Sysprotect And Other Ad/spyware


  • This topic is locked
16 replies to this topic

#1 aznliu

aznliu

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Location:Missouri
  • Local time:03:32 PM

Posted 29 June 2006 - 11:48 AM

My first time doing this, so bear with me.

Problem:
Being stupid, I clicked on something I shouldn't have. So now I have so-called "anti-virus" programs trying to get me to download them. I believe I have gotten rid of one (Spywarequake), but I'm not positive if everything is cleared. The spywares I know I have are Sysprotect, Winantivirus, a trojan maybe, virtumonde, easyerror, purityscan, and coolwebsearch. I ran Xoftspy and it caught and "fixed" some things. But of course they keep popping up.

Please help.

Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:18 AM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\spy removal stuff\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O20 - AppInit_DLLs: spoolsv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:10:32 PM

Posted 01 July 2006 - 08:10 AM

Hey there aznliu, welcome to BleepingComputer.

Please go to the folder which contains Hijackthis (spy removal stuff) and please rename hijackthis.exe to analyse.exe and post a new Hijackthis log using the newly named program.

David

#3 aznliu


Posted 05 July 2006 - 09:18 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:16:08 AM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Documents and Settings\HP_Administrator\Desktop\spy removal stuff\analyse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {719A2B9F-1236-4138-9343-D4C35BEF3142} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O20 - AppInit_DLLs: spoolsv.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 -David-


Posted 05 July 2006 - 01:55 PM

Hey there aznliu,
It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


* Please run the uninstaller by using the tutorial found here:
http://www.outerinfo.com/howto.html
Then Reboot! (v.important)

* Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
  • Copy and paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\mljgh.dll
    • C:\WINDOWS\system32\hgjlm.*
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
David

#5 aznliu


Posted 06 July 2006 - 10:59 AM

VundoFix V5.0.0

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.6

Scan started at 10:50:03 AM 7/6/2006

Listing files found while scanning....

C:\windows\system32\mljgh.dll
C:\windows\system32\hgjlm.ini
C:\windows\system32\hgjlm.bak1
C:\windows\system32\hgjlm.bak2
C:\windows\system32\hgjlm.ini2
C:\windows\system32\hgjlm.tmp
C:\windows\system32\mljjkjk.dll
Attempting to delete C:\windows\system32\mljgh.dll
C:\windows\system32\mljgh.dll Could not be deleted.

Attempting to delete C:\windows\system32\hgjlm.ini
C:\windows\system32\hgjlm.ini Has been deleted!

Attempting to delete C:\windows\system32\hgjlm.bak1
C:\windows\system32\hgjlm.bak1 Has been deleted!

Attempting to delete C:\windows\system32\hgjlm.bak2
C:\windows\system32\hgjlm.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hgjlm.ini2
C:\windows\system32\hgjlm.ini2 Has been deleted!

Attempting to delete C:\windows\system32\hgjlm.tmp
C:\windows\system32\hgjlm.tmp Has been deleted!

Attempting to delete C:\windows\system32\mljjkjk.dll
C:\windows\system32\mljjkjk.dll Has been deleted!

Attempting to delete C:\windows\system32\mljgh.dll
C:\windows\system32\mljgh.dll Could not be deleted.

Attempting to delete C:\windows\system32\mljgh.dll
C:\windows\system32\mljgh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 10:57:45 AM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\spy removal stuff\analyse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DDA9FDC0-3299-47DB-B539-678F0EA5ADF8} - C:\WINDOWS\system32\mljgh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O20 - AppInit_DLLs: spoolsv.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
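
An added example (not part of the thread, and not the internal logic of HijackThis or VundoFix): the logs in posts #3 and #5 list the same DLL both as a nameless BHO and as a Winlogon Notify entry, with a different CLSID in each log. The Python below correlates entries by DLL path instead of CLSID; the function names are hypothetical and the sample lines are excerpted from the logs in this thread.

```python
import re

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O20 Winlogon Notify lines: "O20 - Winlogon Notify: <key> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")

# Excerpts from the HijackThis logs in this thread (posts #3, #5 and #7).
LOG_5_JULY = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {719A2B9F-1236-4138-9343-D4C35BEF3142} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - AppInit_DLLs: spoolsv.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
LOG_6_JULY = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DDA9FDC0-3299-47DB-B539-678F0EA5ADF8} - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
LOG_11_JULY = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""


def _norm(path):
    """Lower-case a path and drop HijackThis's '(file missing)' suffix."""
    path = path.strip()
    suffix = "(file missing)"
    if path.endswith(suffix):
        path = path[:-len(suffix)].strip()
    return path.lower()


def parse(log):
    """Return (bhos, notify) lists parsed from the O2 and O20 lines of a log."""
    bhos, notify = [], []
    for line in log.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(),
                         "path": _norm(m["path"])})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify.append({"key": m["key"], "path": _norm(m["path"])})
    return bhos, notify


def nameless_bho_with_notify(log):
    """Flag '(no name)' BHOs whose DLL is also a Winlogon Notify package.

    Assumed heuristic for illustration; legitimate software rarely registers
    one DLL in both places without a display name.
    """
    bhos, notify = parse(log)
    notify_by_path = {n["path"]: n["key"] for n in notify}
    return [
        {"clsid": b["clsid"], "path": b["path"],
         "notify_key": notify_by_path[b["path"]]}
        for b in bhos
        if b["name"] == "(no name)" and b["path"] in notify_by_path
    ]


def clsid_drift(old_log, new_log):
    """Map DLL path -> (old CLSID, new CLSID) where the CLSID changed."""
    old = {b["path"]: b["clsid"] for b in parse(old_log)[0]}
    new = {b["path"]: b["clsid"] for b in parse(new_log)[0]}
    return {p: (old[p], new[p])
            for p in old.keys() & new.keys() if old[p] != new[p]}


if __name__ == "__main__":
    for label, log in (("5 July", LOG_5_JULY), ("6 July", LOG_6_JULY),
                       ("11 July", LOG_11_JULY)):
        print(label, nameless_bho_with_notify(log))
    print("CLSID drift:", clsid_drift(LOG_5_JULY, LOG_6_JULY))
```

Because the CLSID differs between the two logs while the DLL path stays the same, a check keyed on the CLSID alone would treat the second log's entry as new.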

#6 -David-


Posted 07 July 2006 - 03:02 PM

Hey there aznliu,

Please download VirtumundoBeGone from:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Reboot your System
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

VirtumundoBeGone generates a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here together with a new HijackThis log.

David

#7 aznliu


Posted 11 July 2006 - 10:48 AM

[07/11/2006, 10:35:13] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[07/11/2006, 10:35:22] - Detected System Information:
[07/11/2006, 10:35:22] - Windows Version: 5.1.2600, Service Pack 2
[07/11/2006, 10:35:22] - Current Username: HP_Administrator (Admin)
[07/11/2006, 10:35:22] - Windows is in NORMAL mode.
[07/11/2006, 10:35:22] - Searching for Browser Helper Objects:
[07/11/2006, 10:35:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/11/2006, 10:35:22] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/11/2006, 10:35:22] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/11/2006, 10:35:22] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/11/2006, 10:35:22] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[07/11/2006, 10:35:22] - BHO 6: {C1B27B38-E924-4F5F-AC70-44EEE63989FC} ()
[07/11/2006, 10:35:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/11/2006, 10:35:22] - Checking for HKLM\...\Winlogon\Notify\mljgh
[07/11/2006, 10:35:22] - Found: HKLM\...\Winlogon\Notify\mljgh - This is probably Virtumundo.
[07/11/2006, 10:35:22] - Assigning {C1B27B38-E924-4F5F-AC70-44EEE63989FC} MSEvents Object
[07/11/2006, 10:35:22] - BHO list has been changed! Starting over...
[07/11/2006, 10:35:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/11/2006, 10:35:23] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/11/2006, 10:35:23] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/11/2006, 10:35:23] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/11/2006, 10:35:23] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[07/11/2006, 10:35:23] - BHO 6: {C1B27B38-E924-4F5F-AC70-44EEE63989FC} (MSEvents Object)
[07/11/2006, 10:35:23] - ALERT: Found MSEvents Object!
[07/11/2006, 10:35:23] - Finished Searching Browser Helper Objects
[07/11/2006, 10:35:23] - *** Detected MSEvents Object
[07/11/2006, 10:35:23] - Trying to remove MSEvents Object...
[07/11/2006, 10:35:24] - Terminating Process: IEXPLORE.EXE
[07/11/2006, 10:35:24] - Terminating Process: RUNDLL32.EXE
[07/11/2006, 10:35:24] - Disabling Automatic Shell Restart
[07/11/2006, 10:35:24] - Terminating Process: EXPLORER.EXE
[07/11/2006, 10:35:24] - Suspending the NT Session Manager System Service
[07/11/2006, 10:35:24] - Terminating Windows NT Logon/Logoff Manager

[07/11/2006, 10:37:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[07/11/2006, 10:37:47] - Detected System Information:
[07/11/2006, 10:37:47] - Windows Version: 5.1.2600, Service Pack 2
[07/11/2006, 10:37:47] - Current Username: HP_Administrator (Admin)
[07/11/2006, 10:37:48] - Windows is in NORMAL mode.
[07/11/2006, 10:37:48] - Searching for Browser Helper Objects:
[07/11/2006, 10:37:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/11/2006, 10:37:48] - BHO 2: {22AB92D6-B8AC-4787-8669-C7C07D84F90F} ()
[07/11/2006, 10:37:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/11/2006, 10:37:48] - Checking for HKLM\...\Winlogon\Notify\mljgh
[07/11/2006, 10:37:48] - Found: HKLM\...\Winlogon\Notify\mljgh - This is probably Virtumundo.
[07/11/2006, 10:37:48] - Assigning {22AB92D6-B8AC-4787-8669-C7C07D84F90F} MSEvents Object
[07/11/2006, 10:37:48] - BHO list has been changed! Starting over...
[07/11/2006, 10:37:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/11/2006, 10:37:48] - BHO 2: {22AB92D6-B8AC-4787-8669-C7C07D84F90F} (MSEvents Object)
[07/11/2006, 10:37:48] - ALERT: Found MSEvents Object!
[07/11/2006, 10:37:48] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/11/2006, 10:37:48] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/11/2006, 10:37:48] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/11/2006, 10:37:48] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[07/11/2006, 10:37:48] - Finished Searching Browser Helper Objects
[07/11/2006, 10:37:48] - *** Detected MSEvents Object
[07/11/2006, 10:37:48] - Trying to remove MSEvents Object...
[07/11/2006, 10:37:49] - Terminating Process: IEXPLORE.EXE
[07/11/2006, 10:37:49] - Terminating Process: RUNDLL32.EXE
[07/11/2006, 10:37:49] - Disabling Automatic Shell Restart
[07/11/2006, 10:37:49] - Terminating Process: EXPLORER.EXE
[07/11/2006, 10:37:50] - Suspending the NT Session Manager System Service
[07/11/2006, 10:37:50] - Terminating Windows NT Logon/Logoff Manager
[07/11/2006, 10:43:18] - Re-enabling Automatic Shell Restart
[07/11/2006, 10:43:18] - File to disable: C:\WINDOWS\system32\mljgh.dll
[07/11/2006, 10:43:18] - Renaming C:\WINDOWS\system32\mljgh.dll -> C:\WINDOWS\system32\mljgh.dll.vir
[07/11/2006, 10:43:18] - File successfully renamed!
[07/11/2006, 10:43:18] - Removing HKLM\...\Browser Helper Objects\{22AB92D6-B8AC-4787-8669-C7C07D84F90F}
[07/11/2006, 10:43:18] - Removing HKCR\CLSID\{22AB92D6-B8AC-4787-8669-C7C07D84F90F}
[07/11/2006, 10:43:18] - Adding Kill Bit for ActiveX for GUID: {22AB92D6-B8AC-4787-8669-C7C07D84F90F}
[07/11/2006, 10:43:19] - Deleting ATLEvents/MSEvents Registry entries
[07/11/2006, 10:43:19] - Removing HKLM\...\Winlogon\Notify\mljgh
[07/11/2006, 10:43:19] - Searching for Browser Helper Objects:
[07/11/2006, 10:43:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/11/2006, 10:43:19] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/11/2006, 10:43:19] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/11/2006, 10:43:19] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/11/2006, 10:43:19] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[07/11/2006, 10:43:19] - Finished Searching Browser Helper Objects
[07/11/2006, 10:43:19] - Finishing up...
[07/11/2006, 10:43:19] - A restart is needed.
[07/11/2006, 10:43:35] - Attempting to Restart via STOP error (Blue Screen!)

Logfile of HijackThis v1.99.1
Scan saved at 10:47:22 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1145484900\ee\AOLSoftware.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\spy removal stuff\analyse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145484900\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O20 - AppInit_DLLs: spoolsv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 -David-

Posted 11 July 2006 - 10:58 AM

Great aznliu,

As with all malware like this, it never comes alone and there are probably infected files left on your computer. Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply by using Add Reply, along with a new HijackThis log.

David

#9 aznliu

Posted 12 July 2006 - 10:48 AM

The computer I am on is not allowing the Panda Scan to complete its download. Is there another way for me to download the Panda Scan?

Thanks

#10 -David-

Posted 12 July 2006 - 04:17 PM

Hey there,

No worries about Panda scan, many people are having this problem.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
David

#11 aznliu

Posted 13 July 2006 - 02:20 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 13, 2006 2:18:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/07/2006
Kaspersky Anti-Virus database records: 207126
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 64398
Number of viruses found: 16
Number of infected objects: 48 / 0
Number of suspicious objects: 12
Duration of the scan process: 00:50:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-07-13_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Desktop\backups\backup-20060627-173920-231.dll.tcf Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Documents and Settings\HP_Administrator\Desktop\spy removal stuff\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\HP_Administrator\Desktop\spy removal stuff\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\firefox.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\firefox.exe NSIS: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\winC5.tmp.exe Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll Infected: not-a-virus:AdWare.Win32.Softomate.p skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\03B33ABC Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\03CD0A9F/[From 0007760949@mail1.edataalliance.com][Date Wed, 10 May 2006 15:52:20 -0700]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\03CD0A9F/[From 0007760949@mail1.edataalliance.com][Date Wed, 10 May 2006 15:52:20 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\03CD0A9F Mail: suspicious - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\03CD0A9F CryptFF: suspicious - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\03F82C70 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\040B285B/[From 0007737195@mail1.edataalliance.com][Date Wed, 10 May 2006 15:53:10 -0700]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\040B285B/[From 0007737195@mail1.edataalliance.com][Date Wed, 10 May 2006 15:53:10 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\040B285B Mail: suspicious - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\040B285B CryptFF: suspicious - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0425783E Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\04BF2D95/[From rcthomas@cox.net][Date Wed, 10 May 2006 15:52:17 -0700]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\04BF2D95/[From rcthomas@cox.net][Date Wed, 10 May 2006 15:52:17 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\04BF2D95 Mail: suspicious - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\04BF2D95 CryptFF: suspicious - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\193517ED.exe Infected: Trojan-Clicker.Win32.Small.kx skipped
C:\Program Files\Norton AntiVirus\Quarantine\195D0FC2.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B747574.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\372C05AC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\Program Files\Norton AntiVirus\Quarantine\3F7773D3.exe Infected: not-a-virus:AdWare.Win32.SmartSearch.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\41B6515B.exe Infected: not-a-virus:AdWare.Win32.SmartSearch.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\48A035BF Infected: not-a-virus:AdWare.Win32.SmartSearch.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\52C67796/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\52C67796 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\52C67796 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\53383518/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\53383518 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\53383518 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\53576213/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\53576213 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\53576213 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\53797CD0/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\53797CD0 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\53797CD0 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\622962FB.tcf Infected: Trojan-Downloader.Win32.Zlob.vn skipped
C:\Program Files\Norton AntiVirus\Quarantine\725F2000.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\Program Files\Norton AntiVirus\Quarantine\726249FD.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\Program Files\Norton AntiVirus\Quarantine\7CF463AB.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\Program Files\XoftSpy\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\XoftSpy\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\XoftSpy\uninstall.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000010.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000011.dll Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000029.exe Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000175.exe Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000176.exe Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000178.exe Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000179.tlb Infected: Trojan-Downloader.Win32.Zlob.vv skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000204.dll Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP11\A0001997.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP11\A0001998.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP11\A0001999.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP11\A0002000.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP4\A0000445.exe Infected: not-a-virus:AdWare.Win32.PurityScan.em skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP4\A0000452.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP5\A0000850.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP5\A0000850.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP7\A0001953.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\Prefetch\Layout.ini Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3C972EEE-EBA6-47C1-B7B2-BBB8EB388271}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DCBF2D0B-DCA9-486F-B2EB-6F1E5F0DAF8C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5277.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spoolsv.dll.tcf Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12 -David-

Posted 16 July 2006 - 05:18 AM

Hey aznliu.

Most of the findings in the Kaspersky log are harmless.
We've just got a bit of final cleaning to do.

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe
C:\WINDOWS\system32\spoolsv.dll.tcf

Go to start > run and type regsvr32 occache.dll

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle Bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

* Open Norton AntiVirus by double clicking the 'Shield' icon located in the right hand bottom corner of your computer screen.
Double click the 'View' folder. It is located on the left side of the Norton AntiVirus window. This will expand the folder and display the contents.
Click on the 'Quarantine' icon. The right side of the Norton AntiVirus window will now list the contents of your quarantine folder.
Select the item you wish to remove and click on RED 'X' icon to delete it.
This will open the 'Take Action' window. Click the 'Start Delete' button to remove the infected file from your computer.
Repeat for any other quarantined files you want to remove.
When you are done removing files, click the 'Exit' button in the bottom left hand corner of the Norton AntiVirus window.

Reboot and let me know how the computer is running.
Problem solved here?
David
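
Added example (not part of the original thread, and not a tool used in it): a Python triage of the Kaspersky Online Scanner report format shown above. It drops the "Object is locked" noise and the per-archive rollup lines, then groups detections by where the file sits (Norton quarantine, System Restore snapshot, or live disk), which lines up with the cleanup steps in the post above. The function names and the grouping labels are assumptions of this example; the sample lines are copied from the report in this thread.

```python
import re
from collections import defaultdict

# Lines copied from the Kaspersky report posted earlier in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\firefox.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\firefox.exe NSIS: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\03B33ABC Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\52C67796/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\52C67796 ZIP: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP11\A0001997.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cd skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP1\A0000011.dll Object is locked skipped
C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\system32\spoolsv.dll.tcf Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
"""

# One report row is "<object name> <status> <last action>". Paths contain
# spaces, so the status is matched from the right-hand side of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"(?P<locked>Object is locked)"
    r"|(?P<verdict>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<container>\w+): (?:infected|suspicious) - \d+"
    r")\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one report row, or None for headers and blank lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m.group("locked"):
        kind = "locked"        # file in use; the scanner could not read it
    elif m.group("verdict"):
        kind = "detection"     # a named detection on a file or archive member
    else:
        kind = "container"     # per-archive rollup (NSIS, ZIP, Mail, CryptFF)
    return {"path": m.group("path"), "kind": kind,
            "verdict": m.group("verdict"), "name": m.group("name")}


def disk_file(path):
    """Strip the archive-member part: the scanner joins members with '/'."""
    return path.split("/", 1)[0]


def location(path):
    """Label where a file sits. The quarantine path is the one in this report."""
    p = path.lower()
    if "\\norton antivirus\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "live"


def triage(report_text):
    """Group detections as {location: {file on disk: [detection names]}}.

    Rollup rows are skipped because the member rows already carry the
    detection name; counting both would double-count the same file.
    """
    groups = defaultdict(lambda: defaultdict(set))
    locked = 0
    for raw in report_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        if rec["kind"] == "locked":
            locked += 1
        elif rec["kind"] == "detection":
            target = disk_file(rec["path"])
            groups[location(target)][target].add(rec["name"])
    result = {loc: {f: sorted(names) for f, names in files.items()}
              for loc, files in groups.items()}
    return result, locked


if __name__ == "__main__":
    found, locked_count = triage(SAMPLE_REPORT)
    print(f"{locked_count} locked objects ignored")
    for loc in ("live", "system_restore", "quarantine"):
        for path, names in sorted(found.get(loc, {}).items()):
            print(f"[{loc}] {path}: {', '.join(names)}")
```

Run against the full saved report, the "live" group is the short list worth reading by hand; the other two groups are copies held by the anti-virus quarantine and by System Restore.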

#13 aznliu

Posted 17 July 2006 - 12:59 PM

Alrighty, I did the items mentioned in your previous post. So far, I haven't gotten any more of the annoying pop-ups about antivirus. I have AVG on my computer so I ran a scan. It came up with "winC5.tmp.exe" "Trojan Horse Dropper.VB.3.AK". AVG "healed" or "cleaned" it. Also, there was something about "Digi-Watcher."

Thank you so much for your assistance. I hope this will be the end of the chaos.

#14 -David-

Posted 17 July 2006 - 04:32 PM

Ok, I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either AVG or Norton. If you remove Norton, please understand you will have to install a new firewall, as the McAfee one will have been uninstalled also.

David

#15 aznliu

Posted 17 July 2006 - 05:49 PM

I didn't realize that having Norton and AVG would be a problem. I am planning on uninstalling Norton because it is about to expire. What should I do about the firewall then?

Thanks



