Netsky.d / Tarno.q / Winfixer / Pcacme Infections


  • This topic is locked
14 replies to this topic

#1 Taymar

Taymar

  • Members
  • 20 posts

Posted 27 August 2006 - 07:03 PM

Hello

A friend has asked me to sort out her pc as it had been hanging at start-up. Sometimes it would get to desktop, but then freeze. I found that CLMLService.exe was running and giving a CPU usage of 98.46%. I have stopped this from running.

After running several anti-spyware / antivirus packages, I have found a number of infections. Although the packages say that they have been removed, when I run them again, they are found again.

TrojanHunter found - Adware.Hotbar.SmartShopper.100 & Adware.MyBar.100

Norton Internet Security 2006 found - Dialler.AdultChat

SpyBot found - 84 problems, but when run again without scanning for negligible risks, none found

BitDefender found - infostealer tarno.q Trojan.Downloader.6087 (email subject: Payment Receipt form Paycom Support file.10915104.exe) And Win32.Netsky.D@mm And Adware.MyWay.1

When I run BitDefender, I get pop-ups (supposedly from Norton) pertaining to WinFixer and also to NetskyD. These aren't found when I run Norton scans. I then ran Symantec's W32.Netsky FixTool 1.12.0 and it didn't find the Netsky.d virus.

McAfee Stinger found nothing.

As BitDefender said that disinfection of NetskyD and Trojan.Downloader failed, I am unsure what to do to get rid of them, other than formatting the machine. I have posted the HJT log below. Any advice will be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 01:06:03, on 28/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\vetredir.dll' missing
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 August 2006 - 07:02 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
Despite the issues that you are having, your hijackthis log is clean. So we're going to have to look at a more detailed log.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Taymar

Taymar
  • Topic Starter

  • Members
  • 20 posts

Posted 30 August 2006 - 08:10 PM

Hello Sam

Thank you for your assistance.

I have posted the ComboFix log below. Underneath that I have added the HJT log from today.

Just to note that when I ran ComboFix, I got a pop-up from TrojanHunter saying that I have been infected with prorat.256... do I want to clean it from the memory? I cancelled this.

Cheers,

Tay

pip - 06-08-31 2:59:46.62
ComboFix 06.08.27BT - Running from: C:\TaySecurity

((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


2006-08-26 18:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-08-26 18:59 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2006-08-26 18:59 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-08-26 18:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-08-17 17:09 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2006-08-17 17:00 81,920 --a------ C:\WINDOWS\system32\W32N50.dll
2006-08-17 17:00 17,134 --a------ C:\WINDOWS\system32\PCANDIS5.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-31 02:54 -------- d-------- C:\Program Files\HijackThis
2006-08-31 02:53 -------- d-------- C:\Program Files\OldHJT
2006-08-30 05:35 298486 --a------ C:\Program Files\combofix.exe
2006-08-30 05:00 85504 --a------ C:\Program Files\VundoFix(2).exe
2006-08-27 06:40 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-26 21:14 -------- d-------- C:\Documents and Settings\pip\Application Data\BitDefender
2006-08-26 20:58 -------- d-------- C:\Program Files\Common Files\Softwin
2006-08-26 20:57 -------- d-------- C:\Program Files\Softwin
2006-08-26 20:57 -------- d-------- C:\Program Files\Common Files
2006-08-26 18:59 -------- d-------- C:\Program Files\SmitfraudFix
2006-08-26 17:36 -------- d-------- C:\Program Files\TrojanHunter 4.5
2006-08-26 06:52 -------- d-------- C:\Program Files\RegCleaner
2006-08-26 06:52 -------- d-------- C:\Program Files\Lavasoft
2006-08-26 06:52 -------- d-------- C:\Program Files\iolo
2006-08-26 06:52 -------- d-------- C:\Documents and Settings\pip\Application Data\Lavasoft
2006-08-25 02:24 -------- d-------- C:\Program Files\WinRAR
2006-08-25 02:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-25 02:24 -------- d-------- C:\Program Files\Microsoft Works
2006-08-25 02:24 -------- d-------- C:\Program Files\FreeRIP2
2006-08-25 02:24 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-25 02:08 -------- d-------- C:\Program Files\CleanUp!
2006-08-25 01:56 -------- d-------- C:\Program Files\Belarc
2006-08-24 06:34 -------- d-------- C:\Program Files\Yahoo!
2006-08-24 05:51 -------- d-------- C:\Program Files\Wanadoo
2006-08-18 00:34 -------- d-------- C:\Program Files\Internet Explorer
2006-08-17 22:28 -------- d-------- C:\Program Files\Norton Internet Security
2006-08-17 17:01 278528 --a------ C:\Program Files\Common Files\FDEUnInstaller.exe
2006-08-16 16:49 -------- d-------- C:\Program Files\Securitoo
2006-07-29 19:18 -------- d-------- C:\Documents and Settings\pip\Application Data\OLYMPUS
2006-07-29 19:07 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-29 19:06 -------- d-------- C:\Program Files\OLYMPUS
2006-07-29 19:04 -------- d-------- C:\Program Files\PIXELA
2006-07-28 08:32 7005 --a------ C:\Program Files\Eula.txt
2006-07-27 15:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-12 12:59 3278400 --a------ C:\Program Files\procexp.exe
2006-07-11 00:19 -------- d-------- C:\Program Files\Symantec
2006-07-10 19:20 -------- d-------- C:\Documents and Settings\pip\Application Data\Symantec
2006-07-10 19:15 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-06-08 13:08 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-06-08 13:08 161472 --a------ C:\WINDOWS\system32\SymRedir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"ACTIVBOARD"="c:\\apps\\ABoard\\ABoard.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdmcon.exe\""
"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdnagent.exe\""
"BDSwitchAgent"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdswitch.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"WOOKIT"="C:\\PROGRA~1\\Wanadoo\\Shell.exe appLaunchClientZone.shl|PARAM= cnx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - pip.job

Completion time: 06-08-31 3:01:04.90
ComboFix.txt
ComboFix2.txt

:thumbsup:
HJT log 31/08/06

Logfile of HijackThis v1.99.1
Scan saved at 02:54, on 06-08-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\vetredir.dll' missing
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 August 2006 - 08:07 AM

Ok, let's start with the good news. Your Combofix log is clean and I don't find any signs of an active malware infection. There is a little cleaning up that can be done with Hijackthis.

Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG1



Now let's work through the rest of the issues.

Some of your problems are coming from having two antivirus programs running. Best case scenario is that this just causes extreme slowness as those programs drain your computer's resources. But they can also conflict with each other as they both run real time protection in the background and may even cause your computer to crash. Please uninstall either Norton or BitDefender so that you only have one antivirus.

You mentioned that Trojan Hunter had found some malware. Was it successfully able to remove it?

Please post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!



#5 Taymar

Taymar
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 31 August 2006 - 11:03 AM

Thanks Sam

I have cleared those 4 items using HJT, and have posted the new log below.

I ran TrojanHunter again, and it said it found Trojan.Generic and Worm.QIV.100. I have removed these with TH.

I have also uninstalled BitDefender; I hadn't intended to use it as an antivirus program, I just wanted to use it for scanning for malware. In the past I have found that BitDefender finds things which Norton and others can't. Also to note, I haven't been online with the 'infected' pc since it has been given to me to fix.

Thanks for your help. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 17:53, on 06-08-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\vetredir.dll' missing
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
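
As an added illustration that is not part of either poster's reply: the judgement a helper applies to a log like the one above (fix entries whose target no longer exists, notice an O10 line that HijackThis itself reports as broken Internet access, treat a context-menu handler that loads a remote URL as toolbar/adware residue) can be written down as a few rules and run over the log text. The script below is example code, not HijackThis; the sample lines are copied from the logs in this thread and cut down, and the rule set and severity labels are assumptions made here rather than anything HijackThis outputs.

```python
import re

# CONSTRUCTED sample: a cut-down HijackThis 1.99.1 log in the same shape as the
# logs in this thread (entries copied from them, most lines omitted).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\vetredir.dll' missing
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
"""

# Every HJT entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) for each HijackThis entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body").rstrip()))
    return entries


def triage(entries):
    """Apply the by-eye checks a helper uses; return (section, body, reason, severity).

    The rules and severities are this example's own assumptions, not HijackThis output.
    """
    findings = []
    for section, body in entries:
        if section == "O10" and "missing" in body:
            # HJT itself reports this as broken Internet access; on XP SP2
            # `netsh winsock reset` rebuilds the LSP chain.
            findings.append((section, body, "LSP chain points at a missing DLL; Winsock needs a reset", "high"))
        elif "(no file)" in body or "(file missing)" in body:
            findings.append((section, body, "orphaned entry, target no longer exists; safe to fix", "low"))
        elif section in ("R0", "R1") and body.endswith("="):
            findings.append((section, body, "browser setting left empty; fix to restore the default", "low"))
        elif section == "O8" and re.search(r"\s-\s+https?://", body):
            findings.append((section, body, "context-menu item loads a remote URL; typical toolbar/adware residue", "medium"))
    return findings


def by_severity(findings):
    """Count findings per severity so a log can be summarised at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, _, sev in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for section, body, reason, sev in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {section}: {reason}\n         {body}")
```

Run as-is it prints five findings: the missing LSP DLL as high, the myway.com context-menu item as medium, and the empty Local Page, the orphaned URLSearchHook and the left-behind BitDefender service as low; the Excel res:// item and the Norton BHO are not flagged.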

#6 Buckeye_Sam


Posted 31 August 2006 - 01:26 PM

Oh, I agree with you on BitDefender. I find it to be much better than Norton.
Just for future reference, you can get BitDefender as an on-demand scanner only, which won't conflict with Norton.

http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html

I don't recommend keeping it installed, but it's good to get a quick clean and a second opinion.


==========


Back to your log. It looks clean to me.
I see you have Ewido installed. It is very similar to Trojan Hunter as far as the malware that it detects and removes. Let's see if it picks up anything that we need to address.


Please open up Ewido Anti-spyware
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware. Do not run a scan just yet; we will shortly.

You may want to print out these instructions as the rest of this fix will take place in safe mode.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Clean out your Temporary Internet files
  • Close Internet Explorer and quit any instances of Windows Explorer.
  • Click Start -> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process:
  • Launch Ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report.
Let me know how things are working now and any problems/issues that you are still having.

#7 Taymar


Posted 31 August 2006 - 05:22 PM

Hi

I ran Ewido, and it didn't find anything, so therefore, no report to post.

I have run BitDefender again (after re-installing) and it still says that I have Win32.Netsky.D@mm and Trojan.Downloader.6087. Disinfection fails. Likewise, when I run BitDefender I get supposed Norton pop-ups telling me that I have the pcacme virus and WinFixer.

Is BitDefender just being awkward, or should I be worried that something is still lurking?

Cheers

Tay

#8 Buckeye_Sam


Posted 01 September 2006 - 08:36 AM

I thought that we had agreed that BitDefender and Norton together is not a good thing. If you want to run BitDefender, you should at least disable Norton first. It sounds to me like they are detecting each other, or something that's already in quarantine, and giving you a false positive.

Can you post a log from BitDefender so I can see exactly what it is finding?

Edited by Buckeye_Sam, 01 September 2006 - 08:37 AM.


#9 Taymar


Posted 01 September 2006 - 12:17 PM

Hello

Sorry... thought I had disabled Norton.

I have disabled Norton and run BitDefender again. The log is below. When running BD, with Norton disabled, I still get Norton pop-ups saying that I have WinFixer. How can this happen if Norton is disabled?

Thanks


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Created on: 01/09/2006 17:54:17
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 4651
Files : 498737
Archives : 7793
Packed files : 55209
Identified viruses : 2
Infected files : 4
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 27
Scan time : 01:05:12
Scan speed (files/sec) : 127

Virus definitions : 265633
Scan plugins : 15
Archive plugins : 42
Unpack plugins : 4
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1157126057.log


Summary:

C:\Documents and Settings\pip\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Payment Receipt][From: Paycom Support]=>FILE.10915104.exe Infected: Trojan.Downloader.6087
C:\Documents and Settings\pip\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Payment Receipt][From: Paycom Support]=>FILE.10915104.exe Disinfection failed
C:\Documents and Settings\pip\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Payment Receipt][From: Paycom Support]=>FILE.10915104.exe Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>(Quarantine-2)=>[Subject: Re: Your text][Date: Wed, 1 Feb 2006 13:06:06 +0000]=>(MIME part)=>your_text.pif Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>(Quarantine-2)=>[Subject: Re: Your text][Date: Wed, 1 Feb 2006 13:06:06 +0000]=>(MIME part)=>your_text.pif Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>(Quarantine-2)=>[Subject: Re: Your text][Date: Wed, 1 Feb 2006 13:06:06 +0000]=>(MIME part)=>your_text.pif Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Move failed

#10 Buckeye_Sam


Posted 01 September 2006 - 09:09 PM

That means that Norton is not completely disabled. Let's work through the BitDefender log first.

Open up Outlook and locate the email with these details.

Subject: Payment Receipt
From: Paycom Support

Once you find it, double delete it so it is completely gone.


Now, everything else that BitDefender is finding is undo reg files from System Mechanic. Depending on the version that you have, you should do something like this.

Open System Mechanic and click on Fix.
Select Fix Registry Problems.
Select Undo options from the top.
From the list of backups select the one from 2/1/06.
Click Remove Selected Item.
Close System Mechanic.


Now rerun BitDefender and let's see if it comes up clean.

Can you give any details about what Norton is popping up with?
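
An added example, not part of the thread and not BitDefender's own code, to show why the report above says "Disinfection failed" and "Move failed" for every hit. Each summary line is a container chain separated by "=>": the leftmost element is the only object that actually exists on disk, and everything to its right is something the scanner unpacked from it (a message inside Outlook.pst, a backup .tmp that System Mechanic wrote, a quarantine wrapper, a MIME part, a base64 blob). An on-demand scanner can report a hit inside such a container but generally cannot rewrite the container in place, which is why the fix given above is to delete the containing item rather than the attachment. The script groups the lines by outermost object and says which hits are live files. The Outlook.pst and .tmp sample lines are from the logs posted here; the last sample line is constructed, with a made-up file name, to show what an on-disk hit looks like; the classification rules and the recommended actions are assumptions made here.

```python
import re
from collections import OrderedDict

# Report lines in BitDefender 9's summary format. The Outlook.pst and .tmp
# groups are taken from the logs posted in this thread; the LAST line is
# CONSTRUCTED (made-up file and detection name) to show a hit on a plain file.
SAMPLE_SUMMARY = r"""
C:\Documents and Settings\pip\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Payment Receipt][From: Paycom Support]=>FILE.10915104.exe Infected: Trojan.Downloader.6087
C:\Documents and Settings\pip\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Payment Receipt][From: Paycom Support]=>FILE.10915104.exe Disinfection failed
C:\Documents and Settings\pip\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Payment Receipt][From: Paycom Support]=>FILE.10915104.exe Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Move failed
C:\WINDOWS\system32\made_up_dropper.exe Infected: Constructed.Sample.Only
"""

# "<container chain> <verdict>": the verdict is the trailing token group.
LINE_RE = re.compile(r"^(?P<chain>.+?) (?P<verdict>Infected: \S+|Disinfection failed|Move failed)$")


def parse_summary(text):
    """Group report lines by the outermost object (the part before the first '=>')."""
    objects = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        chain = m.group("chain").split("=>")
        rec = objects.setdefault(chain[0], {"chain": chain, "threats": set(), "failed": set()})
        verdict = m.group("verdict")
        if verdict.startswith("Infected: "):
            rec["threats"].add(verdict.split(": ", 1)[1])
        else:
            rec["failed"].add(verdict)
    return objects


def classify(path, chain):
    """Say what the outermost object is and what actually removes the hit (assumed rules)."""
    low = path.lower()
    if low.endswith((".pst", ".ost", ".dbx")):
        return "mail-store", "delete the message in the mail client and empty Deleted Items"
    if "\\undo\\" in low or any("quarantine" in part.lower() for part in chain[1:]):
        return "tool-backup", "purge the backup/undo set from the tool that wrote it"
    if len(chain) > 1:
        return "archive", "delete or rebuild the archive rather than extracting it"
    return "on-disk", "live file: treat as an active infection"


def report(text):
    """One row per on-disk object: kind, threats seen inside it, and the next step."""
    rows = []
    for path, rec in parse_summary(text).items():
        kind, action = classify(path, rec["chain"])
        rows.append({"path": path, "kind": kind, "threats": sorted(rec["threats"]),
                     "scanner_could_not_clean": bool(rec["failed"]), "action": action})
    return rows


def active_infections(rows):
    """Only hits on plain files count as something running or runnable on the box."""
    return [r for r in rows if r["kind"] == "on-disk"]


if __name__ == "__main__":
    for r in report(SAMPLE_SUMMARY):
        print(f"{r['kind']:11} {', '.join(r['threats'])}\n  {r['path']}\n  -> {r['action']}")
```

On the sample this yields four outermost objects: the .pst (mail-store), two System Mechanic .tmp backups (tool-backup) and the constructed .exe (on-disk); only the last one is reported as an active infection, and it is also the only one without a failed clean-up action, which is the pattern to look for when deciding whether a scanner's "failed" lines mean a live infection or a container it cannot edit.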

#11 Taymar


Posted 01 September 2006 - 11:37 PM

Thanks

I have now located that email (there was a hell of a lot of junk on this pc :thumbsup: ) and deleted it for good.

Ran System Mechanic; all things found now fixed.

Ran BitDefender again and this time, no Norton pop-ups! But the log still shows NetskyD, please see below.

Thank you for your help so far... we must be nearly there!


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Created on: 02/09/2006 05:30:01
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 4664
Files : 498901
Archives : 7550
Packed files : 55234
Identified viruses : 1
Infected files : 3
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 27
Scan time : 01:00:19
Scan speed (files/sec) : 137

Virus definitions : 265633
Scan plugins : 15
Archive plugins : 42
Unpack plugins : 4
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1157167801.log


Summary:

C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>{D6A90E89-FA8D-4BC8-BF53-5C615DC9505A}.tmp=>(Quarantine-2)=>[Subject: Re: Re: Document][Date: Wed, 1 Feb 2006 21:18:58 +0000]=>(MIME part)=>your_document.pif Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>(Quarantine-2)=>[Subject: Re: Your text][Date: Wed, 1 Feb 2006 13:06:06 +0000]=>(MIME part)=>your_text.pif Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>(Quarantine-2)=>[Subject: Re: Your text][Date: Wed, 1 Feb 2006 13:06:06 +0000]=>(MIME part)=>your_text.pif Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>{DD7591B6-9E1A-4E8A-9CC4-7E3B15A7DC69}.tmp=>(Quarantine-2)=>[Subject: Re: Your text][Date: Wed, 1 Feb 2006 13:06:06 +0000]=>(MIME part)=>your_text.pif Move failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Infected: Win32.Netsky.D@mm
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Disinfection failed
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{FD79ECB9-2848-45D5-A389-A72E0E020601}\{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>{ECE0D26E-D828-405B-9478-BAAC0F7652FC}.tmp=>(Quarantine-2)=>(base64) Move failed

#12 Taymar


Posted 02 September 2006 - 11:17 AM

Hi Sam

Just to say that I believe the pc is now free of infection! I went through the previous log, found the offending files and removed them, then ran BitDefender again and got a clean log (pasted below). I haven't had any more Norton pop-ups either.

I have given my friend a lecture on how to keep the machine clean... I don't want to see that box ever again!

Thank you for your help with this; it has been greatly appreciated. :thumbsup:

Tay


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Created on: 02/09/2006 15:58:48
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 4655
Files : 498387
Archives : 7518
Packed files : 55188
Identified viruses : 0
Infected files : 0
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 27
Scan time : 00:55:09
Scan speed (files/sec) : 150

Virus definitions : 261335
Scan plugins : 15
Archive plugins : 42
Unpack plugins : 4
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1157205528.log

#13 Buckeye_Sam


Posted 02 September 2006 - 08:01 PM

Great! :thumbsup:

Here's a few final suggestions for you to keep things running smoothly.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files left in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:flowers: :huh:
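
An added example, not part of the post above: the six Custom Level changes listed for the Internet zone are stored as DWORD values under the Internet Settings zone key, so they can be audited and applied without clicking through the dialog. The value names and the Enable/Prompt/Disable encoding follow the registry layout Microsoft documents for Internet Explorer security zones (KB 182569); confirm them against your own build. The sample "current" snapshot is constructed, and treating a value that is absent from the key as Enable is an assumption made here for the audit, not IE's real per-zone default. The script only builds .reg text and compares dictionaries; it never touches a live registry.

```python
# Per-zone URL-action settings live under this key; subkey 3 is the Internet zone.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Encoding shared by every URL-action value: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six Custom Level settings from the post, keyed by their registry value name
# (KB 182569 layout; confirm against your own IE build).
HARDENED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# CONSTRUCTED snapshot standing in for what you would read back from the key
# (for example with `reg query` on the machine); "1607" is deliberately absent.
SAMPLE_CURRENT = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE, "1800": PROMPT, "1804": ENABLE}


def audit(current, wanted=HARDENED):
    """Return (value_name, label, have, want) for every setting weaker than wanted.

    Enable < Prompt < Disable is also the numeric order of the encoding, so a
    plain comparison works. A value missing from the snapshot is treated as
    Enable (the weakest); that is an assumption for the audit, not IE's default.
    """
    findings = []
    for name, (label, want) in wanted.items():
        have = current.get(name, ENABLE)
        if have < want:
            findings.append((name, label, LEVEL_NAME[have], LEVEL_NAME[want]))
    return findings


def render_reg(wanted=HARDENED):
    """Produce .reg text that applies the wanted levels to the Internet zone."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, (label, want) in wanted.items():
        lines.append(f"; {label} = {LEVEL_NAME[want]}")
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, label, have, want in audit(SAMPLE_CURRENT):
        print(f"{name} {label}: {have} -> should be {want}")
    print(render_reg())
```

Against the sample snapshot the audit flags four of the six settings (signed and unsigned ActiveX downloads, IFRAME launches, and the absent cross-domain sub-frame value); the .reg output can be reviewed and then imported with regedit on the machine being cleaned, after which a second audit of the re-read values should come back empty.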

#14 Taymar


Posted 02 September 2006 - 10:36 PM

Hi Sam

Thank you for the information. I had recommended most of this to my friend, but didn't know about the disabling/re-enabling of System Restore nor SpywareBlaster. I have certainly learnt a lot from this experience!

I think (and hope) that this thread is now closed. :thumbsup:

Thanks again for your time, patience and helpful advice.

Tay

#15 Buckeye_Sam


Posted 03 September 2006 - 01:30 PM

I'm glad I could help you out! :thumbsup:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.