: http://www.bleepingcomputer.com/tutorials/use-spywareblaster-to-protect-your-computer/

I had TeaTimer, which comes along with Spybot S&D, running in the background until you suggested I turn it off to complete a particular cleaning exercise. I have not turned it back on yet, partly due to a little glitch it had when it popped up from the System Tray asking to Allow or Deny something.

The glitch was that the Allow and Deny buttons were mostly obscured in its pop-up window such that I could not make out which button was which. I simply learned from trying it which button was the Allow. Thus, I'm fairly sure I denied some things that should have been allowed and vice versa.


If you don't remember what has been set, if you allowed it or denied it - you can reset it again. In one of my first replies, I gave you the resetteatimer.bat. This one resets everything being remembered in the program before.

"Limited" user accounts are a good idea, can you help me with the user usage and program access headaches I experienced (or point me to some real information that could help me out)??????


Yes, limited user accounts are indeed a good idea for the reasons you already gave. Take a look at the next article which explains everything in detail and how to set it up properly - or how to run your system with reduced privileges:
http://cybercoyote.org/security/not-admin.shtml

I hope I could answer all your questions. :huh:
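The kill-bit mechanism described above can be audited offline. The following is an added example (not code from the thread or from SpywareBlaster): it parses a constructed .reg export of the "ActiveX Compatibility" key and reports which CLSIDs actually carry Microsoft's documented kill bit (0x400 in "Compatibility Flags"); the CLSIDs in the sample are placeholders, not real controls.

```python
import re
from typing import Dict, List

# Microsoft's documented kill bit: bit 0x400 of "Compatibility Flags" tells
# Internet Explorer never to instantiate the control with that CLSID.
KILL_BIT = 0x400

# Constructed sample .reg export (the CLSIDs are made-up placeholders).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{55555555-6666-7777-8888-999999999999}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Some Other Key]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000401
"""

# Key line for one CLSID under ActiveX Compatibility; the CLSID is captured.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$"
)
# The dword value line; the hex digits are captured.
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text: str) -> Dict[str, int]:
    """Map each CLSID under ActiveX Compatibility to its Compatibility Flags."""
    flags: Dict[str, int] = {}
    current = None  # CLSID of the key we are currently inside, if any
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)  # key present, value may follow
            continue
        if line.startswith("["):
            current = None  # some other key: ignore its values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bitted(flags: Dict[str, int]) -> List[str]:
    """CLSIDs whose flags include the kill bit (other bits may also be set)."""
    return sorted(clsid for clsid, value in flags.items() if value & KILL_BIT)


def missing_kill_bit(flags: Dict[str, int], expected: List[str]) -> List[str]:
    """CLSIDs a blocklist claims to cover but which are not actually blocked."""
    blocked = set(kill_bitted(flags))
    return sorted(c.upper() for c in expected if c.upper() not in blocked)


if __name__ == "__main__":
    parsed = parse_compat_flags(SAMPLE_REG)
    print("kill-bitted:", kill_bitted(parsed))
    print("not blocked:", missing_kill_bit(parsed, list(parsed)))
```

On a real machine the same parser can be run over the output of `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg`, which is how a defender would confirm that a blocklist tool has actually applied its entries.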

#11 bummed_in_southGA

bummed_in_southGA
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 PM

Posted 25 May 2006 - 12:34 PM

Hi again miekiemoes!

You are unbelievable ("imho")!! :thumbsup: You go above and beyond what the BleepingComputer "board" sets as user expectations! Plus, I'm sure I have stretched their recommended usage of the forum by combining topics/questions that should really have separate threads. I am totally grateful for your tolerance!!

Thank you for the pointers to the detailed information I need.
(I apologize for forgetting about the TeaTimer reset .bat file. :flowers: I DO remember that there is direction on how to turn it back on again.)

Yes. You have very thoroughly answered all my questions and whining - except for one :huh: :

"At this point, I'm wondering that, if I wish to communicate with you further (which I really would like to), I should at least use the "Send a Personal Message" feature in Bleeping Computer. Please let me know if that is correct and if it is okay with you." (despite your fame and expertise level)

Note that I would not be offended or anything if you answer with a negative. In either case, I will continue to read and learn from the URL pointers you have given me during this exercise.

A short partial rationale (besides having the notion that you are a very nice person):
Years ago (approx. 1988), I worked with a PhD. researching Trusted Networks and Computer Systems Security ("Orange Book" and "Red Book", if I recall correctly) for the Canadian Department of Defense. Despite my whining, I guess my past exposure to, along with this latest experience, and the myriad of threats and information out there, has again sparked my interest in the subject. Whether I like it or not, my mind is pushing me to absorb and organize the current state of all this stuff. I would love to have a contact for a brief consult or two, wishing little or no extra effort on your part.

Regardless, I will try to keep things "clean" and "healthy", which should hopefully reduce the probability of needing to frantically request help from this forum - thanks to you :huh: !

Many grateful regards!
w. :huh:

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:47 AM

Posted 25 May 2006 - 12:52 PM

"At this point, I'm wondering that, if I wish to communicate with you further (which I really would like to), I should at least use the "Send a Personal Message" feature in Bleeping Computer. Please let me know if that is correct and if it is okay with you." (despite your fame and expertise level)


That's ok for me... and thank you for the kind words. :thumbsup:

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:47 AM

Posted 25 May 2006 - 05:55 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.