Hjt Log Along With F-secure Blacklight


20 replies to this topic

#1 The Colonel (Members, 24 posts)

Posted 09 August 2006 - 07:07 PM

Ran into a nasty one here.

Ran Ewido/Spybot/Ad-Aware and also ran F-Secure BlackLight.

Ewido found it but could not remove it.

BlackLight found 4 items. Asked me to rename files? What names do I give them?

I assume if I rename them and then run Ewido it should remove them, correct?

PC runs fine, but when I go to Yahoo/Google etc., whatever I search for ends up being redirected to another phony/bad site.

If I type in the Web site address directly it works fine. Any ideas?

If you need anything additional, like HJT logs, let me know.

Thanks for any help.

Logfile of HijackThis v1.99.1
Scan saved at 6:17:00 PM, on 8/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
E:\PROGRA~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\Fast.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "E:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

08/08/06 18:14:49 [Info]: BlackLight Engine 1.0.42 initialized
08/08/06 18:14:49 [Info]: OS: 5.1 build 2600 ()
08/08/06 18:14:50 [Note]: 7019 4
08/08/06 18:14:50 [Note]: 7005 0
08/08/06 18:14:54 [Note]: 7006 0
08/08/06 18:14:54 [Note]: 7011 1148
08/08/06 18:14:55 [Note]: 7026 0
08/08/06 18:14:55 [Note]: 7026 0
08/08/06 18:15:12 [Note]: FSRAW library version 1.7.1019
08/08/06 18:15:31 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DMYEV.EXE
08/08/06 18:15:31 [Note]: 7002 32
08/08/06 18:15:31 [Note]: 7003 1
08/08/06 18:15:32 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\CSMOT.EXE
08/08/06 18:15:32 [Note]: 7002 32
08/08/06 18:15:32 [Note]: 7003 1
08/08/06 18:15:35 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{42742~1.EXE
08/08/06 18:15:36 [Note]: 7002 5
08/08/06 18:15:36 [Note]: 7003 1
08/08/06 18:15:38 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{C4DD4~1.EXE
08/08/06 18:15:39 [Note]: 7002 5
08/08/06 18:15:39 [Note]: 7003 1
08/08/06 18:15:42 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{F6359~1.EXE
08/08/06 18:15:42 [Note]: 7002 5
08/08/06 18:15:42 [Note]: 7003 1
08/08/06 18:15:44 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{E01F6~1.EXE
08/08/06 18:15:45 [Note]: 7002 5
08/08/06 18:15:45 [Note]: 7003 1
08/08/06 18:15:47 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{5ECE5~1.EXE
08/08/06 18:16:29 [Note]: 7007 0


#2 didom (Members, 1,389 posts)

Posted 10 August 2006 - 07:06 AM

c:\WINDOWS\SYSTEM32\DMYEV.EXE
c:\WINDOWS\SYSTEM32\CSMOT.EXE
c:\WINDOWS\SYSTEM32\{42742~1.EXE
c:\WINDOWS\SYSTEM32\{C4DD4~1.EXE
c:\WINDOWS\SYSTEM32\{F6359~1.EXE
c:\WINDOWS\SYSTEM32\{E01F6~1.EXE
c:\WINDOWS\SYSTEM32\{5ECE5~1.EXE


Run Blacklight and choose to rename all of those listed above.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:


c:\WINDOWS\SYSTEM32\DMYEV.EXE.ren
c:\WINDOWS\SYSTEM32\CSMOT.EXE.ren
c:\WINDOWS\SYSTEM32\{42742~1.EXE.ren
c:\WINDOWS\SYSTEM32\{C4DD4~1.EXE.ren
c:\WINDOWS\SYSTEM32\{F6359~1.EXE.ren
c:\WINDOWS\SYSTEM32\{E01F6~1.EXE.ren
c:\WINDOWS\SYSTEM32\{5ECE5~1.EXE.ren


Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at:

didom[AT]malware-research.co.uk (replace [AT] with @)

Thank you!

Please post back here after you have done that.

I will review the files when they come in and post back new instructions after I have researched them.
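
The BlackLight log in the first post is plain text with one `[Info]: Hidden file:` line per hit, and the rename option appends `.ren` to each file, which is where the list above comes from. The following Python script is added here as an example and is not code from the thread or from F-Secure: it parses a constructed excerpt of that log, extracts the hidden-file paths, builds the `.ren` list to paste into the Suspicious File Packer, and flags two things worth checking before renaming anything: entries the log shows only as 8.3 short names (`{42742~1.EXE`, whose full long name is not in the log), and names that a helper later in this thread notes can be legitimate hidden files (`wbemtest.exe`). `KNOWN_LEGIT` is an assumption seeded from that remark, not a BlackLight allowlist, and the `WBEMTEST.EXE` line in the sample is constructed to exercise it.

```python
import ntpath
import re

# Constructed excerpt of the BlackLight log posted in this thread, with one
# extra line (WBEMTEST.EXE) added to exercise the legitimate-name filter.
SAMPLE_LOG = r"""08/08/06 18:14:49 [Info]: BlackLight Engine 1.0.42 initialized
08/08/06 18:14:49 [Info]: OS: 5.1 build 2600 ()
08/08/06 18:15:12 [Note]: FSRAW library version 1.7.1019
08/08/06 18:15:31 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DMYEV.EXE
08/08/06 18:15:31 [Note]: 7002 32
08/08/06 18:15:31 [Note]: 7003 1
08/08/06 18:15:32 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\CSMOT.EXE
08/08/06 18:15:32 [Note]: 7002 32
08/08/06 18:15:32 [Note]: 7003 1
08/08/06 18:15:35 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{42742~1.EXE
08/08/06 18:15:36 [Note]: 7002 5
08/08/06 18:15:40 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
08/08/06 18:16:29 [Note]: 7007 0
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\]: (.*)$")
HIDDEN_PREFIX = "Hidden file: "
SHORT_NAME_RE = re.compile(r"~\d+(\.[^.\\]*)?$")   # FOO~1.EXE style 8.3 alias

# Assumption: names a helper in this thread says can legitimately show up as
# hidden. Extend from your own baseline; this is not a BlackLight allowlist.
KNOWN_LEGIT = {"wbemtest.exe"}


def parse_blacklight(text):
    """Yield (timestamp, level, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()


def hidden_files(text):
    """Paths BlackLight reported as hidden, in log order."""
    return [msg[len(HIDDEN_PREFIX):]
            for _, level, msg in parse_blacklight(text)
            if level == "Info" and msg.startswith(HIDDEN_PREFIX)]


def is_short_name(path):
    """True when the log only shows an 8.3 alias (FOO~1.EXE), so the real
    long file name is still unknown and should be resolved before judging it."""
    return SHORT_NAME_RE.search(ntpath.basename(path)) is not None


def suspicious_hidden_files(text):
    """Hidden files minus names known to be legitimate (case-insensitive)."""
    return [p for p in hidden_files(text)
            if ntpath.basename(p).lower() not in KNOWN_LEGIT]


def rename_list(text):
    """What BlackLight's rename option leaves behind: each suspicious path
    with '.ren' appended, i.e. the list to paste into the Suspicious File Packer."""
    return [p + ".ren" for p in suspicious_hidden_files(text)]


if __name__ == "__main__":
    for path in hidden_files(SAMPLE_LOG):
        tag = "8.3 alias, resolve long name" if is_short_name(path) else ""
        legit = "known legitimate" if ntpath.basename(path).lower() in KNOWN_LEGIT else ""
        print(f"{path:45} {tag}{legit}")
    print("\nPaste into SFP:")
    print("\n".join(rename_list(SAMPLE_LOG)))
```

`ntpath` is used instead of `os.path` so the backslash paths split correctly even when the script is run on a non-Windows analysis box.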

#3 The Colonel (Topic Starter, Members, 24 posts)

Posted 10 August 2006 - 09:10 AM

Thank you for your help.

But before I do what you ask, I have a question.

When you say "rename the files"...Rename them to what? File 1, File 2 etc. Or something specific?

Thanks!

#4 The Colonel (Topic Starter, Members, 24 posts)

Posted 10 August 2006 - 06:03 PM

OK I did what you asked and mailed you the files.

Thanks!

#5 didom (Members, 1,389 posts)

Posted 11 August 2006 - 07:52 AM

Your CAB file was empty. So probably the renaming went wrong. I need another BlackLight log:

Double-click blbeta.exe, accept the agreement, then click Scan and then Next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

#6 The Colonel (Topic Starter, Members, 24 posts)

Posted 11 August 2006 - 01:00 PM

Didn't find too much in this one. Does this help?

08/11/06 13:56:14 [Info]: BlackLight Engine 1.0.42 initialized
08/11/06 13:56:14 [Info]: OS: 5.1 build 2600 ()
08/11/06 13:56:16 [Note]: 7019 4
08/11/06 13:56:16 [Note]: 7005 0
08/11/06 13:56:22 [Note]: 7006 0
08/11/06 13:56:22 [Note]: 7011 1164
08/11/06 13:56:23 [Note]: 7026 0
08/11/06 13:56:23 [Note]: 7026 0
08/11/06 13:56:39 [Note]: FSRAW library version 1.7.1019
08/11/06 13:57:35 [Note]: 7007 0

#7 didom (Members, 1,389 posts)

Posted 11 August 2006 - 01:06 PM

Can you please tell me if these really are there:

c:\WINDOWS\SYSTEM32\DMYEV.EXE.ren
c:\WINDOWS\SYSTEM32\CSMOT.EXE.ren
c:\WINDOWS\SYSTEM32\{42742~1.EXE.ren
c:\WINDOWS\SYSTEM32\{C4DD4~1.EXE.ren
c:\WINDOWS\SYSTEM32\{F6359~1.EXE.ren
c:\WINDOWS\SYSTEM32\{E01F6~1.EXE.ren
c:\WINDOWS\SYSTEM32\{5ECE5~1.EXE.ren

#8 The Colonel (Topic Starter, Members, 24 posts)

Posted 11 August 2006 - 04:56 PM

Just the last one.

Rest are gone....

#9 didom (Members, 1,389 posts)

Posted 12 August 2006 - 05:24 AM

Really strange! Maybe your AV detected and deleted them...

1. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
2. Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

3. Start HijackThis and perform a new scan.

4. Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps, and I will review them when they come in.

#10 The Colonel (Topic Starter, Members, 24 posts)

Posted 13 August 2006 - 03:59 PM

Ok here you go....

First is Panda and 2nd is HJT.

Incident Status Location

Adware:adware/searchtheweb Not disinfected c:\windows\system32\cache\mswinstall.exe
Spyware:spyware/whazit Not disinfected c:\windows\system32\kyf.dat
Adware:adware/savenow Not disinfected c:\windows\system32\datastore.dll
Adware:adware/transponder Not disinfected c:\windows\inf\Pynix.inf
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Stop PopUps On Your Computer.url
Adware:adware/delfinmedia Not disinfected c:\keys.ini
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Steve & Amie\Application Data\tvmuknwrd.dll
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Adware:adware/beginto Not disinfected c:\windows\system32\cache32_rtneg
Adware:adware/hotoffers Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:Adware/SideSearch Not disinfected C:\WINDOWS\system32\sset.exe[²κΗ.dll]
Spyware:Spyware/ClearSearch Not disinfected C:\WINDOWS\system32\sset.exe[ClrSchUninstall_78_86.exe]
Spyware:Spyware/Omi Not disinfected C:\WINDOWS\system32\msfdje.gif
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{5ECE5~1.EXE.ren[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{5ECE5~1.EXE.ren[KillAndCleanUpdate.exe]
Virus:Trj/Downloader.BJF Disinfected C:\WINDOWS\system32\Cache\skh2.exe
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Steve & Amie\Cookies\steve & amie@realmedia[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Steve & Amie\Cookies\steve & amie@ads.pointroll[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Steve & Amie\Cookies\steve & amie@statcounter[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Steve & Amie\Cookies\steve & amie@bluestreak[1].txt

Logfile of HijackThis v1.99.1
Scan saved at 4:55:40 PM, on 8/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
E:\PROGRA~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Fast.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\HijackThis.exe
E:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [dmchy.exe] C:\WINDOWS\System32\dmchy.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "E:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
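
Comparing the HijackThis log above with the one in the first post is how a helper spots what changed between scans: the `O4 - HKLM\..\Run: [dmchy.exe]` autostart is new, and so is an O16 entry that is only the ActiveX installer the Panda scan leaves behind. The following Python script is added here as an example, not code from the thread or from HijackThis: it runs that comparison on constructed excerpts of the two logs (a few lines each, copied from them, with `wuauclt.exe` kept only in the first so the process diff has something to show), parses the O4 fields, and tags added O16 entries whose download host is the scanner's site. `SCANNER_DPF_HOSTS` is an assumption taken from the O16 line in the log, not a HijackThis feature.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts of the two HijackThis logs posted in this thread.
HJT_FIRST = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:17:00 PM, on 8/9/2006
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

HJT_SECOND = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:55:40 PM, on 8/13/2006
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [dmchy.exe] C:\WINDOWS\System32\dmchy.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")

# Assumption: hosts whose O16 (DPF) entries are expected after running the
# online scanners requested in this thread; taken from the log's own O16 line.
SCANNER_DPF_HOSTS = ("acs.pandasoftware.com",)


def parse_hjt(text):
    """Split a HijackThis log into its process list and its R/F/N/O entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # blank line ends the process list
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def diff_hjt(old_text, new_text):
    """Entries and processes that appeared or disappeared between two logs."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    old_e, new_e = set(old["entries"]), set(new["entries"])
    old_p, new_p = set(old["processes"]), set(new["processes"])
    return {
        "added_entries": [e for e in new["entries"] if e not in old_e],
        "removed_entries": [e for e in old["entries"] if e not in new_e],
        "added_processes": [p for p in new["processes"] if p not in old_p],
        "removed_processes": [p for p in old["processes"] if p not in new_p],
    }


def parse_o4(entry):
    """(hive, key, value name, command) for an O4 autostart line, else None."""
    m = O4_RE.match(entry)
    return m.groups() if m else None


def triage_added(entries):
    """Label each added entry: 'scanner-installed' for an O16 whose download
    host is a known scanner site, 'review' for everything else."""
    out = []
    for e in entries:
        m = O16_RE.match(e)
        host = urlparse(m.group(1)).hostname if m else None
        out.append((e, "scanner-installed" if host in SCANNER_DPF_HOSTS else "review"))
    return out


if __name__ == "__main__":
    d = diff_hjt(HJT_FIRST, HJT_SECOND)
    for entry, verdict in triage_added(d["added_entries"]):
        print(f"[{verdict:17}] {entry}")
        if parse_o4(entry):
            hive, key, name, cmd = parse_o4(entry)
            print(f"    autostart {hive}\\...\\{key} name={name!r} cmd={cmd!r}")
    for p in d["removed_processes"]:
        print(f"[no longer running] {p}")
```

The diff is on whole lines on purpose: an O4 entry that keeps its value name but changes its command path is exactly the kind of change that should surface as "removed" plus "added" rather than be hidden by a looser match.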

#11 didom (Members, 1,389 posts)

Posted 13 August 2006 - 05:09 PM

First is panda and 2nd is HJT..

You don't have the Kaspersky On-line Scanner log?

-----------------------------

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
O4 - HKLM\..\Run: [dmchy.exe] C:\WINDOWS\System32\dmchy.exe
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files (if they are still there):
c:\windows\system32\cache\mswinstall.exe
c:\windows\system32\kyf.dat
c:\windows\system32\datastore.dll
c:\windows\inf\Pynix.inf
c:\keys.ini
C:\Documents and Settings\Steve & Amie\Application Data\tvmuknwrd.dll
c:\windows\rdt.ini
c:\windows\system32\cache32_rtneg
C:\WINDOWS\system32\sset.exe
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\Cache\skh2.exe
C:\WINDOWS\system32\{5ECE5~1.EXE.ren
C:\WINDOWS\System32\dmchy.exe
c:\documents and settings\all users\favorites\Stop PopUps On Your Computer.url



Reboot your computer normally.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
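
The Step #4 list above is essentially the Panda report from the previous post with the registry-only hits and tracking cookies dropped, the archive-member suffix (`sset.exe[ClrSchUninstall_78_86.exe]`) cut back to the container file, and duplicates collapsed, plus the `dmchy.exe` autostart target and the favorites `.url` added by hand. The following Python script is added here as an example and is not code from the thread or from Panda: it derives that file list from a constructed excerpt of the report and separately lists the registry-only detections, which deleting files in Safe Mode does not touch. Rows already marked `Disinfected` stay on the list, matching the "if they are still there" wording above; cookie hits are dropped on the assumption that the browser clears them.

```python
import re

# Constructed excerpt of the Panda ActiveScan report posted in this thread.
PANDA_REPORT = r"""Incident Status Location

Adware:adware/searchtheweb Not disinfected c:\windows\system32\cache\mswinstall.exe
Spyware:spyware/whazit Not disinfected c:\windows\system32\kyf.dat
Adware:adware/hotoffers Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Spyware/ClearSearch Not disinfected C:\WINDOWS\system32\sset.exe[ClrSchUninstall_78_86.exe]
Spyware:Spyware/Omi Not disinfected C:\WINDOWS\system32\msfdje.gif
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{5ECE5~1.EXE.ren[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{5ECE5~1.EXE.ren[KillAndCleanUpdate.exe]
Virus:Trj/Downloader.BJF Disinfected C:\WINDOWS\system32\Cache\skh2.exe
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Steve & Amie\Cookies\steve & amie@realmedia[2].txt
"""

# category:name status location; the category itself may contain spaces
ROW_RE = re.compile(r"^(.+?):(\S+) (Not disinfected|Disinfected) (.+)$")
MEMBER_RE = re.compile(r"^(.*)\[([^\]\\]*)\]$")   # container[member inside archive]
REGISTRY = "Windows Registry"


def parse_panda(text):
    """One dict per detection row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cat, name, status, loc = m.groups()
            rows.append({"category": cat, "name": name, "status": status, "location": loc})
    return rows


def split_member(location):
    """('C:\\x\\a.exe', 'b.exe') for 'C:\\x\\a.exe[b.exe]', else (location, None)."""
    m = MEMBER_RE.match(location)
    return (m.group(1), m.group(2)) if m else (location, None)


def file_targets(text):
    """Unique on-disk paths to delete, in report order. Registry-only hits and
    cookies are excluded; an archive member collapses to its container file;
    rows already 'Disinfected' stay in, to be deleted only if still present."""
    seen, targets = set(), []
    for row in parse_panda(text):
        if row["location"] == REGISTRY or row["name"].lower().startswith("cookie/"):
            continue
        path, _ = split_member(row["location"])
        if path.lower() not in seen:
            seen.add(path.lower())
            targets.append(path)
    return targets


def registry_hits(text):
    """Detections that live only in the registry; deleting files will not clear them."""
    return [r["name"] for r in parse_panda(text) if r["location"] == REGISTRY]


def archive_members(text):
    """(container, member) pairs, i.e. payloads packed inside another file."""
    out = []
    for r in parse_panda(text):
        path, member = split_member(r["location"])
        if member is not None:
            out.append((path, member))
    return out


if __name__ == "__main__":
    print("Delete in Safe Mode (if still present):")
    print("\n".join(file_targets(PANDA_REPORT)))
    print("\nRegistry-only detections, handle separately:")
    print("\n".join(registry_hits(PANDA_REPORT)))
    print("\nPacked payloads:")
    for container, member in archive_members(PANDA_REPORT):
        print(f"  {member} inside {container}")
```

The registry-only rows are the reason a file-deletion step alone rarely finishes a cleanup like this one: the report names the detection but not the key, so those need the scanner's own removal or a separate registry review.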

#12 The Colonel (Topic Starter, Members, 24 posts)

Posted 13 August 2006 - 08:02 PM

Working on your directions... removed all of them...

But Kaspersky found a bunch: win32.agent.uj, win32trojan.small etc.

----------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 13, 2006 8:56:13 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/08/2006
Kaspersky Anti-Virus database records: 214604
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 23681
Number of viruses found: 19
Number of infected objects: 48 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:04:22

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-08-13_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F7D7A4D.htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31AD1576.zip/a.class Infected: Trojan.Java.ClassLoader.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31AD1576.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31AD1576.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31AD1576.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31AD1576.zip CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31AD1576.cla Infected: Trojan.Java.ClassLoader.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\104A52F4.cla Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\40712ABA.cla Infected: Trojan.Java.ClassLoader.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\494947AF.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F47077B.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F4A3178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F4D5B74.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\41D76357.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\114A5EC6.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04476E1A.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44502EEF.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D181668.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\789D545C.dll Infected: Trojan-PSW.Win32.Sinowal.m skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78A07E59.dll Infected: Trojan-PSW.Win32.Sinowal.m skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\545C44BA Infected: Trojan-Downloader.HTML.Agent.aq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\545C44BA.exe Infected: Trojan-PSW.Win32.Sinowal.m skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00ED2A1C.exe Infected: Trojan.Win32.Puper.bx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02D41A05.exe Infected: Trojan.Win32.Qhost.hf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02EA3FEC.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02EE69E8.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve & Amie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve & Amie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve & Amie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve & Amie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve & Amie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve & Amie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve & Amie\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Steve & Amie\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP798\A0070069.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP798\A0070074.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP798\A0070076.exe Infected: Trojan.Win32.Puper.bx skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP798\A0070077.exe Infected: Trojan.Win32.Qhost.hf skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP798\A0070078.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP798\A0070079.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP799\A0070091.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP799\A0070095.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070283.exe/data0002 Infected: Trojan.Win32.Registrator.b skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070283.exe/data0003 Infected: Trojan-Downloader.Win32.Small.aly skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070283.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070303.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Sidesearch.c skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070303.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.ClearSearch.f skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070303.exe/stream Infected: not-a-virus:AdWare.Win32.ClearSearch.f skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\A0070303.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\change.log Object is locked skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070104.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070116.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070121.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070127.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070132.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070136.EXE Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP800\A0070137.EXE Infected: Trojan-Downloader.Win32.Agent.uj skipped
E:\System Volume Information\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\RP805\change.log Object is locked skipped
E:\Program Files\Norton AntiVirus\Savrt\0923NAV~.TMP Object is locked skipped
E:\Program Files\Norton AntiVirus\Savrt\0704NAV~.TMP Object is locked skipped
E:\Program Files\Norton AntiVirus\Savrt\0231NAV~.TMP Object is locked skipped
E:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
E:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
E:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

Scan process completed.

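The scan log above is triaged by hand in the next reply (most hits sit in Norton's Quarantine or in System Restore points). As an added example, not code from this thread, here is a small Python parser for that log format that does the same triage automatically; the quarantine folder layout and the last two sample lines are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky Online Scanner log posted above;
# the quarantine line and the cache32_rtneg line are made up for illustration.
SAMPLE_LOG = """\
C:\\Documents and Settings\\LocalService\\NTUSER.DAT Object is locked skipped
C:\\System Volume Information\\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\\RP798\\A0070069.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\\System Volume Information\\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\\RP805\\A0070283.exe/data0002 Infected: Trojan.Win32.Registrator.b skipped
C:\\System Volume Information\\_restore{0D6867C7-86D0-4796-9CA7-BD6CAE445EC2}\\RP805\\A0070283.exe NSIS: infected - 2 skipped
C:\\Program Files\\Norton AntiVirus\\Quarantine\\0A1B2C3D.VBN Infected: Trojan.Win32.Small.fb skipped
C:\\WINDOWS\\system32\\cache32_rtneg\\dropper.exe Infected: Trojan.Win32.Qhost.hf skipped
Scan process completed.
"""

# A scanner line is <path> followed by a detection, an archive summary, or a locked-file note.
LINE_RE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|NSIS: infected - (?P<count>\d+)|Object is locked) skipped$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.I)

def classify(path):
    """Bucket a path as a System Restore copy, an AV quarantine copy, or a live file."""
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group("rp")
    if "\\quarantine\\" in path.lower():  # assumed layout of Norton's quarantine folder
        return "quarantine", None
    return "live", None

def triage(log_text):
    """Return ({bucket: {container: {detection names}}}, {restore points hit});
    archive members such as "A0070283.exe/data0002" fold into their container."""
    buckets = defaultdict(lambda: defaultdict(set))
    restore_points = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or (m.group("name") is None and m.group("count") is None):
            continue  # locked files and non-scanner lines carry no detection
        container = m.group("path").split("/")[0]
        bucket, rp = classify(container)
        if rp:
            restore_points.add(rp)
        buckets[bucket].setdefault(container, set())
        if m.group("name"):
            buckets[bucket][container].add(m.group("name"))
    return {b: dict(c) for b, c in buckets.items()}, restore_points

def needs_action(log_text):
    """Live-system hits: everything not already quarantined or sitting in a restore point."""
    buckets, _ = triage(log_text)
    return sorted(buckets.get("live", {}))
```

Restore-point and quarantine copies are inert until restored, which is why the reply below clears them in bulk; only the "live" bucket points at files still active on the system.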
#13 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:10 PM

Posted 14 August 2006 - 06:31 AM

Well, most of the files are in Quarantine (Norton) or in your System Restore Points, so we'll clean them:

You have a large number of files in Quarantine (Norton) and I want you to delete them all.

Before you begin: You must be in the Finder. Click the desktop or the Finder icon in the Dock to be in the Finder.

To delete the QuarantineFile.qtn file:
  • On the Go menu, click Computer.
  • Double-click your hard disk.
  • Double-click Library.
  • Double-click Application Support.
  • Double-click Norton Solutions Support.
  • Double-click Norton AntiVirus.
  • Delete the QuarantineFile.qtn file.
  • Type your administrator password, then click OK.
  • Open Norton AntiVirus.
  • Click Quarantine.
    There should not be any files left in Quarantine.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check "Turn off System Restore".
    • Click Apply, and then click OK.
  • Reboot your computer.

  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check "Turn off System Restore".
    • Click Apply, and then click OK.
  • Reboot your computer.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#14 The Colonel

The Colonel
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:10 AM

Posted 14 August 2006 - 07:08 PM

Thanks for your response!

Seems like they keep appearing.....



Incident                     Status           Location
Adware:adware/beginto        Not disinfected  c:\windows\system32\cache32_rtneg
Adware:adware/sbsoft         Not disinfected  Windows Registry
Adware:adware/hotoffers      Not disinfected  Windows Registry
Adware:adware/sidesearch     Not disinfected  Windows Registry
Adware:adware/searchtheweb   Not disinfected  Windows Registry
Adware:adware/ncase          Not disinfected  Windows Registry
Spyware:spyware/virtumonde   Not disinfected  Windows Registry

#15 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:10 PM

Posted 15 August 2006 - 06:02 AM

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
  • Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report, the results of the ewido report scan and a fresh HijackThis log.
