Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Had Spywarequake And Spy Sherrif


  • Please log in to reply
9 replies to this topic

#1 Spectre

Spectre

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 13 August 2006 - 01:52 AM

I had spywarequake and spy sherrif on my computer. I used your detailed instructions to remove them, including using roguescanfix and smitrem. I am no longer getting the pop-up messages that i am infected in my system tray.

The computer is still running really unrealistically slow, like it never used to before. (as in i can count to thirty before the start menu opens after I click it) though the computer sleed up a little bit after it has been on for an hour or two.

I have run the most recent versions of spybot S+D, ad-aware, symantec antivirus, macafee stinger, and house call antivirus. (as a sidenote i tried to run panda twice but it crashed in the middle both times, though this may have been from overheating?) I think I still have something though, which is why I am posting a hijackthis log.

As a last mention, during all of this i also got the "windows cannot find the locally stored profile" error. From what i read on this on microsoft and elsewhere, as far as I know the only solution is to make a new profile which I did. And I guess I'm thankful that i can still get to the thing in my other profile by exploring. As such some of the start-up thing are things i would normally have of anyway, but in dealing with all the malware I really haven't caught up with it all yet.

Logfile of HijackThis v1.99.1
Scan saved at 2:40:27 AM, on 8/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

Thank a million in advance, and also for your online walkthoughs, they have been a huge help.

Edit: symantec still says i have spysherrif, but it cant delet it without a reboot, but after each reboot it comes back anyway. and during all of this im still getting many trojans. symantec catches them all, quarantines them and then I scessfully delet them, yet they are still back each time.

Edited by Spectre, 13 August 2006 - 09:46 AM.


BC AdBot (Login to Remove)

 


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 13 August 2006 - 06:20 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

I see Viewpoint installed. Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Step #2

Scan again with HijackThis and check the following items:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer.

Step #3

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #3

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Start HijackThis and perform a new scan.

Use the Add Reply button to post your new logs back here along withas details of any problems you encountered performing the above steps and I will review it when it comes in.

#3 Spectre

Spectre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 14 August 2006 - 10:06 AM

ok. I had veiwpoint manager and media player and those were removed without error.

fixed the selected items with hijackthis.

rebooted, reboot went faster then normal but after login was still slow, like it was caught processing something, and I also got an end program that is not responding message the program was called "Run a Dll as an App."

after waiting a while for the computer to catch up i cleared the cookies and temp files without incedent and ran kaspersky, which found a lot of things. The log for it is longer than you guys allow for 6 posts. most of it seems to be files i no longer have access to as they are in the profile that is "corrupted" Heres a sampling of most of the types of things i found in the log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 14, 2006 9:33:10 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/08/2006
Kaspersky Anti-Virus database records: 214616
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 147137
Number of viruses found: 2
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:04:24


Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\198f54e3de8fe317ecb671068884bc4f_a90f8a38-ade8-46e4-9e68-4ce75bebd1db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8dac938deeb709e8e08e332c899b8504_a90f8a38-ade8-46e4-9e68-4ce75bebd1db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000\47FAA9A7.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08900000\4CDE3187.VBN Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\.gtk-bookmarks Object is locked skipped
C:\Documents and Settings\Mike\.limewire\.NetworkShare\LimeWireWin4.10.3.exe Object is locked skipped
C:\Documents and Settings\Mike\.limewire\.NetworkShare\LimeWireWin4.10.4.exe Object is locked skipped
C:\Documents and Settings\Mike\.limewire\.NetworkShare\LimeWireWin4.10.5.exe Object is locked skipped
C:\Documents and Settings\Mike\.limewire\.NetworkShare\LimeWireWin4.10.9.exe Object is locked skipped
C:\Documents and Settings\Mike\.limewire\.NetworkShare\LimeWireWin4.9.37.exe Object is locked skipped
C:\Documents and Settings\Mike\.limewire\49splashpro.png Object is locked skipped
C:\Documents and Settings\Mike\.limewire\createtimes.cache Object is locked skipped
C:\Documents and Settings\Mike\.limewire\fileurns.bak Object is locked skipped
C:\Documents and Settings\Mike\.limewire\fileurns.cache Object is locked skipped
C:\Documents and Settings\Mike\.limewire\filters.props Object is locked skipped
...
C:\Documents and Settings\Mike\Application Data\.gaim\accels Object is locked skipped
C:\Documents and Settings\Mike\Application Data\.gaim\accounts.xml Object is locked skipped
C:\Documents and Settings\Mike\Application Data\.gaim\blist.xml Object is locked skipped
C:\Documents and Settings\Mike\Application Data\.gaim\icons\28e2b6a3 Object is locked skipped
C:\Documents and Settings\Mike\Application Data\.gaim\icons\2b5fed3e Object is locked skipped
...
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Cookies\mike@35487201[1].txt Object is locked skipped
C:\Documents and Settings\Mike\Cookies\mike@356972594[1].txt Object is locked skipped
C:\Documents and Settings\Mike\Cookies\mike@45813911[1].txt Object is locked skipped
C:\Documents and Settings\Mike\Cookies\mike@50starscasino[1].txt Object is locked skipped
C:\Documents and Settings\Mike\Cookies\mike@ad.yieldmanager[1].txt Object is locked skipped
...
C:\Documents and Settings\Mike\Desktop\Adobe Photoshop CS.lnk Object is locked skipped
C:\Documents and Settings\Mike\Desktop\email'.txt Object is locked skipped
C:\Documents and Settings\Mike\Desktop\FormZ RadioZity MP v5.0.0.lnk Object is locked skipped
C:\Documents and Settings\Mike\Desktop\Frozen Throne.lnk Object is locked skipped
C:\Documents and Settings\Mike\Desktop\games\ADOM\adom_dat\adom.cfg Object is locked skipped
C:\Documents and Settings\Mike\Desktop\games\ADOM\adom_dat\adom.cnt Object is locked skipped
C:\Documents and Settings\Mike\Desktop\games\ADOM\adom_dat\adom.kbd Object is locked skipped
C:\Documents and Settings\Mike\Desktop\games\ADOM\adom_dat\adom.ver Object is locked skipped
...
C:\Documents and Settings\Mike\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\Mike\Favorites\Free AOL & Unlimited Internet.lnk Object is locked skipped
C:\Documents and Settings\Mike\Favorites\Links\Free AOL & Unlimited Internet.lnk Object is locked skipped
C:\Documents and Settings\Mike\Favorites\Online Security Test.url Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\AcroFnt06.lst Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Apple Computer\iTunes\iTunes.pref Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Apple Computer\QuickTime\downloads\00\13\0d733e1e-73d0165a-6da5d3f3-0122358e.qtch Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Apple Computer\QuickTime\downloads\01\11\1ba3a96f-97fa07c5-c043488d-5de1d32d.qtch Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Apple Computer\QuickTime\downloads\02\02\223f0cc9-6b277d8a-caf45839-eb0bd96b.qtch Object is locked
...
C:\Documents and Settings\Mike\My Documents\Adlm\3DSMAX7ENURegEmail.xml Object is locked skipped
C:\Documents and Settings\Mike\My Documents\Adlm\3DSMAX7ENURegInfo.html Object is locked skipped
C:\Documents and Settings\Mike\My Documents\Adobe\Premiere Pro\1.5\Adobe Premiere Pro Auto-Save\transformer-1.prproj Object is locked skipped
C:\Documents and Settings\Mike\My Documents\Adobe\Premiere Pro\1.5\Adobe Premiere Pro Auto-Save\transformer-2.prproj Object is locked skipped
C:\Documents and Settings\Mike\My Documents\Adobe\Premiere Pro\1.5\Adobe Premiere Pro Auto-Save\transformer-3.prproj Object is locked skipped
C:\Documents and Settings\Mike\My Documents\Adobe\Premiere Pro\1.5\Adobe Premiere Pro Auto-Save\transformer-4.prproj Object is locked skipped
...
C:\Documents and Settings\Mike\NetHood\2005 Docs (Annas Cptr) on Anna (Anna)\Desktop.ini Object is locked skipped
C:\Documents and Settings\Mike\NetHood\2005 Docs (Annas Cptr) on Anna (Anna)\target.lnk Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\ntuser.ini Object is locked skipped
C:\Documents and Settings\Mike\Recent\000-red_hot_chili_peppers-stadium_arcadium-(proper)-2cd-2006.m3u.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\01-19-2000 (Soulchild Remix).mp3.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\010.jpg.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\03 - Three Days Grace - Animal I Have Become.mp3.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\035 - Gnarls Barkley - Crazy.MP3.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\054.jpg.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\09.GIF.lnk Object is locked skipped
C:\Documents and Settings\Mike\Recent\101MSDCF.lnk Object is locked skipped
...
C:\Documents and Settings\Mike\SendTo\AIM Buddy.lnk Object is locked skipped
C:\Documents and Settings\Mike\SendTo\AIM Share.lnk Object is locked skipped
C:\Documents and Settings\Mike\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Mike\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Mike\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Mike\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Mike\SendTo\My Documents.mydocs Object is locked skipped
C:\Documents and Settings\Mike\SendTo\RecordNow!.RecordNowSendToExt Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Mike\Start Menu\Programs\Accessories\Address Book.lnk Object is locked skipped
...
C:\Documents and Settings\Mike\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Mike\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Mike\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\Mike\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Mike\UserData\YBMFU52J\oWindowsUpdate[1].xml Object is locked skipped
C:\Documents and Settings\Mike\zguicfgw.dat Object is locked skipped
C:\Documents and Settings\Mike\zsnesw.cfg Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Drivers\SonyUSB\sonyhc.cat Object is locked skipped
C:\Drivers\SonyUSB\sonyhc2kdisk.inf Object is locked skipped
C:\Drivers\SonyUSB\sonyhcaudio2k.inf Object is locked skipped
C:\Drivers\SonyUSB\sonyhcusb2k.inf Object is locked skipped
...
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
...
C:\VT AntiVirus\Symantec Installer\0x0409.ini Object is locked skipped
C:\VT AntiVirus\Symantec Installer\Data1.cab Object is locked skipped
C:\VT AntiVirus\Symantec Installer\grc.dat Object is locked skipped
C:\VT AntiVirus\Symantec Installer\instmsiw.exe Object is locked skipped
C:\VT AntiVirus\Symantec Installer\Setup.exe Object is locked skipped
C:\VT AntiVirus\Symantec Installer\Setup.ini Object is locked skipped
C:\VT AntiVirus\Symantec Installer\Symantec AntiVirus.msi Object is locked skipped
C:\VT AntiVirus\Symantec Installer\VDefHub.zip Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
...
C:\WINDOWS\inf\sonypvs3audio.inf Object is locked skipped
C:\WINDOWS\inf\sonypvs3usb.inf Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0B9B23AC-DA96-429B-9E30-966CFED7CF32}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
...
C:\work\portfolio\year two\three rooms\modifiedroof4fixedfloorwall.skp Object is locked skipped
C:\work\portfolio\year two\three rooms\modifiedroofone.skp Object is locked skipped
C:\work\portfolio\year two\three rooms\modifiedroofstairs.skp Object is locked skipped
C:\work\portfolio\year two\three rooms\plan.skp Object is locked skipped
C:\work\portfolio\year two\three rooms\withground.skp Object is locked skipped
C:\work\portfolio\year two\transitionhouse\new trans style.skp Object is locked skipped
...


the dots indicate where I have removed pages and pages of similar entries.

here is the new hijackthis log as well:


Logfile of HijackThis v1.99.1
Scan saved at 9:34:19 AM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 14 August 2006 - 10:19 AM

please read this: http://articles.techrepublic.com.com/5100-...11-5225409.html

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#5 Spectre

Spectre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 14 August 2006 - 01:20 PM

followed the tech republic steps without incident.

here is the panda scan log:


Incident Status Location

Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\5dlkfwd3.default\cookies.txt[.com.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\5dlkfwd3.default\cookies.txt[.centrport.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\5dlkfwd3.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\5dlkfwd3.default\cookies.txt[.doubleclick.net/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\smitRem.exe[smitRem/Process.exe]
Hacktool:Hacktool/Hammer Not disinfected C:\Program Files\Robster Productions\Halflife Logo Creator\HLC.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Roguescanfix\Process.exe


and the new hijack this:


Logfile of HijackThis v1.99.1
Scan saved at 2:18:48 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 15 August 2006 - 05:50 AM

Please double-click on My Computer and locate the file "C:\Program Files\WebDrive\wdservice.exe". Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

Please tell me how your computer is running!

#7 Spectre

Spectre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 16 August 2006 - 06:24 PM

Hi sorry, i didnt respond sooner, i moved and had to get internet set-up before i could respond.

as for wdservice.exe, i found the file but when i right clicked for properties there was no version tab at the top, just "general", "compatability", and "summary"

as for how my computer is running. much better today (though i didnt turn it on yesturday) no messages about trojans or anything. but it is still a little slow for the first 20 minutes or so.

Though my old profile is completely "access denied" so i've pretty much given up on recoving any of the files in it (its not that big a loss, i save most things on the c drive and not in the my documents folder or on the desktop anyway).

The last strangle thing recently was that there was a new user profile on my computer called "asp.net computer A", or something similar and it was password protected so i deleted it and ran a virus scan and got nothing so i have no idea what that was.

thanks for your continued help.

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 18 August 2006 - 03:23 AM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....

    Posted Image


#9 Spectre

Spectre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 18 August 2006 - 07:25 PM

no problems its been working great!

thanks for your continued help.

#10 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 19 August 2006 - 03:18 AM

You're welcome :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users